Would FAIL2BAN be an ideal setup here? I use it to control the attacks [example: more than 10 failed logins in 1 day, your banned for "X" hours].
Fail2ban also works with the SquirrelMail, Roundcube, etc... I have it setup on SMTP, SMTPS, SUBMISSION, POP3s and IMAPs. You can also use FAIL2BAN for SSH and ftp. The part I like, you can have fail2ban to send you an email that looks like this: ------------example-------- The IP 202.62.224.40 has just been banned by Fail2Ban after 10 attempts against pop3. Lines containing IP:202.62.224.40 in /var/log/maillog Dec 28 21:49:59 mail7 spamdyke[978]: DENIED_RELAYING from: [email protected] to: [email protected] origin_ip: 202.62.224.40 origin_rdns: solar.ortel.net auth: (unknown) encryption: (none) reason: (empty) Dec 28 21:50:24 mail7 vpopmail[1202]: vchkpw-smtp: null password given Newsletter:202.62.224.40 Dec 28 21:51:11 mail7 vpopmail[1263]: vchkpw-smtp: null password given Company:202.62.224.40 Dec 28 21:51:46 mail7 vpopmail[1324]: vchkpw-smtp: null password given root:202.62.224.40 Dec 28 21:52:58 mail7 vpopmail[1451]: vchkpw-smtp: null password given temp:202.62.224.40 Dec 28 21:53:18 mail7 vpopmail[1492]: vchkpw-smtp: null password given Test:202.62.224.40 Dec 28 21:54:22 mail7 vpopmail[1577]: vchkpw-smtp: null password given abuse:202.62.224.40 Dec 28 21:54:42 mail7 vpopmail[1598]: vchkpw-smtp: null password given MYSQL:202.62.224.40 Dec 28 21:55:16 mail7 vpopmail[1804]: vchkpw-smtp: null password given office:202.62.224.40 Dec 28 21:55:44 mail7 vpopmail[1844]: vchkpw-smtp: vpopmail user not found customer@:202.62.224.40 Dec 28 21:56:07 mail7 vpopmail[1870]: vchkpw-smtp: vpopmail user not found company@:202.62.224.40 Dec 28 21:56:50 mail7 vpopmail[1920]: vchkpw-smtp: vpopmail user not found testing@:202.62.224.40 Dec 28 21:57:19 mail7 vpopmail[1961]: vchkpw-smtp: vpopmail user not found temp@:202.62.224.40 Dec 28 21:57:39 mail7 vpopmail[1991]: vchkpw-smtp: vpopmail user not found test@:202.62.224.40 Dec 28 21:59:11 mail7 vpopmail[2288]: vchkpw-smtp: vpopmail user not found newsletter@:202.62.224.40 Dec 28 21:59:37 mail7 vpopmail[2473]: vchkpw-smtp: vpopmail user not found customer@:202.62.224.40 Dec 28 22:00:05 mail7 vpopmail[2826]: vchkpw-smtp: vpopmail user not found company@:202.62.224.40 Dec 28 22:00:49 mail7 vpopmail[2888]: vchkpw-smtp: vpopmail user not found testing@:202.62.224.40 Dec 28 22:01:05 mail7 vpopmail[2919]: vchkpw-smtp: vpopmail user not found postmaster@:202.62.224.40 ------------end example-------- If needed, I can post a few fail2ban scripts but I'm pretty sure they are available on the web for qmail if you search for them. Carl -----Original Message----- From: A. Galatis [mailto:[email protected]] Sent: Friday, December 29, 2017 10:25 AM To: [email protected] Subject: AW: [qmailtoaster] connection issues again. Hi Tony, i have a script counting authentification errors from ip-addresses. If an address appears more then my threshhold it is blocked vi iptables. The log where I count ist he usual maillog. Andreas -----Ursprüngliche Nachricht----- Von: jin&hitman&Barracuda [mailto:[email protected]] Gesendet: Freitag, 29. Dezember 2017 15:59 An: [email protected] Betreff: Re: [qmailtoaster] connection issues again. Hi Remo Are using some kind of autonomous app/scrpt to block them ? If so, what kind of app/script are you using for drop them ? On 29 Dec 2017 5:19 p.m., "Remo Mattei" <[email protected]> wrote: Yes I created some rules based on connection time like 30 sec 5 min 30 min etc. Dropped them. Il giorno 29 dic 2017, alle ore 06:07, Solo <[email protected]> ha scritto: Hi Tony. Yes I see a lot - in my logs I think it's those spammers that tries to connect to Your server using a lot of different names and end up getting refused by vpopmail - se my logwatch file below (all ip addresses match log entries in maillog and vpopmail) --------------------- vpopmail Begin ------------------------ No Such User Found: 4f3c5634.2010906@ - 1 Time(s) abc@ - 1 Time(s) ada@ - 1 Time(s) agenda@ - 1 Time(s) am@ - 1 Time(s) benson@ - 1 Time(s) biblioteca@ - 1 Time(s) caja@ - 1 Time(s) careers@ - 1 Time(s) and so on they time out usually. Others! correct if I'm wrong... Regards, Finn Von B > Den 29-12-2017 kl. 14:40 skrev Tony White: > Hi folks, > Is anyone else seeing a single ip connecting hundreds even thousands > of times but never sending any mail? I end up blocking these using iptables > but I do not understand why it is happening. > > TIA > > Example > 2017-12-30 00:31:31.653614500 tcpserver: status: 2/100 > 2017-12-30 00:31:31.653753500 tcpserver: pid 31242 from 114.229.162.93 > 2017-12-30 00:31:31.653820500 tcpserver: ok 31242 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62277 > 2017-12-30 00:31:32.581728500 tcpserver: end 31242 status 0 > 2017-12-30 00:31:32.581729500 tcpserver: status: 1/100 > 2017-12-30 00:31:32.872455500 tcpserver: status: 2/100 > 2017-12-30 00:31:32.872564500 tcpserver: pid 31246 from 114.229.162.93 > 2017-12-30 00:31:32.872611500 tcpserver: ok 31246 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62369 > 2017-12-30 00:31:33.862860500 tcpserver: end 31246 status 0 > 2017-12-30 00:31:33.862861500 tcpserver: status: 1/100 > 2017-12-30 00:31:34.375021500 tcpserver: status: 2/100 > 2017-12-30 00:31:34.375022500 tcpserver: pid 31248 from 114.229.162.93 > 2017-12-30 00:31:34.375056500 tcpserver: ok 31248 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62461 > 2017-12-30 00:31:35.326643500 tcpserver: end 31248 status 0 > 2017-12-30 00:31:35.326645500 tcpserver: status: 1/100 > 2017-12-30 00:31:35.717309500 tcpserver: status: 2/100 > 2017-12-30 00:31:35.717443500 tcpserver: pid 31252 from 114.229.162.93 > 2017-12-30 00:31:35.717508500 tcpserver: ok 31252 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62563 > 2017-12-30 00:31:36.657366500 tcpserver: end 31252 status 0 > 2017-12-30 00:31:36.657368500 tcpserver: status: 1/100 > 2017-12-30 00:31:37.007733500 tcpserver: status: 2/100 > 2017-12-30 00:31:37.007904500 tcpserver: pid 31254 from 114.229.162.93 > 2017-12-30 00:31:37.007983500 tcpserver: ok 31254 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62637 > 2017-12-30 00:31:37.914884500 tcpserver: end 31254 status 0 > 2017-12-30 00:31:37.914885500 tcpserver: status: 1/100 > 2017-12-30 00:31:38.215151500 tcpserver: status: 2/100 > 2017-12-30 00:31:38.215252500 tcpserver: pid 31259 from 114.229.162.93 > 2017-12-30 00:31:38.215296500 tcpserver: ok 31259 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62738 > 2017-12-30 00:31:39.110484500 tcpserver: end 31259 status 0 > 2017-12-30 00:31:39.110485500 tcpserver: status: 1/100 > 2017-12-30 00:31:39.433288500 tcpserver: status: 2/100 > 2017-12-30 00:31:39.433302500 tcpserver: pid 31261 from 114.229.162.93 > 2017-12-30 00:31:39.433357500 tcpserver: ok 31261 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62831 > 2017-12-30 00:31:40.316270500 tcpserver: end 31261 status 0 > 2017-12-30 00:31:40.316271500 tcpserver: status: 1/100 > 2017-12-30 00:31:40.615598500 tcpserver: status: 2/100 > 2017-12-30 00:31:40.615698500 tcpserver: pid 31271 from 114.229.162.93 > 2017-12-30 00:31:40.615766500 tcpserver: ok 31271 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62924 > 2017-12-30 00:31:41.496972500 tcpserver: end 31271 status 0 > 2017-12-30 00:31:41.496973500 tcpserver: status: 1/100 > 2017-12-30 00:31:41.873223500 tcpserver: status: 2/100 > 2017-12-30 00:31:41.873326500 tcpserver: pid 31273 from 114.229.162.93 > 2017-12-30 00:31:41.873371500 tcpserver: ok 31273 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63007 > 2017-12-30 00:31:42.828193500 tcpserver: end 31273 status 0 > 2017-12-30 00:31:42.828194500 tcpserver: status: 1/100 > 2017-12-30 00:31:43.135644500 tcpserver: status: 2/100 > 2017-12-30 00:31:43.135749500 tcpserver: pid 31277 from 114.229.162.93 > 2017-12-30 00:31:43.135794500 tcpserver: ok 31277 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63093 > 2017-12-30 00:31:44.067442500 tcpserver: end 31277 status 0 > 2017-12-30 00:31:44.067443500 tcpserver: status: 1/100 > 2017-12-30 00:31:44.362100500 tcpserver: status: 2/100 > 2017-12-30 00:31:44.362188500 tcpserver: pid 31282 from 114.229.162.93 > 2017-12-30 00:31:44.362231500 tcpserver: ok 31282 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63184 > 2017-12-30 00:31:45.274625500 tcpserver: end 31282 status 0 > 2017-12-30 00:31:45.274626500 tcpserver: status: 1/100 > 2017-12-30 00:31:45.574491500 tcpserver: status: 2/100 > 2017-12-30 00:31:45.574579500 tcpserver: pid 31293 from 114.229.162.93 > 2017-12-30 00:31:45.574625500 tcpserver: ok 31293 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63270 > 2017-12-30 00:31:46.464235500 tcpserver: end 31293 status 0 > 2017-12-30 00:31:46.464236500 tcpserver: status: 1/100 > 2017-12-30 00:31:46.773361500 tcpserver: status: 2/100 > 2017-12-30 00:31:46.773362500 tcpserver: pid 31298 from 114.229.162.93 > 2017-12-30 00:31:46.773363500 tcpserver: ok 31298 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63351 > 2017-12-30 00:31:47.659727500 tcpserver: end 31298 status 0 > 2017-12-30 00:31:47.659728500 tcpserver: status: 1/100 > 2017-12-30 00:31:47.940773500 tcpserver: status: 2/100 > 2017-12-30 00:31:47.940879500 tcpserver: pid 31300 from 114.229.162.93 > 2017-12-30 00:31:47.940920500 tcpserver: ok 31300 > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63439 > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] <mailto:[email protected]> For additional commands, e-mail: [email protected] <mailto:[email protected]> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] <mailto:[email protected]> For additional commands, e-mail: [email protected] <mailto:[email protected]> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
