# SMTP and PAM Auth



## BillFinkNC (Jul 27, 2021)

Here is my scenario - I've been running FreeBSD for many (many) years. (Please don't ask.) I've a box that's been running 9.3 for YEARS and it's "The" most reliable system in my arsenal of servers.

It's been a couple of years (to say the least) since I've written scripts (I retired), but this is a reach-out for help and hopefully it works.

My logs have been FILLED with: 

```
Jul 26 12:59:01 rmx saslauthd[638]: do_auth         : auth failure: [user=contact] [service=smtp] [realm=mydomain.com] [mech=pam] [reason=PAM auth error]
```
...CONSTANTLY! 

I let it go mostly because my saslauthd (pam) doesn't work, so I thought they'd eventually stop their script(s), but this has been going on for far too long and my syslogs are filled every day.

I'm hoping for help with an easy script that could be written to add their IP to my blackhole routes? Any suggestions? Thank you!


----------



## SirDice (Jul 27, 2021)

FreeBSD 9.3 has been end-of-life since December 2016 and is not supported any more.

Topics about unsupported FreeBSD versions: Unsupported FreeBSD Releases (www.freebsd.org)






BillFinkNC said:


> My logs have been FILLED with


Sounds like you're getting hit by one of the many, many bots that are scanning the internet looking for things to exploit. You really, really shouldn't be running outdated software and have it accessible from the internet.


----------



## BillFinkNC (Jul 27, 2021)

SirDice said:


> FreeBSD 9.3 has been end-of-life since December 2016 and is not supported any more.
> 
> Topics about unsupported FreeBSD versions
> 
> ...


Thanks for the advice...and I agree with you. That wouldn't stop that/their attempts and it'd still show up in a security log. I would like a script that would put them in my blackhole routes. My "outdated" box has an uptime of a few years, I've got it pretty well locked down and like most, am skeptical to change what's been working SO WELL for so many years. I trust you understand.


----------



## SirDice (Jul 27, 2021)

BillFinkNC said:


> My "outdated" box has an uptime of a few years


Uptimes are overrated. It just means you haven't been updating. Not something to brag about.



BillFinkNC said:


> I trust you understand.


I trust you understand it's a really, really bad idea to run old and outdated software on the internet in this day and age.


----------



## BillFinkNC (Jul 27, 2021)

SirDice said:


> Uptimes are overrated. It just means you haven't been updating. Not something to brag about.
> 
> 
> I trust you understand it's a really, really bad idea to run old and outdated software on the internet in this day and age.


Why thank you for the help I was hoping for. Should I upgrade to Windows Server 2022?


----------



## SirDice (Jul 27, 2021)

BillFinkNC said:


> Should I upgrade to Windows Server 2022?


No, you should upgrade to FreeBSD 12.2 or 13.0 and update your ports/packages too while you're at it.


----------



## hardworkingnewbie (Jul 27, 2021)

BillFinkNC said:


> Thanks for the advice...and I agree with you. That wouldn't stop that/their attempts and it'd still show up in a security log. I would like a script that would put them in my blackhole routes. My "outdated" box has an uptime of a few years, I've got it pretty well locked down and like most, am skeptical to change what's been working SO WELL for so many years. I trust you understand.


You are running an MTA connected to the internet, according to your topic. MTAs should only be run by people who know what they are doing, and always using the up-to-date version that is available, because otherwise your machine might turn into a SPAM relay, damaging trust in your domain/host IP. And if you are dependent on your email working well, then you will be in a lot of trouble clearing things up, getting removed from RBLs and so on.

Obviously you don't know what you are doing, because otherwise you would be able to deal with that type of common scan attack on your own. fail2ban comes to mind. Furthermore, you would always keep your system up to date by yourself.

And on top of that you've got the wrong priorities, because you value your uptime counter higher than operating your host in a safe manner.

So I totally agree with SirDice - upgrade your box and get your priorities right, because otherwise you will sooner or later be in a world of hurt due to your own actions, or lack thereof.


----------



## BillFinkNC (Jul 27, 2021)

hardworkingnewbie said:


> You are running an MTA connected to the internet, according to your topic. MTAs should only be run by people who know what they are doing, and always using the up-to-date version that is available, because otherwise your machine might turn into a SPAM relay, damaging trust in your domain/host IP. And if you are dependent on your email working well, then you will be in a lot of trouble clearing things up, getting removed from RBLs and so on.
> 
> Obviously you don't know what you are doing, because otherwise you would be able to deal with that type of common scan attack on your own. fail2ban comes to mind. Furthermore, you would always keep your system up to date by yourself.
> 
> ...


I appreciate all your help, I think I just answered my own question. I appreciate your input.


----------



## BillFinkNC (Jul 27, 2021)

BillFinkNC said:


> I appreciate all your help, I think I just answered my own question. I appreciate your input.


By the way, I'm a network (and Unix) engineer. Again, your input....errrr, opinion versus help is appreciated. (I decided to simply block port 25, if that helps you. Smirk.)


----------



## Geezer (Jul 27, 2021)

BillFinkNC said:


> Should I upgrade to Windows Server 2022?



Did you really ask that?


----------



## BillFinkNC (Jul 27, 2021)

What happened to sarcasm? (Block port 25 is what I realized after reading your helpful comment. Thanks so much for your input.  Grin.)


----------



## VladiBG (Jul 27, 2021)

Check fail2ban; it will help you integrate log monitoring with the firewall and reduce those failed attempts.
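
The request in the first post (a script that adds offending addresses to the blackhole routes) and the fail2ban suggestion above come down to the same mechanism: count authentication failures per client address inside a time window and hand the offenders to the firewall or routing table. The block below is an added example of that logic in Python; it is not code from this thread, from fail2ban or from FreeBSD. One point it makes explicit: the saslauthd line quoted in the first post carries no client address, so on its own it cannot tell you whom to block; the address has to come from the MTA's own log line for the same connection. The MTA line format, the sample log (documentation addresses only), the allow-list and the threshold values are all constructed assumptions for this example and need adapting to the real maillog. The script prints route(8) commands rather than running them, so the result can be reviewed before anything touches the routing table.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog timestamps carry no year; assume the year the thread was posted.
LOG_YEAR = 2021
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
# The saslauthd line quoted in the thread: note that it has no client address.
SASL_RE = re.compile(r"^saslauthd\[\d+\]: do_auth\s*: auth failure:")
# Constructed MTA line that does carry the client address (assumption: adapt to the real MTA).
MTA_RE = re.compile(r"^smtpd\[\d+\]: client=\S*?\[(?P<ip>[0-9A-Fa-f.:]+)\], SASL \S+ authentication failed")


def sample_log():
    """Constructed sample maillog for this example (documentation addresses only)."""
    events = (
        [("12:59:%02d" % (s * 12), "203.0.113.7") for s in range(5)]      # 5 failures in 48 s -> ban
        + [("13:05:00", "198.51.100.20"), ("13:05:30", "198.51.100.20")]   # 2 failures -> below threshold
        + [("13:10:%02d" % s, "192.0.2.5") for s in range(6)]              # allow-listed network
        + [("13:20:%02d" % (s * 10), "2001:db8::1") for s in range(5)]    # IPv6 offender
        + [("%02d:00:00" % (14 + s), "203.0.113.9") for s in range(5)]     # 5 failures spread over hours
    )
    lines = []
    for ts, ip in sorted(events):
        lines.append(f"Jul 26 {ts} rmx smtpd[640]: client=unknown[{ip}], SASL PLAIN authentication failed")
        lines.append(f"Jul 26 {ts} rmx saslauthd[638]: do_auth         : auth failure: "
                     "[user=contact] [service=smtp] [realm=mydomain.com] [mech=pam] [reason=PAM auth error]")
    return lines


def parse_line(line):
    """Return (timestamp, ip_or_None, kind) for a failure line, else None.
    kind is 'mta' for an MTA failure that names the client, 'sasl' for the
    address-less saslauthd line."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    rest = m["rest"]
    mm = MTA_RE.match(rest)
    if mm:
        return ts, ipaddress.ip_address(mm["ip"]), "mta"
    if SASL_RE.match(rest):
        return ts, None, "sasl"
    return None


def find_offenders(lines, threshold=5, window_s=600, allow=()):
    """Sliding-window failure counter per client address, the core of what
    fail2ban does.  Returns (offenders, unattributed): offenders maps an
    address to its failure count at the moment the threshold was crossed;
    unattributed counts saslauthd lines that name no client at all."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    recent = defaultdict(deque)
    offenders = {}
    unattributed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, kind = parsed
        if kind == "sasl":
            unattributed += 1          # no address -> nothing to block on
            continue
        if any(ip in net for net in allow_nets):
            continue                   # never blackhole your own networks
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                # drop failures older than the window
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = len(q)
    return offenders, unattributed


def blackhole_cmds(ips):
    """FreeBSD route(8) commands for a host blackhole route per offender.
    Packets destined to the address are discarded, so the SMTP handshake
    with the scanner never completes."""
    cmds = []
    for ip in sorted(ips, key=lambda a: (a.version, int(a))):
        if ip.version == 6:
            cmds.append(f"route add -inet6 -host {ip} ::1 -blackhole")
        else:
            cmds.append(f"route add -host {ip} 127.0.0.1 -blackhole")
    return cmds


if __name__ == "__main__":
    found, unattributed = find_offenders(sample_log(), allow=["192.0.2.0/24"])
    print(f"# {unattributed} saslauthd failures carried no client address (not actionable)")
    for cmd in blackhole_cmds(found):
        print(cmd)
```

Run as-is it prints two route commands (the IPv4 and the IPv6 scanner) and leaves the allow-listed host, the host below the threshold and the host whose failures are spread over hours alone. In production the same per-address window is what fail2ban provides, with its pf action adding offenders to a pf table instead of the routing table; the one thing no tool can do is block on the saslauthd line alone, which is why the filter has to watch the MTA's log line that names the client.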


----------



## BillFinkNC (Jul 27, 2021)

VladiBG said:


> Check fail2ban; it will help you integrate log monitoring with the firewall and reduce those failed attempts.


"The Best" advice yet, thank you. I will look into this. (My original question/answer - I sort-of answered myself. Block port 25 with a utility or 'iperf' sort of fw rule.) Thank you so much!


----------



## SirDice (Jul 27, 2021)

BillFinkNC said:


> By the way, I'm a network (and Unix) engineer.


There are bad and good engineers in every profession. 

Anyway, maybe look at your own threads from six years ago, when 9.3 was actually still supported.


Other - SSHGuard And SASLAUTHD (forums.freebsd.org):

> I have installed security/sshguard and what I'm finding in my logs are an awful lot of these: `Mar 15 06:36:32 rmx saslauthd[18614]: do_auth  : auth failure:  [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]` My assumption here is that security/sshguard isn't going to block anything...

----------



## BillFinkNC (Jul 27, 2021)

SirDice said:


> There are bad and good engineers in every profession.
> 
> Anyway, maybe look at your own threads from six years ago, when 9.3 was actually still supported.
> 
> ...


Good Lord, _six_ years ago... I cannot imagine. Thank you for your opinion and input.


----------



## BillFinkNC (Jul 27, 2021)

BillFinkNC said:


> Here is my scenario - I've been running FreeBSD for many (many) years. (Please don't ask.) I've a box that's been running 9.3 for YEARS and it's "The" most reliable system in my arsenal of servers.
> 
> It's been a couple of years (to say the least) that I've written scripts, (I retired) but this is a reach-out for help and hopefully works.
> 
> ...


Thanks for all of your replies, it seems I'm getting more opinions than help to my initial question. Please stop, my original question I answered myself, BLOCK port 25 is the answer.  I appreciate all the input...thank you!


----------

