Koozali.org: home of the SME Server

How to discover where attack comes from

Offline leonplk

How to discover where attack comes from
« on: December 16, 2024, 02:46:34 PM »
Hello, all.
I see lines like the following in /var/log/secure:
Dec 16 15:38:08 extern auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=support rhost=127.0.0.1
Dec 16 15:37:40 extern auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=soporte rhost=127.0.0.1
and many other stupid ruser names.
After 2 days of struggling to understand where this comes from, also with ChatGPT's help, I give up - I can't find the source IP of the attacker to block him.
Can someone more experienced help me with this?
Many thanks.

Offline bunkobugsy

Re: How to discover where attack comes from
« Reply #1 on: December 16, 2024, 06:23:35 PM »
Look in qpsmtpd or sqpsmtpd logs at those times.
Install https://wiki.koozali.org/Fail2ban

Offline ReetP

Re: How to discover where attack comes from
« Reply #2 on: December 17, 2024, 06:21:18 PM »
> ChatGPT

For debugging Koozali SME it is probably worse than useless as it doesn't understand properly about events, actions and templates. Koozali is not quite a standard Linux server. Treat the information ChatGPT gives you with extreme caution. My web dev tried it and half broke my server before his changes were lost again on a reconfigure.

You are better off searching and reading here, and the wiki. This has been answered many times before (so much for ChatGPT then.....)

Logs for your incoming mail are here:

/var/log/qpsmtpd/current

Best thing to use is Geoip to block the worst offenders.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline leonplk

Re: How to discover where attack comes from
« Reply #3 on: December 18, 2024, 03:20:05 PM »
Thousands of thanks!!
It worked - my fail2ban was missing the correct sqpsmtpd configuration!
The main issue was with time stamp - needed to convert it from tai64n...
Now all works (with the help of ChatGPT - I taught it to remember that this is SME10).
Thanks a lot again!
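The two points the thread turns on are that the real client address only appears in /var/log/qpsmtpd/current (the dovecot line shows rhost=127.0.0.1 because the check is made locally), and that the tai64n stamps in that log have to be decoded before they can be matched against the syslog time in /var/log/secure. The following is an added Python example that does that correlation; it is not code from the thread or from the Koozali project, the qpsmtpd line format and the addresses in the sample are constructed, and the server is assumed to log in UTC (pass your real zone as `tz` otherwise).

```python
import re
from datetime import datetime, timedelta, timezone

# multilog labels each line with 2^62 + 10 + unix_seconds (daemontools assumes a
# fixed 10 s TAI-UTC offset); tai64nlocal subtracts the same constant to decode.
TAI64_UNIX_OFFSET = (1 << 62) + 10
TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def tai64n_to_datetime(stamp):
    """Decode an '@4000000...' tai64n label into an aware UTC datetime."""
    m = TAI64N_RE.match(stamp)
    if not m:
        raise ValueError("not a tai64n label: %r" % stamp)
    secs = int(m.group(1), 16) - TAI64_UNIX_OFFSET
    micros = int(m.group(2), 16) // 1000
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=micros)

def datetime_to_tai64n(dt):
    """Inverse of the above; used here only to build the constructed sample log."""
    return "@%016x%08x" % (int(dt.timestamp()) + TAI64_UNIX_OFFSET, dt.microsecond * 1000)

def find_remote_hosts(secure_line, qpsmtpd_lines, year, tz=timezone.utc, window=30):
    """Return (utc_time, ip, text) for qpsmtpd lines stamped within `window` seconds of
    the dovecot failure that mention a non-loopback IPv4 address. /var/log/secure has
    no year or zone, so both are supplied; tz=UTC is an assumption for this sample."""
    when = datetime.strptime(secure_line[:15], "%b %d %H:%M:%S").replace(year=year, tzinfo=tz)
    hits = []
    for line in qpsmtpd_lines:
        stamp, _, text = line.partition(" ")
        try:
            t = tai64n_to_datetime(stamp)
        except ValueError:
            continue  # continuation or otherwise unstamped line
        if abs((t - when).total_seconds()) <= window:
            hits.extend((t, ip, text) for ip in IPV4_RE.findall(text) if not ip.startswith("127."))
    return hits

# Constructed sample: the dovecot line quoted in the post plus invented qpsmtpd
# lines using RFC 5737 test addresses; not real output from the poster's server.
SECURE_LINE = ("Dec 16 15:38:08 extern auth: pam_unix(dovecot:auth): authentication failure; "
               "logname= uid=0 euid=0 tty=dovecot ruser=support rhost=127.0.0.1")
SAMPLE_T = datetime(2024, 12, 16, 15, 38, 0, tzinfo=timezone.utc)
QPSMTPD_LINES = [
    datetime_to_tai64n(SAMPLE_T - timedelta(minutes=5)) + " 1201 Connection from [198.51.100.7]",
    datetime_to_tai64n(SAMPLE_T) + " 1340 Connection from [203.0.113.45]",
    datetime_to_tai64n(SAMPLE_T + timedelta(seconds=7)) + " 1340 auth failed for support",
    "  continuation line without a stamp",
]
```

Running find_remote_hosts(SECURE_LINE, QPSMTPD_LINES, 2024) on the sample returns only the 203.0.113.45 connection made eight seconds before the failure; the connection five minutes earlier falls outside the window and the loopback address is ignored.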

Offline ReetP

Re: How to discover where attack comes from
« Reply #4 on: December 18, 2024, 07:39:17 PM »
> the help of ChatGPT

Like I said before - with Koozali just don't.

You don't know enough to know if it is telling you the truth or lying convincingly......

The latter will get you in big trouble one day.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation