Attacks on MTA


dclardy
29th September 2009, 16:00
How can I prevent these? I configured the Fail2Ban using Falko's tutorial. I figure it is only a matter of time until they get in.

Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:53 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:54 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:54 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 28 01:04:44 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 01:04:45 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 06:30:32 server1 postfix/smtpd[23691]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:44 server1 postfix/smtpd[23709]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:55 server1 postfix/smtpd[23711]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:07 server1 postfix/smtpd[23712]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:18 server1 postfix/smtpd[23719]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:30 server1 postfix/smtpd[23720]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:41 server1 postfix/smtpd[23721]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:53 server1 postfix/smtpd[23722]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:04 server1 postfix/smtpd[23723]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:16 server1 postfix/smtpd[23730]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:28 server1 postfix/smtpd[23731]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:39 server1 postfix/smtpd[23732]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:51 server1 postfix/smtpd[23733]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure

Any help would be appreciated. These are not being blocked by Fail2Ban.

edge
29th September 2009, 16:05
They are not banned as you probably did not create a rule to do so.
Have a look at your jail.local, and create a rule for pop3d.

dclardy
29th September 2009, 16:08
This is the configuration for pop3 in fail2ban.


[courierpop3]

enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

Here is the error in fail2ban:

2009-09-27 06:25:03,593 fail2ban.comm : WARNING Invalid command: ['add', 'courierpop3', 'polling']

edge
29th September 2009, 16:20
Are you using courierpop3?

The rule that you need probably looks something like this (NOT TESTED!):

[pop3d]

enabled = true
port = pop3
filter = pop3d
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

Basically the rule scans your mail.log file for the text "pop3d: LOGIN FAILED", and logs the IP that is causing the LOGIN FAILED.
After a maxretry of 5 times fail2ban will kick in and block that IP.

Make sure that you restart fail2ban after adding this.

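The following is an added example, not code from this thread or from fail2ban itself. It models what edge describes above in Python: expand the <HOST> placeholder in a jail.local-style failregex, scan mail.log lines, count matches per IP inside a findtime window and "ban" once maxretry is reached. The <HOST> expansion is an approximation of fail2ban's own pattern, the log lines are constructed with documentation addresses (not the ones in the thread), and the extra "Maximum connection limit reached" rule is a hypothetical addition: it is there to show that edge's LOGIN FAILED rule, and the original [courierpop3] rule, never match the lines the original poster actually pasted, which is why nothing gets banned.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Approximation of fail2ban's <HOST> placeholder (assumption, not fail2ban's
# exact pattern): optional IPv4-mapped "::ffff:" prefix, address in group "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.]+)"


def compile_failregex(failregex):
    """Expand <HOST> in a jail.local-style failregex and compile it."""
    return re.compile(failregex.replace("<HOST>", HOST))


# The failregex from the original poster's [courierpop3] jail.
ORIG_RULE = compile_failregex(r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]")
# The rule edge suggested for courier's "pop3d: LOGIN FAILED" lines.
LOGIN_FAILED = compile_failregex(r"pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]")
# Hypothetical extra rule (constructed here, not from the thread) for the
# "Maximum connection limit reached" lines the original poster actually saw.
CONN_LIMIT = compile_failregex(r"pop3d: Maximum connection limit reached for <HOST>")

SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year=2009):
    """Parse the syslog timestamp; syslog omits the year, so one is assumed."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def ban_list(log_text, rules=(LOGIN_FAILED, CONN_LIMIT), maxretry=5, findtime=600):
    """fail2ban-style evaluation: a host is banned once any rule matches it
    `maxretry` times within a sliding window of `findtime` seconds."""
    recent = defaultdict(deque)  # host -> timestamps of matches still in window
    banned = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        for rule in rules:
            m = rule.search(line)
            if m is None:
                continue
            host = m.group("host")
            if host in banned:
                break  # already blocked; fail2ban would not see more traffic
            hits = recent[host]
            hits.append(ts)
            while (ts - hits[0]).total_seconds() > findtime:
                hits.popleft()
            if len(hits) >= maxretry:
                banned.append(host)
            break  # one match per line is enough
    return banned


# Constructed sample in the same format as the thread's mail.log excerpt,
# using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Sep 28 06:30:32 server1 pop3d: Maximum connection limit reached for ::ffff:203.0.113.9
Sep 28 06:30:32 server1 pop3d: Maximum connection limit reached for ::ffff:203.0.113.9
Sep 28 06:30:33 server1 pop3d: Maximum connection limit reached for ::ffff:203.0.113.9
Sep 28 06:30:33 server1 pop3d: Maximum connection limit reached for ::ffff:203.0.113.9
Sep 28 06:30:34 server1 pop3d: Maximum connection limit reached for ::ffff:203.0.113.9
Sep 28 06:40:01 server1 pop3d: LOGIN FAILED, user=test, ip=[::ffff:198.51.100.7]
Sep 28 06:40:05 server1 pop3d: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.7]
Sep 28 06:40:09 server1 pop3d: LOGIN FAILED, user=info, ip=[::ffff:198.51.100.7]
Sep 28 06:40:13 server1 pop3d: LOGIN FAILED, user=sales, ip=[::ffff:198.51.100.7]
Sep 28 06:41:20 server1 pop3d: LOGIN FAILED, user=root, ip=[::ffff:198.51.100.7]
Sep 28 07:00:00 server1 pop3d: LOGIN FAILED, user=bob, ip=[::ffff:192.0.2.44]
Sep 28 07:30:00 server1 pop3d: LOGIN FAILED, user=bob, ip=[::ffff:192.0.2.44]
Sep 28 07:30:01 server1 pop3d: LOGIN, user=bob, ip=[::ffff:192.0.2.44]
"""

if __name__ == "__main__":
    print("original [courierpop3] rule bans:", ban_list(SAMPLE_LOG, [ORIG_RULE]))
    print("edge's pop3d rule bans:          ", ban_list(SAMPLE_LOG, [LOGIN_FAILED]))
    print("with connection-limit rule too:  ", ban_list(SAMPLE_LOG))
```

Run against the sample, the original "courierpop3login:" rule bans nobody, edge's rule bans only the host with five LOGIN FAILED lines inside ten minutes (the two widely spaced failures from 192.0.2.44 fall outside findtime and are ignored), and only the added connection-limit rule catches a flood like the one in the first post. The same check can be done against a real mail.log with fail2ban's own fail2ban-regex tool before restarting the service.
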
dclardy
29th September 2009, 16:50
It still does not work. Does anyone have a working jail.local file? I am using the Perfect Server Debian Lenny and ISPConfig 3.0.1.4. It would be a big help.

Thanks.