lost connection after AUTH log files

Posted by: RobPatton in Linux/Hosting, 22 Apr

The Problem

In the past 30 days, I've seen over 140,000 of these entries from many unique IPs, which looks like either a DoS attempt or password-guessing bots. Annoying, especially since all my passwords are at least 12 random characters.

Top 10 values (source IP)   Count   %
162.17.140.61               8,259   5.844%
212.237.47.114              4,583   3.243%
185.227.108.10              1,560   1.104%
192.154.213.123             1,434   1.015%
110.87.25.235               1,356   0.96%
120.35.102.81               1,356   0.96%
117.69.231.207              1,332   0.942%
183.164.244.109             1,327   0.939%
117.69.230.159              1,297   0.918%
117.69.230.216              1,288   0.911%

In /var/log/maillog

Apr 22 07:43:21 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:19 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:17 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:14 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:08 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:06 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:04:24 webhost postfix/smtpd[29802]: lost connection after HELO from unknown[119.86.182.130]
Apr 22 06:35:16 webhost postfix/smtpd[18488]: lost connection after UNKNOWN from unknown[93.174.93.46]

The Fix

Add to /etc/fail2ban/jail.local:

[postfix-auth]
enabled = true
filter = postfix.auth
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/maillog
bantime = 21600
maxretry = 3

Create /etc/fail2ban/filter.d/postfix.auth.conf

[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
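To see what this filter actually does before enabling the jail, the following is an added example (not code from the post or from fail2ban) that replays the failregex over the maillog excerpt above and emulates the jail's maxretry/findtime decision. It assumes fail2ban's <HOST> tag expands to a plain IPv4 capture group (the real tag also matches IPv6 and hostnames), assumes the log year is 2018 because syslog timestamps carry none, and appends two constructed lines for a second host (203.0.113.7, from the documentation range) so that the threshold logic has a below-limit case to show:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Stand-in for fail2ban's <HOST> tag: an IPv4 address captured as "host".
# (Assumption: the real tag also accepts IPv6 and hostnames.)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from postfix.auth.conf with <HOST> expanded as fail2ban would.
FAILREGEX = re.compile(r"lost connection after AUTH from (.*)\[" + HOST + r"\]")

# Syslog timestamp at the head of every maillog line, e.g. "Apr 22 07:43:21".
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Sample input: the lines quoted in the post plus two constructed lines
# for 203.0.113.7, which stays below maxretry=3.
SAMPLE_LOG = """\
Apr 22 07:43:21 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:19 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:17 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:14 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:08 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:06 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:04:24 webhost postfix/smtpd[29802]: lost connection after HELO from unknown[119.86.182.130]
Apr 22 06:35:16 webhost postfix/smtpd[18488]: lost connection after UNKNOWN from unknown[93.174.93.46]
Apr 22 07:50:01 webhost postfix/smtpd[13001]: lost connection after AUTH from unknown[203.0.113.7]
Apr 22 07:50:05 webhost postfix/smtpd[13001]: lost connection after AUTH from unknown[203.0.113.7]
""".splitlines()


def parse_time(ts, year=2018):
    """Syslog timestamps have no year; 2018 is assumed from the post's date."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def auth_failures(lines):
    """Return (timestamp, host) for each line the failregex matches.
    HELO/UNKNOWN disconnects are deliberately not matched, just as in the filter."""
    hits = []
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        t = TIMESTAMP.match(line)
        hits.append((parse_time(t.group("ts")), m.group("host")))
    return hits


def top_hosts(lines, n=10):
    """Rebuild the 'Top 10 values' table: (host, count, percent of matches)."""
    counts = Counter(host for _, host in auth_failures(lines))
    total = sum(counts.values())
    return [(h, c, round(100 * c / total, 3)) for h, c in counts.most_common(n)]


def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Emulate the jail: a host is banned once it has maxretry matches inside
    any sliding window of findtime seconds (600 s is fail2ban's default findtime)."""
    by_host = defaultdict(list)
    for ts, host in sorted(auth_failures(lines)):  # log excerpt is newest-first
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        for i in range(maxretry - 1, len(times)):
            if (times[i] - times[i - maxretry + 1]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for host, count, pct in top_hosts(SAMPLE_LOG):
        print(f"{host:<16} {count:>6} {pct}%")
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

The same check against the live log is what `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.auth.conf` reports; if it shows zero matches, the <HOST> tag is the first thing to verify, since a regex that ends in a literal `\[\]` never matches a real line.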

Problem Solved!

This entry was posted on Sunday, April 22nd, 2018 at 7:46 am and is filed under Linux/Hosting.