BRUTE FORCE attack?

Discussion in 'Installation/Configuration' started by willoriker, Apr 8, 2020.

  1. willoriker

    willoriker Member

    we have a lot of problems with mail, and finally, we rebuilt a new server, and we began to work with it this Monday (2 days ago)
    but we still have problems with mail, and today I thought to read mail.log, and when I accessed the var folder, I found a huge file (split in 2 parts, mail.log and mail.log.1), sizes of 10 MB and 2 MB, and when I read it I found entries every FIVE seconds!!
    like this

    Apr 8 17:40:02 mnsvr postfix/smtpd[20610]: lost connection after CONNECT from localhost[::1]
    Apr 8 17:40:02 mnsvr postfix/smtpd[20610]: disconnect from localhost[::1] commands=0/0
    Apr 8 17:40:02 mnsvr dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<vdNEUMmiAOkAAAAAAAAAAAAAAAAAAAAB>
    Apr 8 17:40:02 mnsvr dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<l+REUMmiNtAAAAAAAAAAAAAAAAAAAAAB>
    Apr 8 17:40:11 mnsvr postfix/smtpd[20212]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
    Apr 8 17:40:11 mnsvr postfix/smtpd[20212]: connect from unknown[92.118.38.82]
    Apr 8 17:40:14 mnsvr postfix/smtpd[18461]: connect from unknown[45.142.195.2]
    Apr 8 17:40:22 mnsvr postfix/smtpd[18461]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:40:22 mnsvr postfix/smtpd[20212]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:40:22 mnsvr postfix/smtpd[20212]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 8 17:40:22 mnsvr postfix/smtpd[18461]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 8 17:40:36 mnsvr postfix/smtpd[20610]: connect from unknown[185.234.218.246]
    Apr 8 17:40:38 mnsvr postfix/smtpd[20610]: warning: unknown[185.234.218.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:40:38 mnsvr postfix/smtpd[20610]: disconnect from unknown[185.234.218.246] ehlo=1 auth=0/1 quit=1 commands=2/3
    Apr 8 17:40:45 mnsvr postfix/smtpd[18461]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
    Apr 8 17:40:45 mnsvr postfix/smtpd[18461]: connect from unknown[92.118.38.82]
    Apr 8 17:40:56 mnsvr postfix/smtpd[18461]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:40:56 mnsvr postfix/smtpd[18461]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 8 17:41:05 mnsvr postfix/smtpd[20212]: connect from unknown[45.142.195.2]
    Apr 8 17:41:13 mnsvr postfix/smtpd[20212]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:41:13 mnsvr postfix/smtpd[20212]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 8 17:41:19 mnsvr postfix/smtpd[18461]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
    Apr 8 17:41:19 mnsvr postfix/smtpd[18461]: connect from unknown[92.118.38.82]
    Apr 8 17:41:30 mnsvr postfix/smtpd[18461]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:41:32 mnsvr postfix/smtpd[18461]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 8 17:41:52 mnsvr postfix/smtpd[20610]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
    Apr 8 17:41:52 mnsvr postfix/smtpd[20610]: connect from unknown[92.118.38.82]
    Apr 8 17:41:56 mnsvr postfix/smtpd[20212]: connect from unknown[45.142.195.2]
    Apr 8 17:42:03 mnsvr postfix/smtpd[20610]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:42:03 mnsvr postfix/smtpd[20610]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 8 17:42:04 mnsvr postfix/smtpd[20212]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:42:05 mnsvr postfix/smtpd[20212]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 8 17:42:26 mnsvr postfix/smtpd[18461]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
    Apr 8 17:42:26 mnsvr postfix/smtpd[18461]: connect from unknown[92.118.38.82]
    Apr 8 17:42:37 mnsvr postfix/smtpd[18461]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:42:37 mnsvr postfix/smtpd[18461]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 8 17:42:47 mnsvr postfix/smtpd[20610]: connect from unknown[45.142.195.2]
    Apr 8 17:42:55 mnsvr postfix/smtpd[20610]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:42:55 mnsvr postfix/smtpd[20610]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 8 17:43:00 mnsvr postfix/smtpd[20212]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
    Apr 8 17:43:00 mnsvr postfix/smtpd[20212]: connect from unknown[92.118.38.82]
    Apr 8 17:43:11 mnsvr postfix/smtpd[20212]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 8 17:43:11 mnsvr postfix/smtpd[20212]: disconnect from unknown[92.118.38.82] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

    what can I do????
    is it an attempt to hack me?
    how can I block it?
    tx in advance
     
  2. budgierless

    budgierless Member

    have you got fail2ban installed?
     
  3. willoriker

    willoriker Member

    yes, I followed the perfect server guide. I checked, it's working (systemctl status fail2ban.service gives OK). can you tell me how to read (understand) the entries of mail.log?
    tx in advance
     
    Last edited: Apr 8, 2020
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The log files are really small, a huge log file would be gigabytes in size. So that's nothing to worry about.

    Nonetheless, you should check why fail2ban does not ban the failed login attempts. You should check the fail2ban log to see if you have any bans in there for the mail / smtp system.
     
  5. willoriker

    willoriker Member

    ok till, but this is my first time with fail2ban.log

    2020-04-08 21:27:10,172 fail2ban.filter [931]: INFO [sshd] Found 114.67.95.121 - 2020-04-08 21:27:10
    2020-04-08 21:27:12,878 fail2ban.filter [931]: INFO [sshd] Found 114.67.95.121 - 2020-04-08 21:27:12
    2020-04-08 21:27:19,018 fail2ban.filter [931]: INFO [sshd] Found 157.230.230.152 - 2020-04-08 21:27:18
    2020-04-08 21:27:19,019 fail2ban.filter [931]: INFO [sshd] Found 157.230.230.152 - 2020-04-08 21:27:18
    2020-04-08 21:27:19,640 fail2ban.actions [931]: NOTICE [sshd] Ban 157.230.230.152
    2020-04-08 21:27:20,625 fail2ban.filter [931]: INFO [sshd] Found 157.230.230.152 - 2020-04-08 21:27:20
    2020-04-08 21:27:40,348 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:27:40
    2020-04-08 21:27:40,352 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:27:40
    2020-04-08 21:27:42,104 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:27:42
    2020-04-08 21:28:19,751 fail2ban.actions [931]: NOTICE [sshd] Unban 139.217.96.76
    2020-04-08 21:28:57,687 fail2ban.filter [931]: INFO [sshd] Found 103.16.202.174 - 2020-04-08 21:28:57
    2020-04-08 21:28:57,689 fail2ban.filter [931]: INFO [sshd] Found 103.16.202.174 - 2020-04-08 21:28:57
    2020-04-08 21:29:00,396 fail2ban.filter [931]: INFO [sshd] Found 103.16.202.174 - 2020-04-08 21:28:59
    2020-04-08 21:29:23,868 fail2ban.actions [931]: NOTICE [sshd] Unban 123.143.3.45
    2020-04-08 21:29:38,867 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:29:38
    2020-04-08 21:29:38,869 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:29:38
    2020-04-08 21:29:38,898 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:29:38
    2020-04-08 21:29:38,901 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:29:38
    2020-04-08 21:29:40,506 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:29:40
    2020-04-08 21:29:40,854 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:29:40
    2020-04-08 21:30:04,446 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:30:04
    2020-04-08 21:30:04,449 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:30:04
    2020-04-08 21:30:07,155 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:30:06
    2020-04-08 21:30:10,693 fail2ban.filter [931]: INFO [sshd] Found 106.13.49.213 - 2020-04-08 21:30:10
    2020-04-08 21:30:10,696 fail2ban.filter [931]: INFO [sshd] Found 106.13.49.213 - 2020-04-08 21:30:10
    2020-04-08 21:30:10,704 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:30:10
    2020-04-08 21:30:10,708 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:30:10
    2020-04-08 21:30:11,155 fail2ban.actions [931]: NOTICE [sshd] Ban 106.13.49.213
    2020-04-08 21:30:13,415 fail2ban.filter [931]: INFO [sshd] Found 106.13.49.213 - 2020-04-08 21:30:13
    2020-04-08 21:30:13,416 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:30:13
    2020-04-08 21:31:51,002 fail2ban.filter [931]: INFO [sshd] Found 106.54.40.11 - 2020-04-08 21:31:51
    2020-04-08 21:31:51,006 fail2ban.filter [931]: INFO [sshd] Found 106.54.40.11 - 2020-04-08 21:31:51
    2020-04-08 21:31:53,712 fail2ban.filter [931]: INFO [sshd] Found 106.54.40.11 - 2020-04-08 21:31:53
    2020-04-08 21:32:15,756 fail2ban.filter [931]: INFO [sshd] Found 104.236.226.93 - 2020-04-08 21:32:15
    2020-04-08 21:32:15,759 fail2ban.filter [931]: INFO [sshd] Found 104.236.226.93 - 2020-04-08 21:32:15
    2020-04-08 21:32:18,465 fail2ban.filter [931]: INFO [sshd] Found 104.236.226.93 - 2020-04-08 21:32:17
    2020-04-08 21:32:30,974 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:32:30
    2020-04-08 21:32:30,977 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:32:30
    2020-04-08 21:32:31,394 fail2ban.actions [931]: NOTICE [sshd] Ban 106.13.139.111
    2020-04-08 21:32:32,875 fail2ban.filter [931]: INFO [sshd] Found 106.13.139.111 - 2020-04-08 21:32:32
    2020-04-08 21:32:52,287 fail2ban.filter [931]: INFO [sshd] Found 118.25.107.82 - 2020-04-08 21:32:52
    2020-04-08 21:32:54,993 fail2ban.filter [931]: INFO [sshd] Found 118.25.107.82 - 2020-04-08 21:32:54
    2020-04-08 21:33:03,461 fail2ban.actions [931]: NOTICE [sshd] Unban 183.63.172.108
    2020-04-08 21:33:41,603 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:33:41
    2020-04-08 21:33:41,609 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:33:41
    2020-04-08 21:33:43,585 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:33:43
    2020-04-08 21:34:07,887 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:34:07
    2020-04-08 21:34:07,889 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:34:07
    2020-04-08 21:34:08,180 fail2ban.actions [931]: NOTICE [sshd] Ban 139.217.96.76
    2020-04-08 21:34:09,495 fail2ban.filter [931]: INFO [sshd] Found 139.217.96.76 - 2020-04-08 21:34:09
    2020-04-08 21:34:13,571 fail2ban.filter [931]: INFO [sshd] Found 114.67.95.121 - 2020-04-08 21:34:13
    2020-04-08 21:34:15,607 fail2ban.filter [931]: INFO [sshd] Found 114.67.95.121 - 2020-04-08 21:34:15
    2020-04-08 21:34:16,207 fail2ban.actions [931]: NOTICE [sshd] Ban 114.67.95.121
    2020-04-08 21:34:23,952 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:34:23
    2020-04-08 21:34:25,992 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:34:25
    2020-04-08 21:34:28,499 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:34:28
    2020-04-08 21:34:28,502 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:34:28
    2020-04-08 21:34:28,841 fail2ban.actions [931]: NOTICE [sshd] Ban 220.76.205.178
    2020-04-08 21:34:30,601 fail2ban.filter [931]: INFO [sshd] Found 220.76.205.178 - 2020-04-08 21:34:30
    2020-04-08 21:35:40,173 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:35:39
    2020-04-08 21:35:40,174 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:35:39
    2020-04-08 21:35:40,973 fail2ban.actions [931]: NOTICE [sshd] Ban 123.143.3.45
    2020-04-08 21:35:41,780 fail2ban.filter [931]: INFO [sshd] Found 123.143.3.45 - 2020-04-08 21:35:41
    2020-04-08 21:36:08,758 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:36:08
    2020-04-08 21:36:08,761 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:36:08
    2020-04-08 21:36:09,025 fail2ban.actions [931]: NOTICE [sshd] Ban 139.217.227.32
    2020-04-08 21:36:11,469 fail2ban.filter [931]: INFO [sshd] Found 139.217.227.32 - 2020-04-08 21:36:10
    2020-04-08 21:36:59,120 fail2ban.actions [931]: NOTICE [sshd] Unban 129.28.165.178
    2020-04-08 21:37:01,139 fail2ban.actions [931]: NOTICE [sshd] Unban 106.54.139.117
    2020-04-08 21:37:19,182 fail2ban.actions [931]: NOTICE [sshd] Unban 157.230.230.152
    2020-04-08 21:37:23,381 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:37:22
    2020-04-08 21:37:23,383 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:37:22
    2020-04-08 21:37:25,169 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:37:25
    2020-04-08 21:37:35,782 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:37:35
    2020-04-08 21:37:35,783 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:37:35
    2020-04-08 21:37:37,884 fail2ban.filter [931]: INFO [sshd] Found 183.63.172.108 - 2020-04-08 21:37:37
    2020-04-08 21:37:38,427 fail2ban.actions [931]: NOTICE [sshd] Ban 183.63.172.108
    2020-04-08 21:37:38,863 fail2ban.filter [931]: INFO [sshd] Found 129.28.165.178 - 2020-04-08 21:37:38
    2020-04-08 21:37:38,864 fail2ban.filter [931]: INFO [sshd] Found 129.28.165.178 - 2020-04-08 21:37:38
    2020-04-08 21:37:40,606 fail2ban.filter [931]: INFO [sshd] Found 129.28.165.178 - 2020-04-08 21:37:40
    2020-04-08 21:38:56,385 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:38:56
    2020-04-08 21:38:56,387 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:38:56
    2020-04-08 21:38:58,274 fail2ban.filter [931]: INFO [sshd] Found 193.112.102.52 - 2020-04-08 21:38:58
    2020-04-08 21:39:08,959 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:39:08
    2020-04-08 21:39:08,963 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:39:08
    2020-04-08 21:39:09,188 fail2ban.actions [931]: NOTICE [sshd] Ban 106.54.139.117
    2020-04-08 21:39:10,832 fail2ban.filter [931]: INFO [sshd] Found 106.54.139.117 - 2020-04-08 21:39:10
    2020-04-08 21:40:11,303 fail2ban.actions [931]: NOTICE [sshd] Unban 106.13.49.213

    what is the meaning of the "unban" lines??
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    It means the ban time is up, so fail2ban removed the temporary ban. You can create more jails with other settings to block repeated offenders longer, and/or look into using the recidive jail.
     
    Last edited: Apr 9, 2020
  7. Steini86

    Steini86 Active Member

    In the standard settings the ban time is quite short. (If you have a lot of users and they have a problem with their client, you don't want to ban them too long). If you know your users and they have correctly set up their clients, then you could increase the ban time. For example, for SSH I block for a week after 2nd try (all users use keyfiles) and for mail 2 days. If a user has a problem I know they call me and I could unban them manually. But that depends on your setup / usage of the server.

    For global settings see: /etc/fail2ban/jail.conf
    Do your changes in: /etc/fail2ban/jail.local
    For example:
    Code:
    [postfix-sasl]
    enabled  = true
    port     = smtp,ssmtp,submission
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry = 4
    bantime = 48h
    You can also have a look at the ipset-blacklist project to block botnets etc. proactively in the firewall:
    https://github.com/trick77/ipset-blacklist
    Be aware that this can lead to false positives (blocking your users) if you do not select the blocklists carefully.
     
  8. recin

    recin Member

    It seems you only have fail2ban to block ssh attacks.
    You can use fail2ban-client status to see active jails. Then you can see the IPs blocked in a jail with fail2ban-client status jailname, i.e. fail2ban-client status sshd
     
  9. willoriker

    willoriker Member

    thanks for your two concepts, you are right, and now I have learned 2 new things. I tried "fail2ban-client status" with postfix, dovecot and pure-ftpd, but I only see ban info in the sshd section

    Status for the jail: sshd
    |- Filter
    | |- Currently failed: 0
    | |- Total failed: 0
    | `- File list: /var/log/auth.log
    `- Actions
    |- Currently banned: 6
    |- Total banned: 7
    `- Banned IP list: 103.40.247.105 104.211.216.173 106.13.18.86 178.128.56.89 49.234.108.12 65.97.0.208

    but in the other option

    Status for the jail: postfix (similar in dovecot and pure-ftpd)
    |- Filter
    | |- Currently failed: 0
    | |- Total failed: 0
    | `- File list: /var/log/mail.log
    `- Actions
    |- Currently banned: 0
    |- Total banned: 0
    `- Banned IP list:

    but I activated it in /etc/fail2ban/jail.local

    with your settings (copy and paste) [I had a POSTFIX section, not POSTFIX-SASL]
    but after reboot, same info in "fail2ban-client status" & if I check mail.log, I see the same entries (after reboot with new settings)
    Apr 9 14:36:52 mnsvr postfix/smtpd[1734]: connect from unknown[141.98.10.141]
    Apr 9 14:36:54 mnsvr postfix/smtpd[1734]: warning: unknown[141.98.10.141]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 9 14:36:54 mnsvr postfix/smtpd[1734]: disconnect from unknown[141.98.10.141] ehlo=1 auth=0/1 quit=1 commands=2/3
    Apr 9 14:36:54 mnsvr postfix/smtpd[1708]: warning: hostname ip-38-66.ZervDNS does not resolve to address 92.118.38.66: Name or service not known
    Apr 9 14:36:54 mnsvr postfix/smtpd[1708]: connect from unknown[92.118.38.66]
    Apr 9 14:37:01 mnsvr postfix/smtpd[2182]: warning: hostname ip-38-82.ZervDNS does not resolve to address 92.118.38.82: Name or service not known
    Apr 9 14:37:01 mnsvr postfix/smtpd[2182]: connect from unknown[92.118.38.82]
    Apr 9 14:37:01 mnsvr postfix/smtpd[1708]: warning: unknown[92.118.38.66]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 9 14:37:01 mnsvr postfix/smtpd[1708]: disconnect from unknown[92.118.38.66] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 9 14:37:03 mnsvr postfix/smtpd[1734]: connect from unknown[45.142.195.2]
    Apr 9 14:37:11 mnsvr postfix/smtpd[1734]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 9 14:37:11 mnsvr postfix/smtpd[1734]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 9 14:37:12 mnsvr postfix/smtpd[2182]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    why do these data repeat so often? is it a user or a password? "UGFzc3dvcmQ6"
    tx in advance
     
  10. nhybgtvfr

    nhybgtvfr Active Member

    they're not repeating all that often....

    Apr 9 14:37:03 mnsvr postfix/smtpd[1734]: connect from unknown[45.142.195.2]
    Apr 9 14:37:11 mnsvr postfix/smtpd[1734]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Apr 9 14:37:11 mnsvr postfix/smtpd[1734]: disconnect from unknown[45.142.195.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 9 14:37:12 mnsvr postfix/smtpd[2182]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

    all of that is only the logging for one single login attempt from that ip.
    you're going to get very used to seeing that in the mail log file. there will be lots of them.

    each set of log entries like above will result in a line like
    2020-04-08 21:38:56,385 fail2ban.filter [931]: INFO [postfix-sasl] Found 45.142.192.2 - 2020-04-08 21:38:56

    in your /var/log/fail2ban.log file.

    notice they're timestamped, fail2ban will have a default findtime in jail.conf (or you can set a different time in each jail) e.g. 10 minutes.
    if the number of times the ip is found exceeds the maxretry setting, within the specified findtime period, it will ban the ip for whatever time period is set in bantime.

    the ban is only logged in the fail2ban log, you won't see anything about it in the mail.log, you won't even see new entries like
    Apr 9 14:37:03 mnsvr postfix/smtpd[1734]: connect from unknown[45.142.195.2]
    for that banned ip being added to your mail.log file whilst the ban is in place.

    if you're only seeing, e.g. one or two login attempts from a specific ip in any, say, 15 minute period, it's not going to get banned, well, not unless you're being extremely draconian on allowing failed login attempts.
     
    Last edited: Apr 9, 2020
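    As an added illustration of the maxretry / findtime / bantime counting described above (and of the "UGFzc3dvcmQ6" token asked about later in the thread), here is a small Python replay of that rule over constructed mail.log lines. It is example code written for this page, not part of fail2ban or of any post; the year 2020, the IPs and the timestamps are assumed and made up.

```python
import base64
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the thread's mail.log format (IPs and times
# are made up for this example; they are not taken from the posts above).
SAMPLE_LOG = """\
Apr 9 14:00:00 mnsvr postfix/smtpd[1700]: warning: unknown[185.234.218.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:04:00 mnsvr postfix/smtpd[1700]: warning: unknown[185.234.218.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:11:00 mnsvr postfix/smtpd[1700]: warning: unknown[185.234.218.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:16:00 mnsvr postfix/smtpd[1700]: warning: unknown[185.234.218.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:36:54 mnsvr postfix/smtpd[1734]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:37:01 mnsvr postfix/smtpd[1708]: warning: unknown[92.118.38.82]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:37:11 mnsvr postfix/smtpd[1734]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:40:03 mnsvr postfix/smtpd[1734]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:42:30 mnsvr postfix/smtpd[1734]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 9 14:43:00 mnsvr postfix/smtpd[1734]: warning: unknown[45.142.195.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# One failed SASL login as Postfix logs it; the trailing token is captured too.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed: "
    r"(?P<blob>\S+)"
)

def parse_ts(ts, year=2020):
    """syslog lines carry no year; 2020 (the thread's year) is assumed here."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def decode_sasl_blob(blob):
    """Return the decoded SASL token, or None if it is not valid base64 text."""
    try:
        return base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def find_bans(lines, maxretry=4, findtime=600, bantime=48 * 3600):
    """Replay fail2ban's counting rule over mail.log lines.

    An IP is banned once it reaches maxretry failures inside a sliding
    findtime window (seconds). While its ban lasts, its lines are skipped,
    as the firewall would drop the connection. Returns {ip: first ban time}.
    """
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned_until = {}            # ip -> when its current ban expires
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        if ip in banned_until and t < banned_until[ip]:
            continue
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() >= findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            bans.setdefault(ip, t)
            banned_until[ip] = t + timedelta(seconds=bantime)
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"Ban {ip} at {when}")
    # The trailing token is Postfix echoing the SASL prompt, not a credential.
    print(decode_sasl_blob("UGFzc3dvcmQ6"))  # Password:
```

    With the defaults, only 45.142.195.2 reaches four failures inside ten minutes; 185.234.218.246 also fails four times but spread over more than findtime, so it is never banned, which is the "one or two attempts per 15 minutes" case described above.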
  11. willoriker

    willoriker Member

    tx so much. the only question that remains is "UGFzc3dvcmQ6"? what is this code?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Google it :)
     
  13. nhybgtvfr

    nhybgtvfr Active Member

    he might find a Password if he does that... :p
     
  14. willoriker

    willoriker Member

    tx, I never imagined that this code was a standard code, I thought it was a random password!!
     