Seeing these things in my postfix log file:
Feb 21 10:43:47 d postfix/smtps/smtpd[18263]: warning: hostname ip-113-92.4vendeta.com does not resolve to address 78.128.113.92
Feb 21 10:43:47 x postfix/smtps/smtpd[18263]: connect from unknown[78.128.113.92]
Feb 21 10:43:47 x postfix/smtps/smtpd[18263]: lost connection after UNKNOWN from unknown[78.128.113.92]
Feb 21 10:43:47 x postfix/smtps/smtpd[18263]: disconnect from unknown[78.128.113.92]
Instances where something is connecting but not failing auth and instead hanging up, but over and over again, wasting system resources.
Does anybody have a jail to monitor and block this stuff? Or is it ill-advised? Can this catch false positives?
https://github.com/GaryGapinski/fail2ban-extras/blob/master/filter.d/postfix-extra.conf may be of interest. It has been developed after much observation of SMTP exploit attempts (thus will remain a work in progress).
See also the related Postfix configuration (https://github.com/GaryGapinski/fail2ban-extras/blob/master/filter.d/postfix-extra.conf).
Those filter regexes will not catch the specific "…hostname…does not resolve to address…" since that (FCrDNS fail) can be handled in other ways, but one could trigger on that. I am unsure what proportion of legitimate email providers lack FCrDNS.
I had not previously noticed "lost connection after UNKNOWN…" but will add that as well as the companion regex for the disconnect.
Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection after UNKNOWN from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
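The two regexes discussed in the reply (the "lost connection after UNKNOWN" line and the companion "disconnect" line), written in fail2ban filter.d style and run over a constructed log excerpt modelled on the lines quoted in this thread. This is an added illustration, not code from the thread or from the linked postfix-extra.conf; the <HOST> expansion and syslog prefix are simplified approximations of what fail2ban itself uses, and the `unknown=` counter check assumes the Postfix 3 "accepted/attempted" disconnect summary format seen in the reply.

```python
import re
from collections import Counter

# Constructed excerpt: IPv4 session as in the original post (older Postfix,
# no counters on the disconnect line), IPv6 session as in the reply, plus two
# constructed legitimate-looking events that the filter must NOT match.
SAMPLE_LOG = """\
Feb 21 10:43:47 x postfix/smtps/smtpd[18263]: connect from unknown[78.128.113.92]
Feb 21 10:43:47 x postfix/smtps/smtpd[18263]: lost connection after UNKNOWN from unknown[78.128.113.92]
Feb 21 10:43:47 x postfix/smtps/smtpd[18263]: disconnect from unknown[78.128.113.92]
Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection after UNKNOWN from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2
Feb 11 12:20:01 mail postfix/smtpd[23790]: lost connection after DATA from mx.example.net[203.0.113.5]
Feb 11 12:20:02 mail postfix/smtpd[23790]: disconnect from mx.example.net[203.0.113.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# Patterns as they would appear under "failregex =" in a filter.d file.
# The second one only fires when the disconnect summary reports at least one
# attempted unknown command (unknown=N/M with M >= 1), so ordinary session
# endings, and counter-less disconnects from older Postfix, never match.
FAILREGEX = [
    r"lost connection after UNKNOWN from \S+\[<HOST>\]$",
    r"disconnect from \S+\[<HOST>\] .*\bunknown=\d+/[1-9]\d*",
]

# Simplified stand-ins for fail2ban's <HOST> tag and __prefix_line (assumption:
# syslog timestamp, host, then postfix/smtpd or postfix/<instance>/smtpd).
HOST_RE = r"(?P<host>[\w.:-]+)"
PREFIX_RE = r"^\w{3}\s+\d{1,2} [\d:]{8} \S+ postfix/(?:[\w-]+/)?smtpd\[\d+\]: "
COMPILED = [re.compile(PREFIX_RE + rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEX]


def matching_hosts(log_text):
    """Count failregex hits per client address, one hit at most per line."""
    hits = Counter()
    for line in log_text.splitlines():
        for rx in COMPILED:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def hosts_to_ban(log_text, maxretry=5):
    """Addresses that reached maxretry hits (findtime ignored for brevity).
    Note that one probe session on Postfix 3 produces two hits, one per regex."""
    return sorted(h for h, n in matching_hosts(log_text).items() if n >= maxretry)
```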