#1
29th September 2009, 16:00
dclardy
Attacks on MTA

How can I prevent these? I configured the Fail2Ban using Falko's tutorial. I figure it is only a matter of time until they get in.

Code:
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:53 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:54 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:54 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 28 01:04:44 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 01:04:45 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 06:30:32 server1 postfix/smtpd[23691]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:44 server1 postfix/smtpd[23709]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:55 server1 postfix/smtpd[23711]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:07 server1 postfix/smtpd[23712]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:18 server1 postfix/smtpd[23719]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:30 server1 postfix/smtpd[23720]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:41 server1 postfix/smtpd[23721]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:53 server1 postfix/smtpd[23722]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:04 server1 postfix/smtpd[23723]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:16 server1 postfix/smtpd[23730]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:28 server1 postfix/smtpd[23731]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:39 server1 postfix/smtpd[23732]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:51 server1 postfix/smtpd[23733]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Any help would be appreciated. These are not being blocked by Fail2Ban.
#2
29th September 2009, 16:05
edge

They are not banned as you probably did not create a rule to do so.
Have a look at your jail.local, and create a rule for pop3d
#3
29th September 2009, 16:08
dclardy

This is the configuration for pop3 in fail2ban.

Code:
[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5
Here is the error in fail2ban:

Code:
2009-09-27 06:25:03,593 fail2ban.comm : WARNING Invalid command: ['add', 'courierpop3', 'polling']
#4
29th September 2009, 16:20
edge

Are you using courierpop3?

The rule that you need probably looks something like this (NOT TESTED!)

[pop3d]

enabled = true
port = pop3
filter = pop3d
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

Basically the rule scans your mail.log file for the text "pop3d: LOGIN FAILED", and logs the IP that is causing the LOGIN FAILED.
After a maxretry of 5 times fail2ban will kick in, and block that IP.

Make sure that you restart fail2ban after adding this.

Last edited by edge; 29th September 2009 at 16:25.
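Why the jails in this thread never fire on the posted log, as an added example that is not part of any post or of fail2ban itself: the failregex from post #4 is run against lines copied from the log in post #1, next to two hypothetical patterns written for the messages that actually appear. The `HOST` expression is a simplified stand-in for fail2ban's `<HOST>` tag, and findtime windowing is left out.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption): optional
# IPv4-mapped "::ffff:" prefix, then a dotted-quad address.
HOST = r"(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex proposed in post #4 of the thread.
THREAD_RULE = r"pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]"

# Hypothetical patterns for the two message formats present in the log.
CANDIDATE_RULES = [
    r"pop3d: Maximum connection limit reached for <HOST>$",
    r"postfix/smtpd\[\d+\]: warning: \S+\[<HOST>\]: SASL LOGIN authentication failed",
]

# Lines copied from the log posted in the thread (a short selection).
SAMPLE_LOG = """\
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 28 01:04:44 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 06:30:32 server1 postfix/smtpd[23691]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:44 server1 postfix/smtpd[23709]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:55 server1 postfix/smtpd[23711]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:07 server1 postfix/smtpd[23712]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:18 server1 postfix/smtpd[23719]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
"""

def hits_per_host(failregexes, log):
    """Count matching lines per captured host; each line counts at most once."""
    compiled = [re.compile(r.replace("<HOST>", HOST)) for r in failregexes]
    hits = Counter()
    for line in log.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def would_ban(failregexes, log, maxretry=5):
    """Hosts whose hit count reaches maxretry (findtime is ignored here)."""
    return sorted(h for h, n in hits_per_host(failregexes, log).items() if n >= maxretry)

if __name__ == "__main__":
    print(would_ban([THREAD_RULE], SAMPLE_LOG), would_ban(CANDIDATE_RULES, SAMPLE_LOG))
```

On the server itself, `fail2ban-regex /var/log/mail.log '<pattern>'` reports how many lines a pattern matches before it goes into a jail.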
#5
29th September 2009, 16:50
dclardy

It still does not work. Does anyone have a working jail.local file? I am using the Perfect Server Debian Lenny and ISPConfig 3.0.1.4. It would be a big help.

Thanks.

Last edited by dclardy; 29th September 2009 at 23:31.