On Tue, Sep 29, 2015 at 02:30:47PM -0700, Gao wrote:
> Hello, all
>
> I have the postfix-sasl jail enabled and it works well against attack, such as
> "Failed login".
>
> I just noticed that my email server's maillog is flooded with this:
> ...
> Sep 29 14:19:21 szeta postfix/smtpd[19940]: connect from
> ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[19940]: lost connection after AUTH from
> ns3366447.ip-37-187-77.eu[37.187.77.147]
> Sep 29 14:19:22 szeta postfix/smtpd[19940]: disconnect from
> ns3366447.ip-37-187-77.eu[37.187.77.147]

"Lost connection after AUTH" means that postfix sent "AUTH" to the client, and
the client disconnected. In other words, the client probably attempted some
action which you've configured that only authorized users can perform (usually,
this is something like sending mail to a different server (relaying)). Postfix
said "authorize yourself in order to perform this action", and the client just
dropped the connection (rather than cleanly quitting and waiting for postfix to
close the connection). In other words, no authorization was attempted.

I suspect that fail2ban doesn't block this normally because it's not really bad
behaviour. It's akin to someone connecting to your SSH port and disconnecting
upon finding that it's asking for a password :)

> ...
>
> And the fail2ban does nothing about this! No new entry about this in
> fail2ban.log. The attack is still going and I am going to manually kill it in
> iptables.
>
> What should I do about this in fail2ban? Please help.
>
> Thanks.
>
> Gao
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
For more information, please reread.
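
For anyone who wants to measure how often a client produces the "lost connection after AUTH" line quoted above, here is an added example (not part of the original thread and not fail2ban's own code) that matches that log format and reports addresses reaching a threshold inside a sliding time window. The names `find_offenders`, `max_retry` and `find_time`, the thresholds, and the sample log lines and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the postfix/smtpd line format quoted in the post (one event per line).
LOST_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[(?P<ip>[0-9A-Fa-f:.]+)\]\s*$"
)

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
Sep 29 14:19:21 mx postfix/smtpd[19940]: connect from unknown[192.0.2.10]
Sep 29 14:19:22 mx postfix/smtpd[19940]: lost connection after AUTH from unknown[192.0.2.10]
Sep 29 14:19:22 mx postfix/smtpd[19940]: disconnect from unknown[192.0.2.10]
Sep 29 14:20:05 mx postfix/smtpd[19951]: lost connection after AUTH from unknown[192.0.2.10]
Sep 29 14:21:40 mx postfix/smtpd[19963]: lost connection after AUTH from unknown[192.0.2.10]
Sep 29 14:22:00 mx postfix/smtpd[19970]: lost connection after AUTH from host.example[198.51.100.7]
Sep 29 15:30:00 mx postfix/smtpd[20100]: lost connection after AUTH from host.example[198.51.100.7]
""".splitlines()


def find_offenders(lines, max_retry=3, find_time=600, year=2015):
    """Return {ip: time the threshold was first reached} for each client with
    max_retry or more matching lines inside a find_time-second sliding window.
    Syslog timestamps carry no year, so the caller supplies one."""
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LOST_AUTH.match(line)
        if not m:
            continue  # connect/disconnect and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # drop events older than the window
            hits.popleft()
        if len(hits) >= max_retry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when}")
```

The second sample address shows why the window matters: two disconnects more than an hour apart never reach the threshold with a 600-second window.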
