Regarding Brute-force attack "SASL LOGIN authentication failed"

December 14, 2017
Firewall Security Ubuntu

Hello,

In recent days, I have been receiving too many mails which say:

We’ve received a notification that one or more of your Droplets at 104.131.42.133 is participating in Brute-force activities. Please note that we may be required to take further action to prevent additional attacks, up to and including suspension of your Droplet. Should we take this step, we'll send an additional email notifying you that we have done this.

and here is what the log file says.

Dec 10 19:42:20 server postfix/smtpd[12032]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 21:38:11 server postfix/smtpd[5181]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 21:55:55 server postfix/smtpd[8870]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 21:55:55 server postfix/smtpd[9567]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 22:22:21 server postfix/smtpd[15567]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 22:22:21 server postfix/smtpd[14121]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 22:26:55 server postfix/smtpd[16437]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 22:55:38 server postfix/smtpd[21080]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure

I have followed the steps below already, but the attack still continues.

  1. I have set up lavado.in behind Cloudflare to stop brute force.
  2. I have also installed and configured the "iThemes Security" plugin in my WordPress site, which says everything is OK in the WP site.
  3. For lavado.in/order (which is developed using the CodeIgniter framework), I also checked and scanned the code with our licensed Quick Heal Total Security software, which also says it is okay and there are no viruses.
  4. I have also checked the databases of the WordPress site (lavado.in) and CRM portal (lavado.in/order), and my dev did not find anything suspicious.
  5. I have also enabled the firewall, and you can see that I have enabled two inbound rules.

I have taken all the precautions, but I am still getting the same email about brute force activity on my site, so my developer team and I are confused about what causes this issue and how to resolve it. Please help. If you can provide us a clue as to where / which location / which file execution causes this, I can ask my dev team to fix it immediately.

Your help is much appreciated, looking forward to your support.

I also raised this point in support ticket (#905232) but no response after 24 hours passed.

Will be waiting to hear from you soon.

NOTE: I just removed the inbound firewall rule for SSH (port 22). I know I will no longer be able to connect to SSH through FTP, but I need to resolve this, as this is my highest concern at the moment; my whole business is paused due to this.
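The log excerpt above is exactly the kind of input a detection rule (for example a fail2ban postfix-sasl jail) works from: count SASL failures per source address and flag any address whose failure rate within a window crosses a threshold. The following Python is an added example for this thread, not code from the poster, DigitalOcean or Postfix. It parses the posted log format, reports the peak number of failures in any one-hour window per source IP, and also marks whether a flagged source is one of the host's own addresses, since in the excerpt the address in the Postfix warnings is the same one named in the abuse notification. The threshold, the year (syslog lines carry none), the `own_addresses` set and the two extra sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the eight warning lines from the question, plus a
# "connect from" line (must be ignored) and one failure from a second,
# documentation-range address (203.0.113.7) to show the per-IP split.
SAMPLE_LOG = """\
Dec 10 19:42:20 server postfix/smtpd[12032]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 21:38:11 server postfix/smtpd[5181]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 21:55:55 server postfix/smtpd[8870]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 21:55:55 server postfix/smtpd[9567]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 22:22:21 server postfix/smtpd[15567]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 22:22:21 server postfix/smtpd[14121]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 22:26:55 server postfix/smtpd[16437]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 22:55:38 server postfix/smtpd[21080]: warning: unknown[104.131.42.133]: SASL LOGIN authentication failed: authentication failure
Dec 10 22:55:40 server postfix/smtpd[21081]: connect from unknown[203.0.113.7]
Dec 10 22:55:41 server postfix/smtpd[21081]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
"""

# Matches postfix/smtpd SASL failure warnings; the client name and address are
# the "name[addr]" pair, e.g. unknown[104.131.42.133].
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)


def parse_sasl_failures(text, year):
    """Return (datetime, ip, mechanism) for each SASL failure line.

    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    events = []
    for line in text.splitlines():
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue
        ts = " ".join(m.group("ts").split())  # collapse "Dec  5" to "Dec 5"
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append((when, m.group("ip"), m.group("mech")))
    return events


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(events, threshold=5, window=timedelta(hours=1), own_addresses=frozenset()):
    """Per source IP: total failures, peak count inside `window`, whether that
    peak reaches `threshold` (the shape of a fail2ban-style rule), and whether
    the source is one of this host's own addresses."""
    by_ip = defaultdict(list)
    for when, ip, _mech in events:
        by_ip[ip].append(when)
    report = {}
    for ip, times in by_ip.items():
        peak = max_in_window(times, window)
        report[ip] = {
            "total": len(times),
            "peak_in_window": peak,
            "flagged": peak >= threshold,
            "self_sourced": ip in own_addresses,
        }
    return report


if __name__ == "__main__":
    # own_addresses is the Droplet address named in the notification above.
    report = summarize(parse_sasl_failures(SAMPLE_LOG, 2017),
                       own_addresses={"104.131.42.133"})
    for ip, row in sorted(report.items()):
        print(ip, row)
```

Running it against the posted lines reports 104.131.42.133 with 8 failures, a peak of 6 inside one hour, and `self_sourced` true, while the second address stays below the threshold. A `self_sourced` hit is the detail worth acting on: failed logins arriving from the host's own address mean the traffic originates on the machine, which is the situation the answer below asks the poster to check for.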

1 Answer

It might be worthwhile to examine whether your machine is generating brute force attacks on other websites, which would mean your machine is in a compromised state and someone has/had access to it.

You might want to disable outbound internet access from the machine and see.
Also, you could check whether any processes running on your Droplet are unknown to you.
