HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials
Relay access attempts (http://www.howtoforge.com/forums/showthread.php?t=27511)

cat 6th October 2008 04:56

Relay access attempts
 
I am receiving the entries below in my mail log on a regular basis, sometimes many times in one day. This IP address is not the only one making this attempt; there are several.

Is this a problem or potential problem?
Is there a way to block all attempts from these IP addresses?

Quote:

Oct 5 07:41:10 myserver postfix/smtpd[1877]: connect from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:11 myserver postfix/smtpd[1877]: lost connection after EHLO from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:11 myserver postfix/smtpd[1877]: disconnect from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:11 myserver postfix/smtpd[1877]: connect from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:16 myserver postfix/smtpd[1877]: warning: 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]: SASL LOGIN authentication failed: authentication failure
Oct 5 07:41:17 myserver postfix/smtpd[1877]: lost connection after AUTH from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:17 myserver postfix/smtpd[1877]: disconnect from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:44:37 myserver postfix/anvil[1882]: statistics: max connection rate 2/60s for (smtp:124.8.106.88) at Oct 5 07:41:11
Oct 5 07:44:37 myserver postfix/anvil[1882]: statistics: max connection count 1 for (smtp:124.8.106.88) at Oct 5 07:41:10
Oct 5 07:44:37 myserver postfix/anvil[1882]: statistics: max cache size 1 at Oct 5 07:41:10
Oct 5 08:54:16 myserver postfix/smtpd[3677]: connect from 118-161-48-181.dynamic.hinet.net[118.161.48.181]
Oct 5 08:54:20 myserver postfix/smtpd[3677]: NOQUEUE: reject: RCPT from 118-161-48-181.dynamic.hinet.net[118.161.48.181]: 554 5.7.1 <vjd39hww@yahoo.com.tw>: Relay access denied; from=<ttc585ttc585@yahoo.com.tw> to=<vjd39hww@yahoo.com.tw> proto=SMTP helo=<203.171.121.69>
Oct 5 08:54:21 myserver postfix/smtpd[3677]: lost connection after RCPT from 118-161-48-181.dynamic.hinet.net[118.161.48.181]
Oct 5 08:54:21 myserver postfix/smtpd[3677]: disconnect from 118-161-48-181.dynamic.hinet.net[118.161.48.181]
Oct 5 08:57:41 myserver postfix/anvil[3679]: statistics: max connection rate 1/60s for (smtp:118.161.48.181) at Oct 5 08:54:16
Oct 5 08:57:41 myserver postfix/anvil[3679]: statistics: max connection count 1 for (smtp:118.161.48.181) at Oct 5 08:54:16
Oct 5 08:57:41 myserver postfix/anvil[3679]: statistics: max cache size 1 at Oct 5 08:54:16

till 6th October 2008 10:03

Quote:

Is this a problem or potential problem?
No, that's normal. These are just some guys who want to use your server to send spam.

Quote:

Is there a way to block all attempts from these IP addresses?
There are several ways, one way is:

/sbin/route add -host 124.8.106.88 reject

Or you take a look at fail2ban and denyhosts.

cat 17th November 2008 09:43

fail2ban permanently banning a persistent offenders
 
I have fail2ban installed and working; it is banning relay access attempts amongst others. However I have several IPs that are being persistent and have worked out that they are only banned for a while, so they try, and when they get banned they wait for a bit and then try again after they have been unbanned.

I know that I can block IPs with iptables manually and I have tried this; however some program on my system (and I think it was fail2ban) has rewritten the iptables rules and removed all of my additions.

I went back to the fail2ban documentation to see if there was anything I could do. In the documentation it says that you can ban "temporarily or permanently". I have the temporary ban working; what I want is a way of permanently banning persistent offenders. Does anyone know how to block persistent offenders with fail2ban?

Thanks in advance.
Cat

till 17th November 2008 09:50

As far as I know, fail2ban can ban temporarily or permanently, but I don't think that it can ban only some IPs permanently. What you might use to ban some IPs permanently is this command, which should not collide with the fail2ban iptables rules:

/sbin/route add -host 192.168.0.1 reject

cat 20th November 2008 07:02

I am unsure that fail2ban is working
 
fail2ban was updated a day or two ago when I ran update manager. This usually does not cause any problems.
After the update I noticed some new information when I ran iptables -L.

From iptables -L
Quote:

Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-named-refused-tcp tcp -- anywhere anywhere multiport dports domain,953
fail2ban-proftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-courierauth tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-apache tcp -- anywhere anywhere multiport dports www
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-couriersmtp tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-apache-overflows tcp -- anywhere anywhere multiport dports www,https
fail2ban-apache-multiport tcp -- anywhere anywhere multiport dports www,https
fail2ban-ssh-ddos tcp -- anywhere anywhere multiport dports ssh
fail2ban-named-refused-udp udp -- anywhere anywhere multiport dports domain,953
fail2ban-apache-noscript tcp -- anywhere anywhere multiport dports www
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Is this correct, or is there a problem with fail2ban?

I also noticed in the fail2ban.log

From fail2ban.log
Quote:

Nov 20 09:43:09 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:43:45 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:44:49 myserv1 last message repeated 5 times
Nov 20 09:45:53 myserv1 last message repeated 6 times
Nov 20 09:47:00 myserv1 last message repeated 4 times
Nov 20 09:47:42 myserv1 last message repeated 3 times
There does not seem to be anything banning these attempts. When fail2ban used to ban things it would put "ban" on the end of the line; I don't see that any more. I created a jail.local and added the jails from Falko's how-to on setting up fail2ban on Debian. However I had to make most of them "enabled = false" because I got the following error messages.

From fail2ban.log
Quote:

2008-11-19 14:42:08,616 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 09:55:44,518 fail2ban.actions.action: ERROR iptables -N fail2ban-couriersmtp
iptables -A fail2ban-couriersmtp -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-couriersmtp returned 200
2008-11-20 09:55:44,718 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-postfix returned 200
2008-11-20 10:23:24,921 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2008-11-20 11:03:28,170 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j
2008-11-20 11:47:11,684 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j
2008-11-20 11:47:19,780 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 12:12:56,511 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'pop3: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 12:16:15,491 fail2ban.comm : WARNING Invalid command: ['set', 'courierimap', 'failregex', 'imapd: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 12:18:49,953 fail2ban.comm : WARNING Invalid command: ['set', 'sasl', 'failregex', 'warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed']
2008-11-20 12:20:22,177 fail2ban.comm : WARNING Invalid command: ['set', 'proftpd', 'failregex', 'proftpd: \\(pam_unix\\) authentication failure; .* rhost=<HOST>']
2008-11-20 13:08:47,448 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
I have read everything I can but I can't find anything that seems to make a difference. Does anyone have any ideas?

from mail.log
Quote:

Nov 20 09:37:58 myserv1 postfix/smtpd[25042]: connect from 118-168-101-96.dynamic.hinet.net[118.168.101.96]
Nov 20 09:37:59 myserv1 postfix/smtpd[25042]: NOQUEUE: reject: RCPT from 118-168-101-96.dynamic.hinet.net[118.168.101.96]: 554 5.7.1 <dcu846eg@yahoo.com.tw>: Relay access denied; from=<ttc585ttc585@yahoo.com.tw> to=<dcu846eg@yahoo.com.tw> proto=SMTP helo=<203.171.121.69>
Nov 20 09:38:00 myserv1 postfix/smtpd[25042]: lost connection after RCPT from 118-168-101-96.dynamic.hinet.net[118.168.101.96]
Nov 20 09:38:00 myserv1 postfix/smtpd[25042]: disconnect from 118-168-101-96.dynamic.hinet.net[118.168.101.96]
Nov 20 09:38:03 myserv1 postfix/smtpd[25042]: connect from localhost[127.0.0.1]
Nov 20 09:38:03 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:38:03 myserv1 postfix/smtpd[25042]: disconnect from localhost[127.0.0.1]
Nov 20 09:38:03 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:38:03 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:41:10 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:41:10 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:41:10 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:41:10 myserv1 postfix/smtpd[25469]: connect from localhost[127.0.0.1]
Nov 20 09:41:10 myserv1 postfix/smtpd[25469]: disconnect from localhost[127.0.0.1]
Nov 20 09:41:23 myserv1 postfix/anvil[25046]: statistics: max connection rate 1/60s for (smtp:118.168.101.96) at Nov 20 09:37:58
Nov 20 09:41:23 myserv1 postfix/anvil[25046]: statistics: max connection count 1 for (smtp:118.168.101.96) at Nov 20 09:37:58
Nov 20 09:41:23 myserv1 postfix/anvil[25046]: statistics: max cache size 1 at Nov 20 09:37:58
Nov 20 09:42:52 myserv1 postfix/smtpd[25469]: connect from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
Nov 20 09:43:09 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:43:45 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:44:12 myserv1 last message repeated 2 times
Nov 20 09:44:16 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: connect from localhost[127.0.0.1]
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: disconnect from localhost[127.0.0.1]
Nov 20 09:44:32 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:45:03 myserv1 last message repeated 3 times
Nov 20 09:46:07 myserv1 last message repeated 6 times
Nov 20 09:47:00 myserv1 last message repeated 3 times
Nov 20 09:47:11 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:47:22 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:47:22 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:47:22 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:47:22 myserv1 postfix/smtpd[25961]: connect from localhost[127.0.0.1]
Nov 20 09:47:22 myserv1 postfix/smtpd[25961]: disconnect from localhost[127.0.0.1]
Nov 20 09:47:24 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:47:42 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:47:44 myserv1 postfix/smtpd[25469]: too many errors after AUTH from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
Nov 20 09:47:44 myserv1 postfix/smtpd[25469]: disconnect from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
Nov 20 09:50:29 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:50:29 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:50:29 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:50:29 myserv1 postfix/smtpd[26364]: connect from localhost[127.0.0.1]
Nov 20 09:50:29 myserv1 postfix/smtpd[26364]: disconnect from localhost[127.0.0.1]
Nov 20 09:51:04 myserv1 postfix/anvil[25519]: statistics: max connection rate 1/60s for (smtp:124.8.75.8) at Nov 20 09:42:52
Nov 20 09:51:04 myserv1 postfix/anvil[25519]: statistics: max connection count 1 for (smtp:124.8.75.8) at Nov 20 09:42:52
Nov 20 09:51:04 myserv1 postfix/anvil[25519]: statistics: max cache size 1 at Nov 20 09:42:52
Also, a separate issue: I am getting lots of entries like the ones below in my mail.log file. Is there a problem there, and if not, is there a way to stop them from being generated?

From mail.log
Quote:

Nov 20 09:44:16 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: connect from localhost[127.0.0.1]
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: disconnect from localhost[127.0.0.1]
Thanks for your help
cat:eek:
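An added example (not from the thread, not fail2ban's own code) that applies the sasl failregex quoted in the fail2ban.log above, plus a pattern for the "Relay access denied" rejections, to the quoted mail.log lines and counts hits per client the way fail2ban's maxretry/findtime rule does; it also credits syslog's "last message repeated N times" lines to the preceding client, since those lines hide failures from a plain line count. The year constant, the relay pattern and the window parameters are assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2008  # syslog lines carry no year; this value matches the thread's log (an assumption)
# The SASL pattern is the fail2ban "sasl" failregex quoted in the thread, with <HOST> expanded
# to a capture group the way fail2ban does internally; the other patterns are written here.
TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
SASL_FAIL = re.compile(r"warning: [-._\w]+\[(?P<host>[\d.]+)\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed")
RELAY_DENIED = re.compile(r"reject: RCPT from [-._\w]+\[(?P<host>[\d.]+)\]: 554 5\.7\.1 .*Relay access denied")
REPEATED = re.compile(r"last message repeated (?P<n>\d+) times")

def failures_per_host(lines):
    """Map client IP -> timestamps of SASL failures and 'Relay access denied' rejects. Syslog's
    'last message repeated N times' hides N more hits; they are credited to the preceding host."""
    hits, last_host = defaultdict(list), None
    for line in lines:
        m_ts = TS.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(f"{YEAR} {' '.join(m_ts.group('ts').split())}", "%Y %b %d %H:%M:%S")
        m = SASL_FAIL.search(line) or RELAY_DENIED.search(line)
        if m:
            last_host = m.group("host")
            hits[last_host].append(ts)
        elif last_host and (rep := REPEATED.search(line)):
            hits[last_host].extend([ts] * int(rep.group("n")))
        else:
            last_host = None  # any other line breaks the syslog repeat chain
    return dict(hits)

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Hosts with maxretry hits inside some findtime-second window (fail2ban's rule); log order assumed."""
    banned = set()
    for host, times in failures_per_host(lines).items():
        for first, last in zip(times, times[maxretry - 1:]):
            if (last - first).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned

# Lines copied from the mail.log quoted in the thread; the localhost line shows the repeat chain reset.
SAMPLE_LOG = [
    "Nov 20 09:37:59 myserv1 postfix/smtpd[25042]: NOQUEUE: reject: RCPT from 118-168-101-96.dynamic.hinet.net[118.168.101.96]: 554 5.7.1 <dcu846eg@yahoo.com.tw>: Relay access denied; from=<ttc585ttc585@yahoo.com.tw> to=<dcu846eg@yahoo.com.tw> proto=SMTP helo=<203.171.121.69>",
    "Nov 20 09:43:09 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure",
    "Nov 20 09:43:45 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure",
    "Nov 20 09:44:12 myserv1 last message repeated 2 times",
    "Nov 20 09:44:16 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]",
    "Nov 20 09:44:32 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure",
]
```

With the sample above, 124.8.75.8 is credited five failures (three logged lines plus the two hidden by the repeat line) and is the only host that crosses the default threshold; the relay attempt from 118.168.101.96 counts once and stays below it.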

madmucho 21st November 2008 14:35

Hi
 
Ad code 1: that is normal, but your fail2ban has no enabled jail, so it doesn't do anything.

Ad code 2: that isn't normal; please check the configuration of your fail2ban jails and log paths.

Ad code 3: connections from localhost are normal; those are ISPConfig service check attempts.

Try to configure and understand the fail2ban settings, enable only the rules you need, and add your IP to the ignoreip list :-) because you can be banned too while configuring and making tests :-).

till 22nd January 2010 16:21

/sbin/route is a command and not a file to add something to. Just execute the command as it is shown in my post, and replace the IP with the IP that shall be banned.

dayjahone 22nd January 2010 16:29

How do I remove the block if I mess up?

till 22nd January 2010 16:32

See for details:

man route

Example:

/sbin/route del -host 192.168.0.1 reject

dayjahone 22nd January 2010 16:39

Does it work with domains as well?

for example: /sbin/route add -host terra.com reject
