Eric Shubert wrote:
On 03/02/2011 06:31 AM, Sergio M wrote:
[from this other thread
http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
]

As I said, being under SMTP attack I installed fail2ban and created a
set of rules like:

*** jail.conf ***
(...)
[vpopmail]
enabled = true
port = pop3
filter = vpopmail
action = iptables[name=pop3, port=pop3, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 604800
findtime = 3600

[vpopmail-fail]
enabled = true
filter = vpopmail-fail
action = iptables[name=SMTP, port=25, protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
bantime = 604800
findtime = 3600

*** vpopmail-fail.conf ***
[Definition]
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>

ignoreregex =

*** vpopmail.conf ***
[Definition]
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>
ignoreregex =

Setup being said, I get lots of hits for the vpopmail-fail jail:
# fail2ban-client status vpopmail-fail
Status for the jail: vpopmail-fail
|- filter
| |- File list: /var/log/maillog
| |- Currently failed: 7
| `- Total failed: 225
`- action
|- Currently banned: 109
| `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...)
187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
`- Total banned: 109


Not surprisingly, many of them are Brazilian IPs.

However, check this out:
# date
Wed Mar 2 10:27:09 ART 2011
tail /var/log/qmail/smtp/current -F | tai64nlocal
2011-03-02 10:22:49.480688500 tcpserver: end 14729 status 0
2011-03-02 10:22:49.480691500 tcpserver: status: 24/25
2011-03-02 10:22:49.480714500 tcpserver: status: 25/25
2011-03-02 10:22:49.480917500 tcpserver: pid 15808 from 187.4.200.17
2011-03-02 10:22:49.481000500 tcpserver: ok 15808 mail.domain.com.ar:11.22.33.44:25 :187.4.200.17::3220
2011-03-02 10:26:29.551470500 tcpserver: end 15477 status 0
2011-03-02 10:26:29.551473500 tcpserver: status: 24/25
2011-03-02 10:26:29.551502500 tcpserver: status: 25/25
2011-03-02 10:26:29.551726500 tcpserver: pid 16348 from 186.191.158.84
2011-03-02 10:26:29.631488500 tcpserver: ok 16348 mail.domain.com.ar:11.22.33.44:25 :186.191.158.84::59586

Look at the speed of my smtp session log!! Like 2 entries in 4 minutes!
I tried qmailctl stop/start several times, and no msgs in queue (checked
with qmHandle -l)

Without fail2ban, it stayed at 25 of 25 but just kept flowing.

Any ideas?


Thanks!
-Sergio

---------------------------------------------------------------------------------

Looks to me like you have some qmail-smtp processes that are hung. I would stop qmail, wait a few seconds for things to terminate on their own, then see what's still running. I'd expect to see some qmail-smtpd processes hanging around.
# pkill qmail-smtpd
should clean them up. Then start qmail back up again.

Hi Eric,
I did that several times.
1. qmailctl stop
2. qmailctl stat (nothing running)
3. pkill qmail-smtpd
4. htop (and look for qmail)
4' wait a minute
5. qmailctl start
6.
2011-03-02 13:43:42.362756500 tcpserver: status: 24/25
2011-03-02 13:43:42.362758500 tcpserver: status: 25/25
2011-03-02 13:43:42.362759500 tcpserver: pid 25649 from 200.175.53.14
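
Added example, not part of the original thread or the qmailtoaster project: this Python script reads tcpserver lines in the format quoted above, lists which client IPs hold sessions that have not yet logged an `end`, and flags the ones that also appear in the `fail2ban-client status` ban list. The sample log, sample status text, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the tai64nlocal/tcpserver format quoted in the thread.
SAMPLE_LOG = """\
2011-03-02 10:00:01.000000500 tcpserver: status: 1/25
2011-03-02 10:00:01.000100500 tcpserver: pid 4001 from 203.0.113.7
2011-03-02 10:00:01.000200500 tcpserver: ok 4001 mail.example.test:192.0.2.10:25 :203.0.113.7::40100
2011-03-02 10:00:02.000000500 tcpserver: status: 2/25
2011-03-02 10:00:02.000100500 tcpserver: pid 4002 from 198.51.100.23
2011-03-02 10:00:03.000000500 tcpserver: status: 3/25
2011-03-02 10:00:03.000100500 tcpserver: pid 4003 from 203.0.113.7
2011-03-02 10:00:04.000000500 tcpserver: end 4002 status 0
2011-03-02 10:00:04.000100500 tcpserver: status: 2/25
2011-03-02 10:00:05.000000500 tcpserver: status: 3/25
2011-03-02 10:00:05.000100500 tcpserver: pid 4004 from 198.51.100.99
"""
# Constructed excerpt of `fail2ban-client status <jail>` output.
SAMPLE_STATUS = "|- Currently banned: 2\n|  `- IP list: 203.0.113.7 203.0.113.99\n`- Total banned: 2\n"

PID_FROM = re.compile(r"tcpserver: pid (\d+) from (\S+)")
END = re.compile(r"tcpserver: end (\d+) status \d+")
STATUS = re.compile(r"tcpserver: status: (\d+)/(\d+)")

def open_sessions(lines):
    """Return ({pid: ip} with no 'end' line yet, last (used, limit) status)."""
    live, status = {}, None
    for line in lines:
        if m := PID_FROM.search(line):
            live[m.group(1)] = m.group(2)
        elif m := END.search(line):
            live.pop(m.group(1), None)  # ignore 'end' for a pid started before the window
        elif m := STATUS.search(line):
            status = (int(m.group(1)), int(m.group(2)))
    return live, status

def banned_from_status(text):
    """Extract the IPv4 addresses listed after 'IP list:' in the status output."""
    _, found, tail = text.partition("IP list:")
    return set(re.findall(r"\d+\.\d+\.\d+\.\d+", tail)) if found else set()

def slots_by_ip(live, banned):
    """Open sessions per client IP, busiest first, with a banned flag."""
    return [(ip, n, ip in banned) for ip, n in Counter(live.values()).most_common()]

if __name__ == "__main__":
    live, status = open_sessions(SAMPLE_LOG.splitlines())
    print("tcpserver status:", status)
    for ip, n, is_banned in slots_by_ip(live, banned_from_status(SAMPLE_STATUS)):
        print(f"{ip:15} {n} open {'BANNED' if is_banned else ''}")
```

Sessions opened before the start of the log window are not counted, so the per-IP total can be lower than the `status:` figure.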


