HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


dclardy 29th September 2009 16:00

Attacks on MTA
 
How can I prevent these? I configured the Fail2Ban using Falko's tutorial. I figure it is only a matter of time until they get in.

Code:

Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:53 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:54 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:54 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 28 01:04:44 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 01:04:45 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 06:30:32 server1 postfix/smtpd[23691]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:44 server1 postfix/smtpd[23709]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:55 server1 postfix/smtpd[23711]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:07 server1 postfix/smtpd[23712]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:18 server1 postfix/smtpd[23719]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:30 server1 postfix/smtpd[23720]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:41 server1 postfix/smtpd[23721]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:53 server1 postfix/smtpd[23722]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:04 server1 postfix/smtpd[23723]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:16 server1 postfix/smtpd[23730]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:28 server1 postfix/smtpd[23731]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:39 server1 postfix/smtpd[23732]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:51 server1 postfix/smtpd[23733]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure

Any help would be appreciated. These are not being blocked by Fail2Ban.

edge 29th September 2009 16:05

They are not banned as you probably did not create a rule to do so.
Have a look at your jail.local, and create a rule for pop3d

dclardy 29th September 2009 16:08

This is the configuration for pop3 in fail2ban.

Code:

[courierpop3]

enabled  = true
port    = pop3
filter  = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5

Here is the error in fail2ban:

Code:

2009-09-27 06:25:03,593 fail2ban.comm : WARNING Invalid command: ['add', 'courierpop3', 'polling']

edge 29th September 2009 16:20

Are you using courierpop3?

The rule that you need probably looks something like this (NOT TESTED!)

[pop3d]

enabled = true
port = pop3
filter = pop3d
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

Basically the rule scans your mail.log file for the text "pop3d: LOGIN FAILED", and logs the IP that is causing the LOGIN FAILED.
After a maxretry of 5 times fail2ban will kick in, and block that IP.

Make sure that you restart fail2ban after adding this.

dclardy 29th September 2009 16:50

It still does not work. Does anyone have a working jail.local file? I am using the Perfect Server Debian Lenny and ISPConfig 3.0.1.4. It would be a big help.

Thanks.
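An added example, not part of any post in this thread: it runs the two failregex values quoted above against three lines copied from the posted log, to show which lines each rule would actually count. The `<HOST>` expansion is an approximation of fail2ban's, and the two `EXAMPLE_RULES` patterns are hypothetical ones written for this illustration.

```python
import re
from collections import Counter

# Approximation (assumption) of how fail2ban expands <HOST>: an optional
# IPv4-mapped "::ffff:" prefix followed by the captured address.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w.\-]+)"

# The two failregex values quoted in the thread.
THREAD_RULES = {
    "courierpop3": r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "pop3d": r"pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]",
}
# Hypothetical patterns written for this example to fit the posted log lines.
EXAMPLE_RULES = {
    "pop3d-connlimit": r"pop3d: Maximum connection limit reached for <HOST>$",
    "postfix-sasl": r"postfix/smtpd\[\d+\]: warning: \S+\[<HOST>\]: SASL \w+ authentication failed",
}

# Three representative lines copied from the log in the first post.
SAMPLE_LOG = """\
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 28 01:04:44 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 06:30:32 server1 postfix/smtpd[23691]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
""".splitlines()


def count_hits(rules, lines):
    """Return {rule_name: Counter(host -> number of matching lines)}."""
    hits = {}
    for name, pattern in rules.items():
        rx = re.compile(pattern.replace("<HOST>", HOST))
        hits[name] = Counter(
            m.group("host") for m in map(rx.search, lines) if m
        )
    return hits


if __name__ == "__main__":
    for label, rules in (("thread", THREAD_RULES), ("example", EXAMPLE_RULES)):
        for name, hosts in count_hits(rules, SAMPLE_LOG).items():
            print(f"{label:8} {name:16} {dict(hosts) or 'no match'}")
```

Neither thread rule matches any sample line, because the log contains no "LOGIN FAILED" text. The same check can be made on the server with `fail2ban-regex /var/log/mail.log '<regex>'`; a jail for the Postfix SASL lines would need an SMTP port rather than `pop3`.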


All times are GMT +2.