Difference between revisions of "HIDS 3357"

From Atomicorp Wiki
Latest revision as of 17:48, 25 September 2012

Rule 3357
Status: Active
Alert Message: Multiple SASL authentication failures.

Description

This rule reports when your system's mail server has rejected multiple authentication attempts from the same source address. By default the threshold is 6 failures within a 120 second period. This pattern is typical of brute force authentication attempts.

ASL does not control or configure this behavior; it merely reports when it occurs. If your mail server or other daemon is incorrectly rejecting authentication from one of your users, you will need to configure that daemon correctly. Please contact the vendor of the service for assistance with configuring it.

Disabling this rule will not allow your users to authenticate to the service. It only silences the alert in ASL; the service will still reject the users' authentication attempts.

Troubleshooting

False Positives

This rule is not caused by ASL. ASL merely reports the alert from the service on your system that has rejected these authentication requests.

A false positive may occur if many users are located behind the same IP address (for example a NAT gateway) and they all fail to authenticate within the same 120 second window, since the mail server logs only the shared source address. We recommend you correct the authentication credentials before you disable this rule. It is highly unusual for multiple users to experience authentication failures at the same time.

Tuning Guidance

If you do not want these connections blocked, disable Active Response for this rule in the ASL rule manager. The rule will still report the alert; only the blocking is switched off.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

Example log messages (newest first):

host postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:22 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:18 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:10 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
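The following Python script is an added example, not ASL's own rule definition (which this page does not reproduce): it applies the threshold described under Description (6 SASL failures from one source address within 120 seconds) to constructed log lines modelled on the excerpt above, so you can see exactly which line trips the alert. The sample lines, the hostname "dar", the placeholder address 1.2.3.4, the second client 198.51.100.7 and the year 2012 (syslog timestamps carry no year) are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input modelled on the Notes section of this page.
# 1.2.3.4 is the placeholder address from the page; 198.51.100.7 and the
# 17:45:30 straggler are added to show that the window and the per-source
# grouping behave as expected. Lines are deliberately not in time order.
SAMPLE_LOG = """\
Sep 25 17:36:22 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:18 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:14 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:10 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:36:06 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:40:00 dar postfix/smtpd[29010]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 25 17:45:30 dar postfix/smtpd[29004]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Sep 25 17:45:31 dar postfix/smtpd[29011]: connect from mail.example.net[198.51.100.7]
"""

# Matches the Postfix smtpd SASL failure line shape shown on this page.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>[^\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)

THRESHOLD = 6   # failures from one source address (page default)
WINDOW = 120    # seconds (page default)


def parse_line(line, year=2012):
    """Return (timestamp, source_ip, mechanism) for a SASL failure line, else None.

    The year is assumed because syslog timestamps do not carry one.
    """
    m = SASL_FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["mech"]


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of SASL failures per source address.

    Returns a list of (ip, timestamp_of_triggering_failure, count), one
    entry per burst that reaches the threshold. After an alert fires the
    count for that address restarts, so a sustained attack produces one
    alert per `threshold` failures rather than one per line.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    alerts = []
    for ts, ip, _mech in events:
        q = recent[ip]
        q.append(ts)
        # Drop failures older than the window relative to this one.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, ts, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for ip, ts, count in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S} {ip}: {count} SASL failures within {WINDOW}s")
```

On the sample input the only alert is for 1.2.3.4 at 17:36:18, the sixth failure in twelve seconds; the straggler at 17:45:30 is outside the window and 198.51.100.7 never reaches the threshold. Because the Postfix line names only the client address, the script cannot tell six users behind one NAT from one attacker, which is exactly the false positive described above; the `host` group of the regex is the only extra context available for triage.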
