HIDS 3357

From Atomicorp Wiki
Revision as of 17:04, 25 September 2012 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Rule 3357
Status Active
Alert Message Multiple SASL authentication failures.

Contents

Description

This rule reports when your systems mail server has rejected multiple attempts to authenticate. By default this is 6 failures within a 120 second period. Typically this occurs with brute force authentication attempts.

ASL does not control or configure this behavior, it merely reports when this occurs. Therefore, if your mail server or other daemon is incorrectly rejecting authentication from one of your users you will need to configure your mail server, or other daemon, correctly. Please contact the vendor for this service for assistance with configuring it.

Disabling this rule will not allow your users to authenticate to the service. It will simply "silence" the alert in ASL, however the users authentication will still be rejected by the service.

Troubleshooting

False Positives

A False Positive may occur if many users are located behind the same IP address, and they are all failing to authenticate properly within 120 seconds. We recommend you correct the authentication credentials before you disable this rule. Its is highly unusual for multiple users to experience authenticate failures at the same time.

Tuning Guidance

If you wish to not block these connections, just disable Active Response in the ASL rule manager.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

Example log messages:

host postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure Sep 25 17:36:22 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure Sep 25 17:36:18 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure Sep 25 17:36:10 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure

Personal tools