I found out that my Sophos Cluster is permanently attacked by some host.
I got these entries in the user authentication daemon log:
2015:03:11-14:52:10 vpn-1 aua[3504]: id="3006" severity="info" sys="System" sub="auth" name="Child 21427 is running too long. Terminating child"
2015:03:11-14:52:10 vpn-1 aua[23955]: id="3006" severity="info" sys="System" sub="auth" name="Trying XX.XX.XX.XX (adirectory)"
2015:03:11-14:52:11 vpn-1 aua[23955]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="106.187.98.143" host="" user="linux" caller="smtp" reason="DENIED"
I XX-ed out my internal IP address...
Exactly every 8 minutes I have been getting these entries for weeks now (other user entry)...
Password guessing is on but it seems it did not work well. Also I set the IP on the blacklist in the SMTP proxy,
but the entries come...
What can I do to get these attacks dropped?
Update:
Got it fixed. Facility "SMTP-Proxy" is activated in the Block Password Guessing module and now the IP is blocked for some time :-)
Too many failed logins from 106.187.98.143 for facility smtp.
Further logins will be blocked for 3600 seconds.