HIDS 3357
| Rule 3357 | |
|---|---|
| Status | Active |
| Alert Message | Multiple SASL authentication failures. |
Description
This rule reports when your system's mail server has rejected multiple authentication attempts. By default this is 6 failures within a 120 second period. Typically this occurs with brute force authentication attempts.
ASL does not control or configure this behavior; it merely reports when it occurs. Therefore, if your mail server or other daemon is incorrectly rejecting authentication from one of your users, you will need to configure that mail server or daemon correctly. Please contact the vendor of that service for assistance with configuring it.
Disabling this rule will not allow your users to authenticate to the service. It will simply "silence" the alert in ASL; the user's authentication will still be rejected by the service.
Troubleshooting
False Positives
A false positive may occur if many users are located behind the same IP address and they all fail to authenticate within 120 seconds. We recommend you correct the authentication credentials before you disable this rule. It is highly unusual for multiple users to experience authentication failures at the same time.
Tuning Guidance
If you do not wish to block these connections, disable Active Response in the ASL rule manager.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.
Notes
Example log messages:
host postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:22 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:18 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:10 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
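The following is an added illustration, not ASL's own rule engine: a small Python correlator that parses Postfix SASL failure lines in the format shown above and applies the rule's default of 6 failures within 120 seconds per source address. The sample lines are constructed, the syslog year is assumed, and the counter is keyed by source IP, which is exactly why many users behind one address can trigger the false positive described above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input (chronological order) in the Postfix/SASL format shown on this page.
SAMPLE_LOG = """\
Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:10 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:18 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:22 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:40:00 dar postfix/smtpd[29010]: warning: unknown[10.0.0.7]: SASL LOGIN authentication failed: authentication failure
"""

# Syslog timestamp, host, postfix/smtpd[pid], then the client host[ip] and the SASL failure text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed"
)

def parse_failures(text, year=2024):
    """Return (timestamp, source_ip) pairs for SASL failure lines, sorted by time.
    Syslog lines carry no year, so one is assumed for parsing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return sorted(events)

def detect(text, threshold=6, window=120):
    """Sliding-window correlation per source IP: alert when `threshold`
    failures fall within `window` seconds (the rule's defaults: 6 in 120s)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = []
    for ts, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()            # drop failures older than the window
        if len(q) >= threshold:
            alerts.append((ip, ts))
            q.clear()              # one alert per burst, then start counting again
    return alerts

if __name__ == "__main__":
    for ip, when in detect(SAMPLE_LOG):
        print(f"rule 3357: multiple SASL authentication failures from {ip} at {when:%H:%M:%S}")
```

With the sample above the alert fires on the sixth failure from 1.2.3.4 at 17:36:18, while the single failure from 10.0.0.7 never reaches the threshold.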