On 21/02/2020 20:23, Gary Gapinski via Fail2ban-users wrote:
On 2/21/20 1:21 PM, Gary Gapinski via Fail2ban-users wrote:
I had not previously noticed "lost connection after UNKNOWN…" but will add that as well as the companion regex for the disconnect.

Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection after UNKNOWN from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2

I checked the packet capture for that encounter:

220 example.com ESMTP Postfix
EHLO []
250-example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
HELP (← after 2.31s delay which prompted two server TCP retransmissions)
502 5.5.2 Error: command not recognized

HELP is not implemented; the antecedent bogus EHLO would have triggered a ban had a delivery been attempted (because of smtpd_delay_reject = yes). However, there was no delivery attempt so the session never arrived at "Helo command rejected: need fully-qualified hostname" as the client closed the session (without a QUIT) immediately after receiving the 502.

The origin address had previously (repeatedly, for a variety of transgressions dating back to August 2019) been banned one week earlier and unbanned within the hour prior to the 2020-02-11 SMTP session. Just prior to the session it did a port 25 TCP connect and then an immediate reset (RST), a commonly observed but curious practice. Such SYN, SYN-ACK, RST sequences do not produce any log records.

IMO: anything evoking an unknown SMTP command response is ban bait. That would include VRFY which is routinely disabled.


I use a filter:

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd

# First pattern: session dropped by the client right after the named command.
# Second pattern: disconnect from a client with no reverse DNS ("unknown").
# <HOST> is the address fail2ban counts and eventually bans.
failregex = ^%(__prefix_line)slost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$
            ^%(__prefix_line)sdisconnect from unknown\[<HOST>\]$

Every so often I get a big attack of these, but at the same time, there are risks from this type of filter.

Regards,

Nick
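As an added example (it is neither code from this thread nor from fail2ban itself), the Python below runs the two failregex lines of the posted filter over the three log lines quoted from Gary's server plus two constructed ones, and compares the result with a variant pattern set that is mine, not Nick's. The `PREFIX_LINE` and `HOST` regexes are simplified stand-ins for common.conf's `__prefix_line` and fail2ban's `<HOST>` tag (an assumption; the real ones are more permissive), so the point is the matching logic, not a byte-exact reproduction of fail2ban.

```python
"""Run fail2ban-style failregex patterns over Postfix smtpd log lines offline."""
import re

# Simplified stand-in for fail2ban's common.conf __prefix_line (assumption:
# syslog timestamp, host name, then "postfix/smtpd[pid]: ").
PREFIX_LINE = r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ postfix/smtpd\[\d+\]: "
# Simplified stand-in for fail2ban's <HOST> tag: an IPv4 or IPv6 literal.
HOST = r"(?P<host>[0-9a-fA-F:.]+)"

# The two failregex lines from the posted filter, copied verbatim.
POSTED_FAILREGEX = [
    r"lost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[<HOST>\]$",
    r"disconnect from unknown\[<HOST>\]$",
]

# Variant (assumption, not from the thread): no dot is required in the client
# name, so clients without reverse DNS ("unknown[...]") also match, and the
# per-session counters Postfix appends after "disconnect from ..." are allowed.
VARIANT_FAILREGEX = [
    r"lost connection after (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from \S+\[<HOST>\]$",
    r"disconnect from unknown\[<HOST>\](?: .*)?$",
]

# Sample log: the three lines quoted in the thread, plus two constructed ones.
SAMPLE_LOG = [
    "Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from unknown[240e:f7:4f01:c::3]",
    "Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection after UNKNOWN from unknown[240e:f7:4f01:c::3]",
    "Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2",
    # constructed: a client with reverse DNS that dropped the session after AUTH
    "Feb 11 12:20:01 mail postfix/smtpd[23801]: lost connection after AUTH from bad.example.net[203.0.113.7]",
    # constructed: a legitimate session that ends with QUIT and must not match
    "Feb 11 12:21:05 mail postfix/smtpd[23802]: disconnect from mx.example.org[198.51.100.2] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5",
]


def expand(pattern: str) -> re.Pattern:
    """Do what fail2ban does with %(__prefix_line)s and <HOST> before compiling."""
    return re.compile(PREFIX_LINE + pattern.replace("<HOST>", HOST))


def matches(failregex, lines):
    """Return the <HOST> value of every line some failregex matches, in log order.

    Each such line counts as one failure against that host in fail2ban."""
    compiled = [expand(p) for p in failregex]
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break  # a line is counted once even if several patterns match
    return hits


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_FAILREGEX), ("variant", VARIANT_FAILREGEX)):
        print(f"{name}: {matches(rules, SAMPLE_LOG)}")
```

Running it shows what a practitioner should check before trusting a filter like this: with the posted patterns, only the constructed `bad.example.net[203.0.113.7]` line is counted. The quoted `lost connection after UNKNOWN from unknown[...]` line is not, because `.*\..*` demands a dot somewhere in the client name and `unknown` has none, and the quoted `disconnect from unknown[...]` line is not either, because Postfix logged `ehlo=1 unknown=0/1 commands=1/2` after the bracket while the pattern ends in `\]$`. The variant counts the IPv6 client twice (once per line) and still leaves the legitimate QUIT session alone.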


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users