
Thousands of login attempts


@lbutlr

Mar 20, 2016, 2:12:23 PM
I have many thousands of these over the last seven days:

Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

They are all the exact same, including the UGF… portion.

Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from [185.103.253.246]:61153 to [65.121.55.45]:25
Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD [185.103.253.246]:61153
Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

I mean, nothing is getting in, but there are thousands of these, 2000 yesterday, and today there are over 3400 so far, and it’s barely even noon. The first day there were 700, and it’s just ramped up since then.

/etc/hosts.allow:
ALL : 185.103.253.246 : DENY

Has no effect.

--
'You make us want what we can't have and what you give us is worth
nothing and what you take is everything and all there is left for us is
the cold hillside, and emptiness, and the laughter of the elves.'

/dev/rob0

Mar 20, 2016, 2:23:20 PM
On Sun, Mar 20, 2016 at 12:11:57PM -0600, @lbutlr wrote:
> I have many thousands of these over the last seven days:
>
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning:
> unknown[185.103.253.246]: SASL LOGIN authentication failed:
> UGFzc3dvcmQ6
>
> They are all the exact same, including the UGF… portion.
>
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

One minor comment: I would not even offer AUTH on port 25.

> I mean, nothing is getting in, but there are thousands of these,
> 2000 yesterday, and today there are over 3400 so far, and it’s
> barely even noon. The first day there were 700, and it’s just
> ramped up since then.
>
> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.

I'd suggest either blocking it in the firewall or adding to
postscreen_access_list ( postconf.5.html#postscreen_access_list ).
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Wolfe, Robert

Mar 20, 2016, 2:27:12 PM
Um, perhaps you should utilize some sort of DNS blacklist, which is what my setup here does.

If not, then you might want to try relocating what you put into your /etc/hosts.allow file to your /etc/hosts.deny file.

I would also recommend utilizing fail2ban -- http://theether.net/kb/100141


On Sunday, March 20, 2016 13:11 CDT, "@lbutlr" <kre...@kreme.com> wrote:

> I have many thousands of these over the last seven days:
>
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
> They are all the exact same, including the UGF… portion.
>
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
>
> I mean, nothing is getting in, but there are thousands of these, 2000 yesterday, and today there are over 3400 so far, and it’s barely even noon. The first day there were 700, and it’s just ramped up since then.
>
> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.
>

@lbutlr

Mar 20, 2016, 2:48:40 PM
On Sun Mar 20 2016 12:23:00 /dev/rob0 <ro...@gmx.co.uk> said:
>
> On Sun, Mar 20, 2016 at 12:11:57PM -0600, @lbutlr wrote:
>> I have many thousands of these over the last seven days:
>>
>> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning:
>> unknown[185.103.253.246]: SASL LOGIN authentication failed:
>> UGFzc3dvcmQ6
>>
>> They are all the exact same, including the UGF… portion.
>>
>> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from [185.103.253.246]:61153 to [65.121.55.45]:25
>> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD [185.103.253.246]:61153
>> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from unknown[185.103.253.246]
>> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
>
> One minor comment: I would not even offer AUTH on port 25.

I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail submissions have to be on port 587.

>> I mean, nothing is getting in, but there are thousands of these,
>> 2000 yesterday, and today there are over 3400 so far, and it’s
>> barely even noon. The first day there were 700, and it’s just
>> ramped up since then.
>>
>> /etc/hosts.allow:
>> ALL : 185.103.253.246 : DENY
>>
>> Has no effect.
>
> I'd suggest either blocking it in the firewall or adding to
> postscreen_access_list ( postconf.5.html#postscreen_access_list ).

Oh, yes, I completely forgot about that.

postscreen_access_cidr
185.103.253.246 reject

$ postmap -q 185.103.253.246 cidr:/usr/local/etc/postfix/postscreen_access.cidr
reject

But they still keep coming.

$ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
Sun Mar 20 12:43:33 MDT 2016
Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6


--
Don't ride in anything with a Capissen-38 engine, they fall right out of
the sky

@lbutlr

Mar 20, 2016, 2:53:01 PM
On Sun Mar 20 2016 12:47:32 @lbutlr <@lbutlr> said:
>
> postscreen_access_cidr
> 185.103.253.246 reject
>
> $ postmap -q 185.103.253.246 cidr:/usr/local/etc/postfix/postscreen_access.cidr
> reject
>
> But they still keep coming.
>
> $ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
> Sun Mar 20 12:43:33 MDT 2016
> Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Oh, also

$ postconf -n config_directory
$ postconf -d config_directory
config_directory = /usr/local/etc/postfix


--
"I don't think the kind of friends I'd have would care."

@lbutlr

Mar 20, 2016, 2:59:27 PM
On Sun Mar 20 2016 12:47:32 @lbutlr <@lbutlr> said:
>
> But they still keep coming.
>
> $ date && grep UGFzc3dvcmQ6 /var/log/maillog | tail -1
> Sun Mar 20 12:43:33 MDT 2016
> Mar 20 12:43:31 mail postfix/smtpd[28552]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Mar 20 12:55:37 mail postfix/postscreen[29826]: CONNECT from [185.103.253.246]:50804 to [65.121.55.45]:25
Mar 20 12:55:37 mail postfix/postscreen[29826]: BLACKLISTED [185.103.253.246]:50804
Mar 20 12:55:37 mail postfix/postscreen[29826]: PASS OLD [185.103.253.246]:50804
Mar 20 12:55:37 mail postfix/smtpd[29832]: connect from unknown[185.103.253.246]
Mar 20 12:55:47 mail postfix/smtpd[29832]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 12:55:47 mail postfix/smtpd[29832]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 12:55:47 mail postfix/smtpd[29832]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2


So, they show blacklisted on postscreen, but still hit smtpd with the same message filling the logs. Sigh.



--
You only had to look into Teatime's mismatched eyes to know one thing,
which was this: if Teatime wanted to find you he would not look
everywhere. He'd look in only one place, which would be the place where
you were hiding. --Hogfather

@lbutlr

Mar 20, 2016, 3:10:37 PM
On Sun Mar 20 2016 12:59:08 @lbutlr <kre...@kreme.com> said:
>
> Mar 20 12:55:37 mail postfix/postscreen[29826]: BLACKLISTED [185.103.253.246]:50804

Stopped postfix, removed the postscreen_cache file and restarted postfix.

Mar 20 13:03:59 mail postfix/postscreen[30633]: BLACKLISTED [185.103.253.246]:51950
Mar 20 13:03:59 mail postfix/dnsblog[30638]: addr 185.103.253.246 listed by domain dnsbl-2.uceprotect.net as 127.0.0.2
Mar 20 13:04:03 mail postfix/postscreen[30633]: PASS NEW [185.103.253.246]:51950
Mar 20 13:04:03 mail postfix/smtpd[30660]: connect from unknown[185.103.253.246]

And then

Mar 20 13:04:35 mail postfix/smtpd[30660]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:04:35 mail postfix/smtpd[30660]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 13:04:35 mail postfix/smtpd[30660]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
Mar 20 13:04:38 mail postfix/postscreen[30633]: CONNECT from [185.103.253.246]:55822 to [65.121.55.42]:25
Mar 20 13:04:38 mail postfix/postscreen[30633]: BLACKLISTED [185.103.253.246]:55822
Mar 20 13:04:38 mail postfix/postscreen[30633]: PASS OLD [185.103.253.246]:55822
Mar 20 13:04:48 mail postfix/smtpd[30702]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:04:48 mail postfix/smtpd[30702]: lost connection after AUTH from unknown[185.103.253.246]
Mar 20 13:04:48 mail postfix/smtpd[30702]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2

So, no matter what I try to do, the IP comes back, is added to postscreen_cache and is handed off to smtpd. All I seem to have accomplished is adding one more log line to the process that is currently hitting every 13-35 seconds.

$ postconf -d mail_version
mail_version = 3.0.3

--
Try to realize it's all within yourself/No one else can make you change

Wilfrie...@essignetz.de

Mar 20, 2016, 3:21:34 PM
Did you try postscreen_blacklist_action
(http://www.postfix.org/postconf.5.html#postscreen_blacklist_action)

Default is "ignore"

Willi

Wietse Venema

Mar 20, 2016, 3:47:19 PM
@lbutlr:
> I mean, nothing is getting in, but there are thousands of these, 2000

Then why do you care? They are using 1% of your CPU?

Wietse

/dev/rob0

Mar 20, 2016, 3:49:24 PM
On Sun, Mar 20, 2016 at 08:21:16PM +0100, Wilfrie...@essignetz.de wrote:
> Did you try postscreen_blacklist_action
> (http://www.postfix.org/postconf.5.html#postscreen_blacklist_action)
>
> Default is "ignore"

Yes, and probably what the OP wants to set is "drop". If set as
"enforce" you'll get the full dialog with postscreen and multiple
lines logged. With "drop" it will be dropped in lieu of giving a
banner.

@lbutlr

Mar 20, 2016, 4:09:12 PM
I've been in the logs a lot the last few days, and having these every few seconds has been a constant, albeit minor, annoyance.

--
This is my signature. There are many like it, but this one is mine.

Chalmers

Mar 20, 2016, 4:11:37 PM
Putting the IP in your firewall blacklist is what I did; then you don't even see them, as they are blocked at the gate. I extracted all such addresses from my logs, sorted them unique, and added them to the firewall blacklist.
Gone.
I know there will always be others, but revenge is sweet .....


-----
From my iPhone.


> On 20 Mar 2016, at 6:11 pm, @lbutlr <kre...@kreme.com> wrote:
>
> I have many thousands of these over the last seven days:
>
> Mar 20 10:45:27 mail postfix/smtpd[19480]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
>
> They are all the exact same, including the UGF… portion.
>
> Mar 20 10:48:34 mail postfix/postscreen[75523]: CONNECT from [185.103.253.246]:61153 to [65.121.55.45]:25
> Mar 20 10:48:34 mail postfix/postscreen[75523]: PASS OLD [185.103.253.246]:61153
> Mar 20 10:48:34 mail postfix/smtpd[19790]: connect from unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Mar 20 10:48:36 mail postfix/smtpd[19683]: lost connection after AUTH from unknown[185.103.253.246]
> Mar 20 10:48:36 mail postfix/smtpd[19683]: disconnect from unknown[185.103.253.246] ehlo=1 auth=0/1 commands=1/2
>
> I mean, nothing is getting in, but there are thousands of these, 2000 yesterday, and today there are over 3400 so far, and it’s barely even noon. The first day there were 700, and it’s just ramped up since then.
>
> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.
>

Dimitar Katerinski

Mar 20, 2016, 5:46:39 PM

@lbutlr wrote:
> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.
>
I would suggest using your firewall utility to block this on the TCP/IP
level. If you are running Postfix under Linux,
the following iptables command should block this IP from accessing your
smtp service on port 25:
iptables -I INPUT -s 185.103.253.246 -p tcp --dport 25 -j DROP

As someone already suggested - have a look at fail2ban.

Cheers,
Dimitar

Christian Kivalo

Mar 20, 2016, 6:02:41 PM
>> One minor comment: I would not even offer AUTH on port 25.
>
>I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>submission have to be on port 587.

You do.

valo@uschi:~ $ telnet mail.covisp.net 25
Trying 65.121.55.42...
Connected to mail.covisp.net.
Escape character is '^]'.
220-mail.covisp.net ESTMP -- Please wait
220 mail.covisp.net ESMTP Postfix 3.0.3
ehlo test.local.host
250-mail.covisp.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

See the two lines offering auth on port 25. You should disable auth on port 25.

--
Christian

Curtis Villamizar

Mar 20, 2016, 7:30:11 PM
In message <0F3F9E7A-F0DA-400A...@valo.at>
As in "smtpd_sasl_auth_enable = no".

> --
> Christian


Plain and login AUTH are particularly dangerous since they send
passwords in the clear. See if you can find another method:
http://cyrusimap.web.cmu.edu/sasl/authentication_mechanisms.html
http://wiki.dovecot.org/Authentication/Mechanisms

With AUTH PLAIN LOGIN and no TLS, anyone logging in over public WiFi
(or non-switched ethernet, where such a thing still exists) is
exposing their user ID and password to others snooping on the WiFi.
That could be really bad for people who use the same password for
everything (terrible practice but all too common).

btw- Even with TLS, unless client certs are used anyone can connect
and try brute force password guessing, which is what appears to be
happening. When presented with STARTTLS and no AUTH most attacks
just go away and don't keep retrying.

I suggest that if it won't break clients (if they can use TLS) use
"smtpd_tls_security_level = yes" on port 587 (which implies
"smtpd_tls_auth_only = yes"). Use "smtpd_sasl_auth_enable = no" on
port 25 even if it means clients have to change configs. Plus set
smtp_sasl_mechanism_filter to something more reasonable if it doesn't
break clients to do so (and/or change mech_list in cyrus sasl conf).
For example "smtpd_sasl_security_options = noanonymous, noplaintext".
Client certs would be nice but a large number of client certs can be a
headache to keep track of and hard to get into users' client MUAs.

Filters limiting access to port 587 can then be applied a lot more
strictly than filters on port 25 could be.

Curtis

@lbutlr

Mar 20, 2016, 7:59:52 PM
On Sun Mar 20 2016 16:01:44 Christian Kivalo <ml+postf...@valo.at> said:
>
>>> One minor comment: I would not even offer AUTH on port 25.
>>
>> I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>> submission have to be on port 587.
>
> You do.

Oh, that is right, I forgot I had to enable that temporarily for someone. I think temporarily has passed.

Port 25 shouldn’t even allow STARTTLS, IIRC.

--
ARE YOU FAMILIAR WITH THE WORDS 'DEATH WAS HIS CONSTANT COMPANION'? 'But
I don't usually see you!'

@lbutlr

Mar 20, 2016, 8:00:50 PM
On Sun Mar 20 2016 16:00:10 Sebastian Nielsen <seba...@sebbe.eu> said:
>
> I would instead suggest the opposite way around, use whitelisting instead.

That doesn’t work. One of my most important customers travels all over the world and may be connecting from quite literally anywhere but North Korea.

Setting the default action to drop, on the other hand, has worked. Nothing in the logs since 14:20.

--
Indecision is the key to flexibility.

Christian Kivalo

Mar 21, 2016, 2:44:24 AM


On 21 March 2016 00:59:36 CET, "@lbutlr" <kre...@kreme.com> wrote:
>On Sun Mar 20 2016 16:01:44 Christian Kivalo <ml+postf...@valo.at>
>said:
>>
>>>> One minor comment: I would not even offer AUTH on port 25.
>>>
>>> I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>>> submission have to be on port 587.
>>
>> You do.
>
>Oh, that is right, I forgot I had to enable that temporarily for
>someone. I think temporarily has passed.
>
>Port 25 shouldn’t even allow STARTTLS, IIRC.
I don't agree. Offering opportunistic TLS on port 25 gives the sending party the choice to use the encrypted channel. There is no harm in offering starttls on port 25.

-- Christian

Brett

Mar 21, 2016, 7:15:34 AM
On 2016-03-20 16:46, Dimitar Katerinski wrote:
> @lbutlr wrote:
>> /etc/hosts.allow:
>> ALL : 185.103.253.246 : DENY
>>
>> Has no effect.

hosts.allow and hosts.deny only work for programs that have been
compiled with TCP wrapper support. Typically this is limited to telnet,
ftp and inetd super daemon type services.

>>
> I would suggest using your firewall utility to block this on tcp/ip
> level. If you are running Postfix under Linux
> the following iptables command should block this IP to accessing your
> smtp service on port 25:
> iptables - I INPUT -s 185.103.253.246 -p tcp --dport 25 -j DROP
>
> As someone already suggested - have a look at fail2ban.

I second using the IP tables and fail2ban approach. Once properly
configured, fail2ban can monitor the postfix / dovecot logs and
automatically block offending IP addresses in the firewall rules after a
preset number of failed login attempts. At first, I block the offending
IP address after 3 failed attempts in a 1 hour period. I then
permanently block any IP address that gets blocked 3 times in a 48 hour
period. I use this on several mail systems I support and it has greatly
reduced the number of failed login attempts. The only downside is at
first, my user base sometimes locked themselves out. I have whitelisted
the main IP addresses my clients use. After about 6 months, the users
have become better about logging in, and I haven't had a lock out
complaint since.

>
> Cheers,
> Dimitar

---
Brett
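An added example, not code from anyone in this thread, that applies two of the observations above to constructed log lines modelled on the ones posted: it decodes the UGFzc3dvcmQ6 token the OP asks about (the base64 of the server's "Password:" challenge), flags clients that postscreen logged as BLACKLISTED yet still handed to smtpd (what the default postscreen_blacklist_action = ignore does, as /dev/rob0 explains), and applies Brett's fail2ban rule of three failures within one hour to pick addresses to block. The second client address, 198.51.100.7, is a documentation-range placeholder, and the year is assumed because syslog timestamps carry none.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on this thread's maillog lines; 198.51.100.7 is a placeholder.
SAMPLE_LOG = """\
Mar 20 12:55:37 mail postfix/postscreen[29826]: BLACKLISTED [185.103.253.246]:50804
Mar 20 12:55:37 mail postfix/postscreen[29826]: PASS OLD [185.103.253.246]:50804
Mar 20 12:55:47 mail postfix/smtpd[29832]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 12:56:10 mail postfix/smtpd[29840]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 12:56:31 mail postfix/smtpd[29841]: warning: unknown[185.103.253.246]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 20 13:30:00 mail postfix/smtpd[29900]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
SASL_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: "
                     r"SASL \w+ authentication failed: (\S+)")
PS_RE = re.compile(TS + r" \S+ postfix/postscreen\[\d+\]: "
                   r"(BLACKLISTED|PASS OLD|PASS NEW) \[([\d.]+)\]:\d+")

def decode_sasl_token(token):
    """The trailing token is the last SASL server challenge, base64-encoded."""
    return base64.b64decode(token).decode("ascii", "replace")

def analyze(log, year=2016):
    """Group SASL failures per client IP and record clients that postscreen
    logged as BLACKLISTED but still passed to smtpd, which is what the
    default postscreen_blacklist_action = ignore does (drop stops it)."""
    failures = defaultdict(list)
    blacklisted, passed_after_blacklist = set(), set()
    for line in log.splitlines():
        m = SASL_RE.match(line)
        if m:
            # syslog lines have no year, so one is assumed for the timestamp
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            failures[m.group(2)].append(ts)
            continue
        m = PS_RE.match(line)
        if m:
            verdict, ip = m.group(2), m.group(3)
            if verdict == "BLACKLISTED":
                blacklisted.add(ip)
            elif ip in blacklisted:
                passed_after_blacklist.add(ip)
    return {"failures": dict(failures), "passed_after_blacklist": passed_after_blacklist}

def ips_to_block(analysis, threshold=3, window=timedelta(hours=1)):
    """fail2ban-style rule from the thread: block an IP once it has `threshold`
    failures inside any `window`-long interval (sliding window over sorted times)."""
    block = set()
    for ip, times in analysis["failures"].items():
        times = sorted(times)
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                block.add(ip)
                break
    return block
```

Run against a real maillog, the "passed_after_blacklist" set is empty once postscreen_blacklist_action is set to drop, because those clients never reach smtpd.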

Bill Cole

Mar 22, 2016, 8:35:47 PM
On 20 Mar 2016, at 14:11, @lbutlr wrote:

> /etc/hosts.allow:
> ALL : 185.103.253.246 : DENY
>
> Has no effect.

For /etc/hosts.{allow,deny} files to have any effect on network access
to a program, the program must support the TCP Wrappers facility by
linking to libwrap OR be wrapped by the tcpd access control facility.
Postfix explicitly offers no such support (see the "COMPATIBILITY" file
in the top level of the source distribution.)
