#1  6th October 2008, 04:56
cat (Member, Australia)
Relay access attempts

I am receiving the entries below in my mail log on a regular basis, sometimes many times in one day. This IP address is not the only one making this attempt; there are several.

Is this a problem or a potential problem?
Is there a way to block all attempts from these IP addresses?

Quote:
Oct 5 07:41:10 myserver postfix/smtpd[1877]: connect from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:11 myserver postfix/smtpd[1877]: lost connection after EHLO from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:11 myserver postfix/smtpd[1877]: disconnect from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:11 myserver postfix/smtpd[1877]: connect from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:16 myserver postfix/smtpd[1877]: warning: 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]: SASL LOGIN authentication failed: authentication failure
Oct 5 07:41:17 myserver postfix/smtpd[1877]: lost connection after AUTH from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:17 myserver postfix/smtpd[1877]: disconnect from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:44:37 myserver postfix/anvil[1882]: statistics: max connection rate 2/60s for (smtp:124.8.106.88) at Oct 5 07:41:11
Oct 5 07:44:37 myserver postfix/anvil[1882]: statistics: max connection count 1 for (smtp:124.8.106.88) at Oct 5 07:41:10
Oct 5 07:44:37 myserver postfix/anvil[1882]: statistics: max cache size 1 at Oct 5 07:41:10
Oct 5 08:54:16 myserver postfix/smtpd[3677]: connect from 118-161-48-181.dynamic.hinet.net[118.161.48.181]
Oct 5 08:54:20 myserver postfix/smtpd[3677]: NOQUEUE: reject: RCPT from 118-161-48-181.dynamic.hinet.net[118.161.48.181]: 554 5.7.1 <vjd39hww@yahoo.com.tw>: Relay access denied; from=<ttc585ttc585@yahoo.com.tw> to=<vjd39hww@yahoo.com.tw> proto=SMTP helo=<203.171.121.69>
Oct 5 08:54:21 myserver postfix/smtpd[3677]: lost connection after RCPT from 118-161-48-181.dynamic.hinet.net[118.161.48.181]
Oct 5 08:54:21 myserver postfix/smtpd[3677]: disconnect from 118-161-48-181.dynamic.hinet.net[118.161.48.181]
Oct 5 08:57:41 myserver postfix/anvil[3679]: statistics: max connection rate 1/60s for (smtp:118.161.48.181) at Oct 5 08:54:16
Oct 5 08:57:41 myserver postfix/anvil[3679]: statistics: max connection count 1 for (smtp:118.161.48.181) at Oct 5 08:54:16
Oct 5 08:57:41 myserver postfix/anvil[3679]: statistics: max cache size 1 at Oct 5 08:54:16
#2  6th October 2008, 10:03
till (Super Moderator, Lüneburg, Germany)

Quote:
Is this a problem or potential problem?
No, that's normal. These are just some guys who want to use your server to send spam.

Quote:
Is there a way to block all attempts from these IP addresses?
There are several ways; one way is:

/sbin/route add -host 124.8.106.88 reject

Or take a look at fail2ban and denyhosts.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
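As an added example (not from the thread, and not ISPConfig or fail2ban code), the script below triages Postfix log lines of the two kinds posted above, the SASL LOGIN failures and the 554 Relay access denied rejects, counts them per client IP and prints the reject-route command from the reply for every IP over a threshold. Its SASL pattern has the same shape as the fail2ban sasl failregex that appears later in this thread. It goes one step beyond what fail2ban does: a syslog "last message repeated N times" line carries no IP, so a failregex that must match <HOST> never counts it, whereas this script credits the repeats to the preceding line. The sample log is constructed from lines modelled on the posted ones, and the thresholds are assumptions.

```python
"""Triage Postfix smtpd log lines for relay probes and SASL brute force.

Added example, not from the thread and not ISPConfig or fail2ban code.
"""
import re

# Constructed sample, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
Oct 5 07:41:10 myserver postfix/smtpd[1877]: connect from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 07:41:16 myserver postfix/smtpd[1877]: warning: 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]: SASL LOGIN authentication failed: authentication failure
Oct 5 07:41:17 myserver postfix/smtpd[1877]: lost connection after AUTH from 124-8-106-88.dynamic.tfn.net.tw[124.8.106.88]
Oct 5 08:54:20 myserver postfix/smtpd[3677]: NOQUEUE: reject: RCPT from 118-161-48-181.dynamic.hinet.net[118.161.48.181]: 554 5.7.1 <vjd39hww@yahoo.com.tw>: Relay access denied; from=<ttc585ttc585@yahoo.com.tw> to=<vjd39hww@yahoo.com.tw> proto=SMTP helo=<203.171.121.69>
Nov 20 09:43:09 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:44:49 myserv1 last message repeated 5 times
Nov 20 09:47:44 myserv1 postfix/smtpd[25469]: too many errors after AUTH from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
"""

# Same shape as fail2ban's sasl filter: the IP sits in brackets after the
# client's reverse name, and several SASL mechanisms share one message.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: [-._\w]+\[(?P<ip>[\d.]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)
RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from [-._\w]+\[(?P<ip>[\d.]+)\]: "
    r"554 5\.7\.1 .*Relay access denied"
)
# syslog collapses identical consecutive lines into this; it has no IP.
REPEATED = re.compile(r" last message repeated (?P<n>\d+) times$")


def count_events(log_text):
    """Return {ip: {"sasl": n, "relay": n}} for the given log text.

    A "last message repeated N times" line is credited to whatever the
    immediately preceding line matched. fail2ban does not do this (its
    failregex must match <HOST>), so its count for the same log is lower.
    """
    counts = {}
    last = None  # (ip, kind) of the most recent matching line
    for line in log_text.splitlines():
        m = REPEATED.search(line)
        if m:
            if last is not None:
                ip, kind = last
                counts[ip][kind] += int(m.group("n"))
            continue
        for kind, rx in (("sasl", SASL_FAIL), ("relay", RELAY_DENIED)):
            m = rx.search(line)
            if m:
                ip = m.group("ip")
                counts.setdefault(ip, {"sasl": 0, "relay": 0})[kind] += 1
                last = (ip, kind)
                break
        else:
            last = None  # an unrelated line breaks the repeat chain
    return counts


def ban_candidates(counts, sasl_threshold=5, relay_threshold=1):
    """IPs whose counts reach either threshold (assumed values)."""
    return sorted(ip for ip, c in counts.items()
                  if c["sasl"] >= sasl_threshold or c["relay"] >= relay_threshold)


def ban_commands(ips):
    """The permanent block from the reply above, one command per host."""
    return ["/sbin/route add -host %s reject" % ip for ip in ips]


if __name__ == "__main__":
    counts = count_events(SAMPLE_LOG)
    for ip in sorted(counts):
        print("%-16s sasl=%d relay=%d" % (ip, counts[ip]["sasl"], counts[ip]["relay"]))
    for cmd in ban_commands(ban_candidates(counts)):
        print(cmd)
```

A single Relay access denied is treated as enough because nothing legitimate should be relaying through this host without authenticating, while a handful of SASL failures can be a user with a stale password; adjust both thresholds to your own traffic. Run it over the whole mail.log rather than a tail, since the anvil statistics lines show these clients come back over hours.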
#3  17th November 2008, 09:43
cat (Member, Australia)
fail2ban: permanently banning persistent offenders

I have fail2ban installed and working; it is banning relay access attempts amongst others. However, I have several IPs that are being persistent and have worked out that they are only banned for a while, so they try, and when they get banned they wait for a bit and then try again after they have been unbanned.

I know that I can block IPs with iptables manually and I have tried this; however, some program on my system (and I think it was fail2ban) has rewritten the iptables rules and removed all of my additions.

I went back to the fail2ban documentation to see if there was anything I could do. In the documentation it says that you can ban “temporarily or permanently”. I have the temporary banning working; what I want is a way of permanently banning persistent offenders. Does anyone know how to block persistent offenders with fail2ban?

Thanks in advance.
Cat
#4  17th November 2008, 09:50
till (Super Moderator, Lüneburg, Germany)

As far as I know, fail2ban can ban temporarily or permanently, but I don't think that it can ban only some IPs temporarily. What you might use to ban some IPs permanently is this command, which should not collide with the fail2ban iptables rules:

/sbin/route add -host 192.168.0.1 reject
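An added example, not from the thread and not ISPConfig or fail2ban code, of applying the reject-route block from the reply above to a whole list of hosts. A reject route lives in the routing table, so fail2ban's iptables chains never touch it, but like an iptables rule it is gone after a reboot; the script is meant to be run from a boot hook and again whenever the list changes, and it skips hosts that already have a reject route so it can be re-run safely. The blocklist path and format, the sample list and the `route -n` output are all constructed for the offline run.

```python
"""Apply a permanent host blocklist with reject routes, idempotently.

Added example, not from the thread and not ISPConfig or fail2ban code.
"""
import ipaddress
import subprocess

BLOCKLIST_PATH = "/etc/blocked-hosts"  # assumed location: one IPv4 host per line

# Constructed sample blocklist (the path above is hypothetical).
SAMPLE_BLOCKLIST = """\
# persistent offenders seen in mail.log
124.8.106.88     # SASL LOGIN brute force
118.161.48.181   # relay probe
192.168.0.1      # private address: skipped on purpose
not-an-address   # garbage: skipped
"""

# Constructed `route -n` output: the first host already has a reject
# route ('!' in Flags, '-' for gateway and interface).
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
124.8.106.88    -               255.255.255.255 !H    0      -        0 -
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""


def parse_blocklist(text):
    """Valid, globally routable IPv4 host addresses from blocklist text.

    '#' starts a comment. Anything that is not a single IPv4 address is
    dropped, so a stray hostname or CIDR block never becomes a route,
    and private/loopback/link-local addresses are refused so a typo
    cannot blackhole the LAN or the box itself.
    """
    hosts = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addr = ipaddress.IPv4Address(entry)
        except ipaddress.AddressValueError:
            continue
        if addr.is_global:
            hosts.append(str(addr))
    return hosts


def existing_reject_hosts(route_n_output):
    """Destinations that already carry a reject host route in `route -n`
    output (the Flags column holds '!' for reject and 'H' for host)."""
    found = set()
    for line in route_n_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "!" in fields[3] and "H" in fields[3]:
            found.add(fields[0])
    return found


def plan(blocklist_text, route_n_output):
    """Commands that bring the routing table up to the blocklist."""
    have = existing_reject_hosts(route_n_output)
    return ["/sbin/route add -host %s reject" % ip
            for ip in parse_blocklist(blocklist_text) if ip not in have]


def apply(commands, dry_run=True):
    """Print (dry run) or execute the planned commands; needs root."""
    for cmd in commands:
        print(cmd)
        if not dry_run:
            subprocess.check_call(cmd.split())


if __name__ == "__main__":
    # Offline demonstration on the constructed data; on a real host read
    # BLOCKLIST_PATH and feed it the output of `/sbin/route -n` instead.
    apply(plan(SAMPLE_BLOCKLIST, SAMPLE_ROUTE_N), dry_run=True)
```

Keeping the list in a file rather than in a firewall script is the point: it survives whatever rewrites the iptables rules, it can be reviewed in one place, and re-applying it is a no-op for hosts that are already blocked.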
#5  20th November 2008, 07:02
cat (Member, Australia)
I am unsure that fail2ban is working

fail2ban was updated a day or two ago when I ran update manager. This usually does not cause any problems.
After the update I noticed some new information when I ran iptables -L

From iptables -L
Quote:
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-named-refused-tcp tcp -- anywhere anywhere multiport dports domain,953
fail2ban-proftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-courierauth tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-apache tcp -- anywhere anywhere multiport dports www
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-couriersmtp tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-apache-overflows tcp -- anywhere anywhere multiport dports www,https
fail2ban-apache-multiport tcp -- anywhere anywhere multiport dports www,https
fail2ban-ssh-ddos tcp -- anywhere anywhere multiport dports ssh
fail2ban-named-refused-udp udp -- anywhere anywhere multiport dports domain,953
fail2ban-apache-noscript tcp -- anywhere anywhere multiport dports www
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Is this correct, or is there a problem with fail2ban?

I also noticed in the fail2ban.log

From fail2ban.log
Quote:
Nov 20 09:43:09 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:43:45 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:44:49 myserv1 last message repeated 5 times
Nov 20 09:45:53 myserv1 last message repeated 6 times
Nov 20 09:47:00 myserv1 last message repeated 4 times
Nov 20 09:47:42 myserv1 last message repeated 3 times
There does not seem to be anything banning these attempts. When fail2ban used to ban things it would put “ban” on the end of the line; I don’t see that any more. I created a jail.local and added the jails from Falko's how-to on setting up fail2ban on Debian. However, I had to make most of them “enabled = false” because I got the following error messages.

From fail2ban.log
Quote:
2008-11-19 14:42:08,616 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 09:55:44,518 fail2ban.actions.action: ERROR iptables -N fail2ban-couriersmtp
iptables -A fail2ban-couriersmtp -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-couriersmtp returned 200
2008-11-20 09:55:44,718 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-postfix returned 200
2008-11-20 10:23:24,921 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2008-11-20 11:03:28,170 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j
2008-11-20 11:47:11,684 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j
2008-11-20 11:47:19,780 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 12:12:56,511 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'pop3: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 12:16:15,491 fail2ban.comm : WARNING Invalid command: ['set', 'courierimap', 'failregex', 'imapd: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
2008-11-20 12:18:49,953 fail2ban.comm : WARNING Invalid command: ['set', 'sasl', 'failregex', 'warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed']
2008-11-20 12:20:22,177 fail2ban.comm : WARNING Invalid command: ['set', 'proftpd', 'failregex', 'proftpd: \\(pam_unix\\) authentication failure; .* rhost=<HOST>']
2008-11-20 13:08:47,448 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
I have read everything I can but I can't find anything that seems to make a difference. Does anyone have any ideas?

from mail.log
Quote:
Nov 20 09:37:58 myserv1 postfix/smtpd[25042]: connect from 118-168-101-96.dynamic.hinet.net[118.168.101.96]
Nov 20 09:37:59 myserv1 postfix/smtpd[25042]: NOQUEUE: reject: RCPT from 118-168-101-96.dynamic.hinet.net[118.168.101.96]: 554 5.7.1 <dcu846eg@yahoo.com.tw>: Relay access denied; from=<ttc585ttc585@yahoo.com.tw> to=<dcu846eg@yahoo.com.tw> proto=SMTP helo=<203.171.121.69>
Nov 20 09:38:00 myserv1 postfix/smtpd[25042]: lost connection after RCPT from 118-168-101-96.dynamic.hinet.net[118.168.101.96]
Nov 20 09:38:00 myserv1 postfix/smtpd[25042]: disconnect from 118-168-101-96.dynamic.hinet.net[118.168.101.96]
Nov 20 09:38:03 myserv1 postfix/smtpd[25042]: connect from localhost[127.0.0.1]
Nov 20 09:38:03 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:38:03 myserv1 postfix/smtpd[25042]: disconnect from localhost[127.0.0.1]
Nov 20 09:38:03 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:38:03 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:38:03 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:41:10 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:41:10 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:41:10 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:41:10 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:41:10 myserv1 postfix/smtpd[25469]: connect from localhost[127.0.0.1]
Nov 20 09:41:10 myserv1 postfix/smtpd[25469]: disconnect from localhost[127.0.0.1]
Nov 20 09:41:23 myserv1 postfix/anvil[25046]: statistics: max connection rate 1/60s for (smtp:118.168.101.96) at Nov 20 09:37:58
Nov 20 09:41:23 myserv1 postfix/anvil[25046]: statistics: max connection count 1 for (smtp:118.168.101.96) at Nov 20 09:37:58
Nov 20 09:41:23 myserv1 postfix/anvil[25046]: statistics: max cache size 1 at Nov 20 09:37:58
Nov 20 09:42:52 myserv1 postfix/smtpd[25469]: connect from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
Nov 20 09:43:09 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:43:45 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:44:12 myserv1 last message repeated 2 times
Nov 20 09:44:16 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: connect from localhost[127.0.0.1]
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: disconnect from localhost[127.0.0.1]
Nov 20 09:44:32 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:45:03 myserv1 last message repeated 3 times
Nov 20 09:46:07 myserv1 last message repeated 6 times
Nov 20 09:47:00 myserv1 last message repeated 3 times
Nov 20 09:47:11 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:47:22 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:47:22 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:47:22 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:47:22 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:47:22 myserv1 postfix/smtpd[25961]: connect from localhost[127.0.0.1]
Nov 20 09:47:22 myserv1 postfix/smtpd[25961]: disconnect from localhost[127.0.0.1]
Nov 20 09:47:24 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:47:42 myserv1 postfix/smtpd[25469]: warning: 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]: SASL LOGIN authentication failed: authentication failure
Nov 20 09:47:44 myserv1 postfix/smtpd[25469]: too many errors after AUTH from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
Nov 20 09:47:44 myserv1 postfix/smtpd[25469]: disconnect from 124-8-75-8.dynamic.tfn.net.tw[124.8.75.8]
Nov 20 09:50:29 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:50:29 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:50:29 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:50:29 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:50:29 myserv1 postfix/smtpd[26364]: connect from localhost[127.0.0.1]
Nov 20 09:50:29 myserv1 postfix/smtpd[26364]: disconnect from localhost[127.0.0.1]
Nov 20 09:51:04 myserv1 postfix/anvil[25519]: statistics: max connection rate 1/60s for (smtp:124.8.75.8) at Nov 20 09:42:52
Nov 20 09:51:04 myserv1 postfix/anvil[25519]: statistics: max connection count 1 for (smtp:124.8.75.8) at Nov 20 09:42:52
Nov 20 09:51:04 myserv1 postfix/anvil[25519]: statistics: max cache size 1 at Nov 20 09:42:52
Also, a separate issue: I am getting lots of entries like the ones below in my mail.log file. Is there a problem there, and if not, is there a way to stop them from being generated?

From mail.log
Quote:
Nov 20 09:44:16 myserv1 pop3d: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 pop3d: Disconnected, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 pop3d-ssl: Unexpected SSL connection shutdown.
Nov 20 09:44:16 myserv1 imapd: Connection, ip=[::ffff:127.0.0.1]
Nov 20 09:44:16 myserv1 imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: connect from localhost[127.0.0.1]
Nov 20 09:44:16 myserv1 postfix/smtpd[25559]: disconnect from localhost[127.0.0.1]
Thanks for your help
cat
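Two checks against the error lines in the post above, as an added example that is neither the thread's nor fail2ban's code. First, the fail2ban of that era (the 0.8 series) ran its actions through os.system() and logged the raw wait status in hex, so "returned 200" is 0x200: the iptables command exited with status 2, which iptables uses for a parameter problem (an already existing chain, by contrast, exits 1). Second, iptables resolves the names in --dports through /etc/services, and a single name it cannot resolve fails the whole rule; the failing rules above list smtp,ssmtp,smtpd, so the script checks every name in a jail's port value against a services table. The /etc/services excerpt and the error line are constructed for the offline run; on the real host, feed it /etc/services and the actual log lines. The later `iptables -D` errors are what a jail's stop action produces when the matching start action never inserted its rule.

```python
"""Decode fail2ban 0.8 action errors and check a jail's port list.

Added example, not from the thread and not fail2ban code.
"""
import re

# Constructed excerpt in /etc/services format; on a real host read
# /etc/services itself, since that is what iptables consults.
SERVICES_EXCERPT = """\
ssh		22/tcp
smtp		25/tcp		mail
domain		53/tcp
domain		53/udp
www		80/tcp		http
pop3		110/tcp		pop-3
imap2		143/tcp		imap
imaps		993/tcp
pop3s		995/tcp
ssmtp		465/tcp		smtps
"""

# The command part of one 'fail2ban.actions.action: ERROR' entry above.
SAMPLE_ERROR = ("iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd "
                "-j fail2ban-couriersmtp returned 200")

ACTION_ERROR = re.compile(r"(?P<cmd>iptables .*?) returned (?P<hex>[0-9a-fA-F]+)\s*$")


def exit_status(returned_hex):
    """Exit status behind the hex value fail2ban prints after 'returned'.

    fail2ban 0.8 runs actions with os.system() and logs the raw wait
    status with %x; for a normal exit the code sits in bits 8..15, and a
    non-zero low byte means the command died from a signal instead.
    """
    status = int(returned_hex, 16)
    if status & 0x7F:
        return -(status & 0x7F)
    return (status >> 8) & 0xFF


def parse_services(text):
    """Map every service name and alias to the (port, proto) pairs it
    names, from /etc/services-style text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            table.setdefault(name, set()).add((int(port), proto))
    return table


def unresolvable_ports(port_spec, services, proto="tcp"):
    """Entries of a 'port = a,b,c' value that iptables could not resolve
    for the protocol, i.e. names with no matching /etc/services entry."""
    bad = []
    for entry in port_spec.split(","):
        entry = entry.strip()
        if entry.isdigit():
            continue
        if not any(p == proto for _, p in services.get(entry, ())):
            bad.append(entry)
    return bad


def explain_error(log_line, services):
    """(exit status, unresolvable --dports names) for one ERROR line,
    or None if the line is not an 'iptables ... returned X' error."""
    m = ACTION_ERROR.search(log_line)
    if not m:
        return None
    cmd = m.group("cmd")
    proto = re.search(r"-p (\w+)", cmd)
    dports = re.search(r"--dports (\S+)", cmd)
    bad = []
    if dports:
        bad = unresolvable_ports(dports.group(1), services,
                                 proto.group(1) if proto else "tcp")
    return exit_status(m.group("hex")), bad


if __name__ == "__main__":
    services = parse_services(SERVICES_EXCERPT)
    status, bad = explain_error(SAMPLE_ERROR, services)
    print("iptables exit status %d; unresolvable port names: %s" % (status, bad))
```

If the check names a port that is missing on your host, either replace it with the number in jail.local or add the service to /etc/services; an unresolvable name silently leaves the jail without its INPUT rule, and the "Invalid command" warnings for `set <jail> failregex` are what the client logs when the server could not take the command for that jail, so fix the jail errors first and re-check that the ban lines come back.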
#6  21st November 2008, 14:35
madmucho (Senior Member, Czech Republic, Karlovy Vary)
Hi

Ad Code 1: that is normal, but your fail2ban has no jail enabled, so it doesn't do anything.

Ad Code 2: that isn't normal; please check the configuration of your fail2ban jails and log paths.

Ad Code 3: connections from localhost are normal; those are ISPConfig service check attempts.

Try to configure and understand the fail2ban settings, enable only the rules you need, and add your IP to the ignoreip list :-) because you can be banned too while configuring and running tests :-).