On Thu, 20 Oct 2016 17:13:26 -0400 "Bill Cole" <postfixlists-070...@billmail.scconsult.com> wrote:
> On 20 Oct 2016, at 16:39, Keith Williams wrote:
>
> > No wait... What?
> >
> > This is no attack. Attack is when you try to break or enforce..
> > This is a probe, and from the probe we can deduce from the reported
> > disconnect that 1. helo was tried, 2. no auth was attempted and 3,
> > quit was used.
> >
> > So a test for helo and quit? and no auth.
>
> No. The "auth=0/1" in the disconnect line means that Postfix received
> 1 authentication attempt but it failed. This was a "probe" to see if
> a particular user exists and has a particular password.
>
> > Someone is testing your IP and mail capability.. perhaps>>
>
> Not stipulating that unauthorized "probes" are not also block-worthy,
> but this is a bit more.
>
> > On 20/10/2016 22:20, Bill Cole wrote:
> >> On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
> >>
> >>> It's clear from the log, the attacker isn't even attempting to
> >>> authenticate (0 attempts). The attacker hasn't probably not even
> >>> realized he is connecting to a mail server.
> >>
> >>
> >> No. There's a jumble there, but at least one is a lame "attack" of
> >> a sort. The only *Postfix* messages were:
> >>
> >>> Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from
> >>> unknown[216.15.186.126]
> >>> Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from
> >>> unknown[216.15.186.126] helo=1 auth=0/1 quit=1 commands=2/3
> >>
> >> *THAT* client tried to authenticate and failed. It's a CBL-listed
> >> IP on a chronically abuse-friendly network.
> >>
> >> The rest were all messages from Dovecot components, about failed
> >> SSL connections from a mix of IPs. Impossible to know what the
> >> reasons for those were without tracking down the person running
> >> the computer.

Follow up. Different IP, same deal, but I added some error slowing settings.
#lines added after hacker attack
smtpd_soft_error_limit = 3
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = 6
smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 20
smtpd_client_new_tls_session_rate_limit = 20
smtpd_client_recipient_rate_limit = 10
smtpd_recipient_limit = 10

<snip>

maillog.4.bz2:Nov 19 12:40:43 theranch postfix/submission/smtpd[22648]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5
maillog.4.bz2:Nov 19 12:40:43 theranch postfix/submission/smtpd[22655]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5
maillog.4.bz2:Nov 19 12:40:43 theranch postfix/submission/smtpd[22653]: disconnect from unknown[172.56.38.118] ehlo=2 starttls=1 auth=1 quit=1 commands=5
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max connection rate 9/60s for (submission:172.56.38.118) at Nov 19 12:40:23
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max connection count 6 for (submission:172.56.38.118) at Nov 19 12:40:20
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max newtls rate 5/60s for (submission:172.56.38.118) at Nov 19 12:40:20
maillog.4.bz2:Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max auth rate 5/60s for (submission:172.56.38.118) at Nov 19 12:40:43
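As an added illustration (not code from this thread or from Postfix), the script below reads smtpd disconnect lines the way Bill's reading of "auth=0/1" implies: Postfix logs name=count when every command of that kind succeeded and name=success/total when some failed, so failed AUTH attempts per client are total minus successful. The log lines inside it are constructed with documentation addresses rather than the IPs from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's quotes (documentation IPs, not real traffic).
SAMPLE_LOG = """\
Oct 19 07:55:27 mail postfix/smtpd[9929]: connect from unknown[192.0.2.10]
Oct 19 07:55:28 mail postfix/smtpd[9929]: disconnect from unknown[192.0.2.10] helo=1 auth=0/1 quit=1 commands=2/3
Nov 19 12:40:43 theranch postfix/submission/smtpd[22648]: disconnect from unknown[198.51.100.7] ehlo=2 starttls=1 auth=1 quit=1 commands=5
Nov 19 12:40:44 theranch postfix/submission/smtpd[22655]: disconnect from unknown[198.51.100.7] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7
Nov 19 12:44:59 theranch postfix/anvil[22634]: statistics: max auth rate 5/60s for (submission:198.51.100.7) at Nov 19 12:40:43
"""

# "disconnect from host[ip] name=... name=..." from any smtpd instance (smtpd, submission/smtpd, ...)
DISCONNECT_RE = re.compile(r"postfix/(?:\S+/)?smtpd\[\d+\]: disconnect from [^\s\[]+\[([^\]]+)\] (.*)$")
# name=count (all succeeded)  or  name=success/total (some failed)
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_counters(fields):
    """'helo=1 auth=0/1' -> {'helo': (1, 1), 'auth': (0, 1)} as (successful, total)."""
    out = {}
    for name, ok, total in COUNTER_RE.findall(fields):
        ok = int(ok)
        out[name] = (ok, int(total) if total else ok)
    return out

def auth_summary_by_client(log_text):
    """Per client IP: successful and failed AUTH attempts across all disconnect lines."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0})
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:            # connect lines, anvil statistics, Dovecot noise: skip
            continue
        ip, fields = m.groups()
        ok, total = parse_counters(fields).get("auth", (0, 0))  # no AUTH at all -> (0, 0)
        summary[ip]["ok"] += ok
        summary[ip]["failed"] += total - ok
    return dict(summary)

def clients_over_threshold(log_text, max_failures=3):
    """IPs whose failed AUTH count reached the threshold, most failures first."""
    summary = auth_summary_by_client(log_text)
    flagged = [ip for ip, s in summary.items() if s["failed"] >= max_failures]
    return sorted(flagged, key=lambda ip: -summary[ip]["failed"])

if __name__ == "__main__":
    for ip, s in auth_summary_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {s['ok']} successful, {s['failed']} failed AUTH")
    print("over threshold:", clients_over_threshold(SAMPLE_LOG))
```

Note that a plain "auth=1" counts as one successful login, so the summary also separates clients that got in from clients that only guessed.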