malicious smtp connection ?

Fri, 04/12/2013 - 07:39
adrianmak


Continuing from this post of mine: https://www.virtualmin.com/node/26271 After some configuration of Postfix, the mail log looked normal. However, half a day later there were a large number of SMTP retries on my server:

Apr 12 20:30:42 host2 postfix/smtpd[3369]: too many errors after AUTH from unknown[87.103.212.173]
Apr 12 20:30:42 host2 postfix/smtpd[3369]: disconnect from unknown[87.103.212.173]
Apr 12 20:30:42 host2 postfix/smtpd[11206]: too many errors after AUTH from unknown[177.0.80.164]
Apr 12 20:30:42 host2 postfix/smtpd[11206]: disconnect from unknown[177.0.80.164]
Apr 12 20:30:42 host2 postfix/smtpd[9331]: too many errors after AUTH from unknown[177.4.185.106]
Apr 12 20:30:42 host2 postfix/smtpd[9331]: disconnect from unknown[177.4.185.106]
Apr 12 20:30:42 host2 postfix/smtpd[7364]: too many errors after AUTH from unknown[200.102.52.154]
Apr 12 20:30:42 host2 postfix/smtpd[7364]: disconnect from unknown[200.102.52.154]
Apr 12 20:30:42 host2 postfix/smtpd[3369]: connect from static-35-238-132-188.sadecehosting.net[188.132.238.35]
Apr 12 20:30:42 host2 postfix/smtpd[11206]: connect from mail.trustlibertyinsurance.com[173.161.193.81]
Apr 12 20:30:42 host2 postfix/smtpd[9331]: connect from h85.129.40.162.static.ip.windstream.net[162.40.129.85]
Apr 12 20:30:42 host2 postfix/smtpd[5895]: warning: hostname 189-111-158-31.dsl.telesp.net.br does not resolve to address 189.111.158.31: Name or service not known
Apr 12 20:30:42 host2 postfix/smtpd[5895]: connect from unknown[189.111.158.31]
Apr 12 20:30:42 host2 postfix/smtpd[4101]: lost connection after CONNECT from unknown[189.59.15.173]
Apr 12 20:30:42 host2 postfix/smtpd[4101]: disconnect from unknown[189.59.15.173]
Apr 12 20:30:42 host2 postfix/smtpd[4101]: connect from unknown[61.100.1.118]
Apr 12 20:30:42 host2 postfix/smtpd[4761]: warning: hostname dsl-189-155-99-74-dyn.prod-infinitum.com.mx does not resolve to address 189.155.99.74: Name or service not known
Apr 12 20:30:42 host2 postfix/smtpd[4761]: connect from unknown[189.155.99.74]
Apr 12 20:30:42 host2 postfix/smtpd[7364]: warning: hostname 177-103-161-113.dsl.telesp.net.br does not resolve to address 177.103.161.113: Name or service not known
Apr 12 20:30:42 host2 postfix/smtpd[7364]: connect from unknown[177.103.161.113]
Apr 12 20:30:43 host2 postfix/smtpd[3618]: warning: unknown[189.73.92.128]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[4737]: warning: unknown[189.111.154.120]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[9103]: warning: unknown[202.146.225.79]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[7737]: warning: unknown[189.11.71.90]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[2699]: warning: 189-47-136-32.dsl.telesp.net.br[189.47.136.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[5454]: warning: unknown[121.140.124.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[6154]: warning: unknown[58.185.113.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[6590]: warning: 189-19-18-112.dsl.telesp.net.br[189.19.18.112]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[2709]: warning: unknown[64.191.128.86]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[6851]: warning: unknown[187.11.141.128]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[4296]: warning: unknown[201.6.125.112]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[6690]: warning: unknown[122.166.225.65]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[7126]: warning: unknown[177.23.136.178]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[6636]: warning: unknown[201.31.226.131]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[6154]: too many errors after AUTH from unknown[58.185.113.150]
Apr 12 20:30:43 host2 postfix/smtpd[5454]: too many errors after AUTH from unknown[121.140.124.17]
Apr 12 20:30:43 host2 postfix/smtpd[6154]: disconnect from unknown[58.185.113.150]
Apr 12 20:30:43 host2 postfix/smtpd[5454]: disconnect from unknown[121.140.124.17]
Apr 12 20:30:43 host2 postfix/smtpd[2699]: too many errors after AUTH from 189-47-136-32.dsl.telesp.net.br[189.47.136.32]
Apr 12 20:30:43 host2 postfix/smtpd[2699]: disconnect from 189-47-136-32.dsl.telesp.net.br[189.47.136.32]
Apr 12 20:30:43 host2 postfix/smtpd[9103]: too many errors after AUTH from unknown[202.146.225.79]
Apr 12 20:30:43 host2 postfix/smtpd[9103]: disconnect from unknown[202.146.225.79]
Apr 12 20:30:43 host2 postfix/smtpd[7737]: too many errors after AUTH from unknown[189.11.71.90]
Apr 12 20:30:43 host2 postfix/smtpd[2709]: too many errors after AUTH from unknown[64.191.128.86]
Apr 12 20:30:43 host2 postfix/smtpd[2709]: disconnect from unknown[64.191.128.86]
Apr 12 20:30:43 host2 postfix/smtpd[6590]: too many errors after AUTH from 189-19-18-112.dsl.telesp.net.br[189.19.18.112]

How do I deal with these malicious connections? They are retrying almost non-stop...

Fri, 04/12/2013 - 09:22
andreychek

Howdy,

That's unfortunate! It looks like you have quite a few bots trying to guess passwords.

I might suggest blocking the IP addresses of the offenders.

You can do that via a firewall.

Or, a quick and simple way to do that via the command line is to run this command:

route add -host x.x.x.x reject

Where "x.x.x.x" is the IP address of the host you wish to block.

-Eric

Fri, 04/12/2013 - 18:14
adrianmak

I will do the following:
1. Statically block whole countries' IP ranges, e.g. Afghanistan, Argentina, Brazil.
2. Dynamically ban IPs through fail2ban after a certain number of failed retries.

Will the IPs banned by fail2ban be lost after a system reboot?
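
As an added example (not code from this thread or from fail2ban itself), here is a small Python script that does the same maxretry/findtime counting a fail2ban jail does over Postfix SASL-failure lines like the ones in the first post, so you can see which client IPs a given jail setting would ban. The log lines are constructed with RFC 5737 test addresses, and the year is an assumption, since syslog timestamps omit it.

```python
# Added example: fail2ban-style counting of Postfix SASL failures per client IP.
# Log lines are constructed (RFC 5737 test addresses); syslog carries no year,
# so one is assumed. "UGFzc3dvcmQ6" is base64 for "Password:", the server's
# LOGIN challenge that Postfix echoes on failure; it is not a leaked secret.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Apr 12 20:30:43 host2 postfix/smtpd[3618]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:44 host2 postfix/smtpd[3618]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:45 host2 postfix/smtpd[3618]: too many errors after AUTH from unknown[192.0.2.10]
Apr 12 20:31:01 host2 postfix/smtpd[4102]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:43 host2 postfix/smtpd[4737]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 20:30:50 host2 postfix/smtpd[4737]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Apr 12 20:30:43 host2 postfix/smtpd[5454]: warning: mail.example.net[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 21:15:00 host2 postfix/smtpd[6001]: warning: mail.example.net[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 12 21:30:00 host2 postfix/smtpd[6002]: warning: mail.example.net[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Client name may be "unknown" or a reverse-DNS name; the IP is always in [].
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)

def parse_failures(lines, year=2013):
    """Yield (timestamp, client_ip) for every SASL authentication failure."""
    for line in lines:
        m = SASL_FAIL.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(lines, maxretry=3, findtime=600):
    """Return {ip: total_failures} for IPs with maxretry failures inside any
    findtime-second window, i.e. what a jail with those settings would ban."""
    hits = defaultdict(list)
    for ts, ip in parse_failures(lines):
        hits[ip].append(ts)
    window = timedelta(seconds=findtime)
    banned = {}
    for ip, times in hits.items():
        times.sort()
        # Slide a window of maxretry consecutive failures over the sorted times.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned[ip] = len(times)
                break
    return banned
```

Run it against your own mail log with `offenders(open("/var/log/mail.log"))` and compare the result with `fail2ban-client status` for your postfix jail to confirm the jail's regex and thresholds match what you expect.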

Fri, 04/12/2013 - 22:36
andreychek

I'm not sure, unfortunately... I don't know all the details of how Fail2Ban works.

That may even be a Fail2Ban setting -- you might be able to set whether they are retained after a reboot.

-Eric
