I think it can be pretty bad behaviour if you get too many attempts too quickly. I've seen over 1000 in 24h from a single IP. I generally see nothing but every now and then someone has a go and it is a bit irritating.
I also had one IP doing about 6 attempts an hour for days until I spotted it and blocked it. I was blocking 10 occurrences in an hour but dropped it to 5 an hour to combat the IP.

On 2015-09-30 12:08, Darac Marjal wrote:
> On Tue, Sep 29, 2015 at 02:30:47PM -0700, Gao wrote:
>> Hello, all
>>
>> I have the postfix-sasl jail enabled and it works well against attack,
>> such as "Failed login".
>>
>> I just noticed that my email server's maillog flood with this:
>> ...
>> Sep 29 14:19:21 szeta postfix/smtpd[19940]: connect from ns3366447.ip-37-187-77.eu[37.187.77.147]
>> Sep 29 14:19:22 szeta postfix/smtpd[19940]: lost connection after AUTH from ns3366447.ip-37-187-77.eu[37.187.77.147]
>> Sep 29 14:19:22 szeta postfix/smtpd[19940]: disconnect from ns3366447.ip-37-187-77.eu[37.187.77.147]
>
> "Lost connection after AUTH" means that postfix sent "AUTH" to the
> client, and the client disconnected. In other words, the client probably
> attempted some action which you've configured that only authorized users
> can perform (usually, this is something like sending mail to a different
> server (relaying)). Postfix said "authorize yourself in order to
> perform this action", and the client just dropped the connection (rather
> than cleanly quitting and waiting for postfix to close the connection).
>
> In other words, no authorization was attempted.
>
> I suspect that fail2ban doesn't block this normally because it's not
> really bad behaviour. It's akin to someone connecting to your SSH port
> and disconnecting upon finding that it's asking for a password :)
>
>> ...
>>
>> And the fail2ban does nothing about this! No new entry about this in
>> fail2ban.log. The attack is still going and I am going to manually kill it in
>> iptables.
>>
>> What should I do about this in fail2ban? Please help.
>>
>> Thanks.
>>
>> Gao

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
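The per-IP counting discussed in this thread, as an added example that is not part of the original messages or of fail2ban's own code: it matches the "lost connection after AUTH" line format quoted above and flags an address once it reaches a threshold within a sliding one-hour window. The function names, the sample log (constructed, using documentation addresses) and the assumed year are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same shape as the postfix/smtpd line quoted in the thread; captures the bracketed address.
LOST_AFTER_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]\s*$"
)

def offenders(lines, max_hits=5, window_s=3600, year=2015):
    """Return {ip: time of the hit that first reached max_hits within window_s}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOST_AFTER_AUTH.match(line)
        if not m:
            continue              # connect/disconnect lines are ignored
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_s:
            hits.popleft()        # drop hits older than the window
        if len(hits) >= max_hits and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def sample_log():
    """Constructed log: 192.0.2.10 drops after AUTH every 10 minutes, 198.51.100.7 once."""
    lines = []
    for i in range(12):
        t = f"Sep 29 {14 + i // 6:02d}:{(i % 6) * 10:02d}:22"
        lines.append(f"{t} mx postfix/smtpd[19940]: connect from unknown[192.0.2.10]")
        lines.append(f"{t} mx postfix/smtpd[19940]: "
                     "lost connection after AUTH from unknown[192.0.2.10]")
    lines.append("Sep 29 15:05:00 mx postfix/smtpd[20001]: "
                 "lost connection after AUTH from unknown[198.51.100.7]")
    return lines

if __name__ == "__main__":
    for limit in (10, 5):
        print(f"threshold {limit}/hour ->", offenders(sample_log(), max_hits=limit))
```

On the constructed log, a source making about 6 attempts an hour never reaches a threshold of 10 in an hour but is flagged at a threshold of 5.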
