On Thu, Sep 09, 2021 at 03:21:02PM -0400, J Doe wrote:

> >> Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from 
> >> unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
> >
> > That's AUTH probing. A bot on 77.247.110.240 has a big list of usernames 
> > and passwords and is testing them one at a time.
> > 
> > As has been suggested, looking for 'auth=0/' in the log is a useful 
> > pattern for fail2ban or other log-scanning tools.
> > 
> In this case, is the botnet actually trying credentials?

Yes.  That's what "auth=0/1" indicates.

> It looks to me that it is establishing a TLS connection and then
> dropping it (or am I mistaken?).

You're mistaken.  Reducing the verbosity of TLS logging could help you
to see the forest for the trees.

> If it is just establishing TLS and is not actually trying credentials, 
> why would a botnet do that?

To discover features of your TLS implementation, but that's far more
likely from Internet survey engines (e.g. my DNSSEC/DANE survey) than
from a botnet.

-- 
    Viktor.

[ If you DNSSEC-sign your domain and its MX hosts, and publish TLSA
records, you'll see a daily connection from the DANE survey unless your
domain is under a ccTLD for which I have no data feeds, and you don't
appear in certificate transparency logs, PTR records of IP addresses, 
or otherwise leave a trace of your existence in some way that can be
easily discovered.

Presently tracking 16.1 million signed domains, with SMTP connections to
16k IP addresses of MX hosts with TLSA records. ]
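As an added example (not part of this thread, and not Postfix or fail2ban code), the script below parses Postfix smtpd "disconnect from" summary lines, turns the "auth=0/1" style counters into failed-attempt counts per client IP, and lists clients that reach a threshold; the log lines are constructed, modelled on the one quoted above.

```python
import re
from collections import Counter

# Constructed sample log: the first 77.247.110.240 line is the one quoted in the
# thread; the rest are made up (a second probe, a client that authenticated, a client with no AUTH).
SAMPLE_LOG = """\
Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4
Sep  6 09:18:03 localhost postfix/smtpd[14625]: disconnect from unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/3 commands=3/6
Sep  6 09:19:10 localhost postfix/smtpd[14630]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Sep  6 09:20:00 localhost postfix/smtpd[14631]: disconnect from unknown[198.51.100.7] ehlo=2 starttls=1 quit=1 commands=4
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
    r"(?P<counters>(?: \w+=\d+(?:/\d+)?)+)\s*$"
)

def parse_counters(text):
    """'ehlo=2 auth=0/1 commands=3/4' -> {name: (succeeded, attempted)}; Postfix
    logs name=N when all N succeeded, name=OK/TOTAL otherwise (auth=0/1: 1 try, 0 ok)."""
    counters = {}
    for name, ok, total in re.findall(r"(\w+)=(\d+)(?:/(\d+))?", text):
        counters[name] = (int(ok), int(total) if total else int(ok))
    return counters

def parse_disconnect(line):
    """Return {'host', 'ip', 'counters'} for an smtpd disconnect line, else None."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    return {"host": m.group("host"), "ip": m.group("ip"),
            "counters": parse_counters(m.group("counters"))}

def auth_failures(record):
    """Failed AUTH attempts in one session: attempted minus succeeded."""
    ok, total = record["counters"].get("auth", (0, 0))
    return total - ok

def failed_auth_by_ip(log_text):
    """Total failed AUTH attempts per client IP over all disconnect lines."""
    failures = Counter()
    for line in log_text.splitlines():
        record = parse_disconnect(line)
        if record is not None and auth_failures(record) > 0:
            failures[record["ip"]] += auth_failures(record)
    return failures

def probing_clients(log_text, threshold=3):
    # Client IPs whose failed AUTH total reaches the threshold (block candidates).
    return sorted(ip for ip, n in failed_auth_by_ip(log_text).items() if n >= threshold)
```

A plain grep for 'auth=0/' as suggested in the thread catches the same sessions; this version additionally counts how many attempts each session carried.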
