Re: [Fail2ban-users] Don't know what kind of attack is this

Wed, 30 Sep 2015 10:31:45 -0700 

Thnaks. Added the maxlines and now looks good:
[root@szeta ~]# fail2ban-regex /var/log/maillog-20150928 /etc/fail2ban/filter.d/postfix-auth.conf 

Running tests
=============

Use   failregex filter file : postfix-auth, basedir: /etc/fail2ban
Use         maxlines : 10
Use         log file : /var/log/maillog-20150928
Use         encoding : UTF-8


Results
=======

Failregex: 311 total
|-  #) [# of hits] regular expression
| 1) *[260]* ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*lost connection after AUTH from (.*)\[<HOST>\] | 2) *[49]* ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*lost connection after EHLO from (.*)\[<HOST>\] | 3) *[2]* ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/(submission/)?smtp(d|s)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*lost connection after UNKNOWN from (.*)\[<HOST>\] 
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [10623] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? 
`-
Lines: 10623 lines, 0 ignored, *311 matched,* 10312 missed [processed in 1.44 sec] Missed line(s): too many to print. Use --print-all-missed to print all 10312 lines 




On 15-09-30 10:05 AM, Harrison Johnson wrote:

In the [Init] section of the filter file add a line:
    maxlines = 10
this sets up a buffer of 10 lines from the log file change the number as needed. Now your failregex will match to those lines. 
On Wed, 2015-09-30 at 09:14 -0700, Gao wrote:

After another look of the maillog, I see there are also at least another
attack like this, instead of AUTH, there are EHLO, RCPT, UNKNOWN,
STARTTLS and CONNECT, among these, EHLO is for sure anther attack. The
others does not have many attempts in a short period.

May be I should make it a wildcard in the filter. But I don't want block
the normal user by mistake.

Now, I set findtime=120 and maxretry=5. Also the filter now is like this:

failregex = ^%(__prefix_line)slost connection after AUTH from (.*)\[<HOST>\]
              ^%(__prefix_line)slost connection after EHLO from (.*)\[<HOST>\]
              ^%(__prefix_line)slost connection after UNKNOWN from 
(.*)\[<HOST>\]


Gao






On 15-09-30 04:42 AM, Nick Howitt wrote:
> I think it can be pretty bad behaviour if you get too many attempts too
> quickly. I've seen over 1000 in 24h from a single IP. I generally see
> nothing but every now and then someone has a go and it is a bit
> irritating.
>
> I also had one IP doing about 6 attempts an hour for days until I
> spotted it and blocked it. I was blocking 10 occurrences in an hour but
> dropped it to 5 an hour to combat the IP.
>
> On 2015-09-30 12:08, Darac Marjal wrote:
>> On Tue, Sep 29, 2015 at 02:30:47PM -0700, Gao wrote:
>>> Hello, all
>>>
>>> I have the postfix-sasl jail enabled and it works well against attack, 
>>> such as
>>> "Failed login".
>>>
>>> I just notified that my email server's maillog flood with this:
>>> ...
>>> Sep 29 14:19:21 szeta postfix/smtpd[19940]: connect from
>>> ns3366447.ip-37-187-77.eu[37.187.77.147]
>>> Sep 29 14:19:22 szeta postfix/smtpd[19940]: lost connection after AUTH 
>>> from
>>> ns3366447.ip-37-187-77.eu[37.187.77.147]
>>> Sep 29 14:19:22 szeta postfix/smtpd[19940]: disconnect from
>>> ns3366447.ip-37-187-77.eu[37.187.77.147]
>> "Lost connection after AUTH" means that postfix sent "AUTH" to the
>> client, and the client disconnected. In other words, the client
>> probably
>> attempted some action which you've configured that only authorized
>> users
>> can perform (usually, this is something like sending mail to a
>> different
>> serveer (relaying)). Postfix said "authorize yourself in order to
>> perform this action", and the client just dropped the connection
>> (rather
>> than cleanly quitting and waiting for postfix to close the conecction). 
>>
>> In other words, no authorization was attempted.
>>
>> I suspect that fail2ban doesn't block this normally because it's not
>> really bad behaviour. It's akin to someone connecting to your SSH port
>> and disconnecting upon finding that it's asking for a password :)
>>
>>> ...
>>>
>>> And the fail2ban does nothing about this! No new entry about this in
>>> fail2ban.log. The attack is still going and I am going to manual kill
>>> it in
>>> iptables.
>>>
>>> What should I do about this in fail2ban? Please help.
>>>
>>> Thanks.
>>>
>>> Gao
>>>
>>> ------------------------------------------------------------------------------ 
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> [email protected] <mailto:[email protected]> 
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>> ------------------------------------------------------------------------------ 
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected] <mailto:[email protected]> 
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> ------------------------------------------------------------------------------ 
> _______________________________________________
> Fail2ban-users mailing list
> [email protected] <mailto:[email protected]> 
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users


------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected] <mailto:[email protected]> 
https://lists.sourceforge.net/lists/listinfo/fail2ban-users





------------------------------------------------------------------------------

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Reply via email to