Would FAIL2BAN be an ideal setup here? I use it to control the attacks 
[example: more than 10 failed logins in 1 day, you're banned for "X" hours].

Fail2ban also works with SquirrelMail, Roundcube, etc. I have it set up on 
SMTP, SMTPS, SUBMISSION, POP3s and IMAPs. You can also use FAIL2BAN for SSH and 
FTP. The part I like: you can have fail2ban send you an email that looks 
like this:

------------example--------

The IP 202.62.224.40 has just been banned by Fail2Ban after
10 attempts against pop3.


Lines containing IP:202.62.224.40 in /var/log/maillog

Dec 28 21:49:59 mail7 spamdyke[978]: DENIED_RELAYING from: x...@tea.com to: eax...@yahoo.com origin_ip: 202.62.224.40 origin_rdns: solar.ortel.net auth: (unknown) encryption: (none) reason: (empty)
Dec 28 21:50:24 mail7 vpopmail[1202]: vchkpw-smtp: null password given Newsletter:202.62.224.40
Dec 28 21:51:11 mail7 vpopmail[1263]: vchkpw-smtp: null password given Company:202.62.224.40
Dec 28 21:51:46 mail7 vpopmail[1324]: vchkpw-smtp: null password given root:202.62.224.40
Dec 28 21:52:58 mail7 vpopmail[1451]: vchkpw-smtp: null password given temp:202.62.224.40
Dec 28 21:53:18 mail7 vpopmail[1492]: vchkpw-smtp: null password given Test:202.62.224.40
Dec 28 21:54:22 mail7 vpopmail[1577]: vchkpw-smtp: null password given abuse:202.62.224.40
Dec 28 21:54:42 mail7 vpopmail[1598]: vchkpw-smtp: null password given MYSQL:202.62.224.40
Dec 28 21:55:16 mail7 vpopmail[1804]: vchkpw-smtp: null password given office:202.62.224.40
Dec 28 21:55:44 mail7 vpopmail[1844]: vchkpw-smtp: vpopmail user not found customer@:202.62.224.40
Dec 28 21:56:07 mail7 vpopmail[1870]: vchkpw-smtp: vpopmail user not found company@:202.62.224.40
Dec 28 21:56:50 mail7 vpopmail[1920]: vchkpw-smtp: vpopmail user not found testing@:202.62.224.40
Dec 28 21:57:19 mail7 vpopmail[1961]: vchkpw-smtp: vpopmail user not found temp@:202.62.224.40
Dec 28 21:57:39 mail7 vpopmail[1991]: vchkpw-smtp: vpopmail user not found test@:202.62.224.40
Dec 28 21:59:11 mail7 vpopmail[2288]: vchkpw-smtp: vpopmail user not found newsletter@:202.62.224.40
Dec 28 21:59:37 mail7 vpopmail[2473]: vchkpw-smtp: vpopmail user not found customer@:202.62.224.40
Dec 28 22:00:05 mail7 vpopmail[2826]: vchkpw-smtp: vpopmail user not found company@:202.62.224.40
Dec 28 22:00:49 mail7 vpopmail[2888]: vchkpw-smtp: vpopmail user not found testing@:202.62.224.40
Dec 28 22:01:05 mail7 vpopmail[2919]: vchkpw-smtp: vpopmail user not found postmaster@:202.62.224.40

------------end example--------

If needed, I can post a few fail2ban scripts but I'm pretty sure they are 
available on the web for qmail if you search for them.

Carl
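
The counting approach discussed in this thread (failed vpopmail logins per address within a time window, then an iptables block), as an added example that is not part of any poster's message and not fail2ban's own code. The function names, the default year and the sample lines are assumptions made for illustration; `maxretry` and `findtime` mirror the "10 failed logins in 1 day" threshold mentioned above.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the two vpopmail failure messages quoted in the ban e-mail. Anchored
# at end of line so text in the client-chosen user field is never read as the
# address. Accepting vchkpw suffixes other than "smtp" is an assumption.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vpopmail\[\d+\]: vchkpw-\w+: "
    r"(?:null password given|vpopmail user not found) \S*:(?P<ip>[\d.]+)$"
)

def parse_failure(line, year=2017):
    """Return (timestamp, ip) for a failed login, else None. Syslog has no year."""
    m = FAIL_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m["ip"]))
    except ValueError:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), ip

def find_offenders(lines, maxretry=10, findtime=timedelta(days=1)):
    """Map each IP to the time it reached maxretry failures within findtime."""
    recent, banned = defaultdict(deque), {}
    for ts, ip in filter(None, map(parse_failure, lines)):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

def ban_commands(banned):
    """iptables DROP rules for the offenders; addresses were validated on parse."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]

# Constructed sample in the maillog format above (documentation addresses).
SAMPLE = [
    "Dec 28 21:49:59 mail7 spamdyke[978]: DENIED_RELAYING origin_ip: 203.0.113.40",
    *(f"Dec 28 21:{50 + i}:24 mail7 vpopmail[{1200 + i}]: vchkpw-smtp: "
      f"null password given user{i}:203.0.113.40" for i in range(10)),
    "Dec 28 22:03:40 mail7 vpopmail[3002]: vchkpw-smtp: "
    "vpopmail user not found a:198.51.100.7@:203.0.113.41",
]
```

`find_offenders(SAMPLE)` flags only 203.0.113.40, and the last sample line is counted against 203.0.113.41 rather than the address embedded in its user field.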

-----Original Message-----
From: A. Galatis [mailto:a...@unet.de] 
Sent: Friday, December 29, 2017 10:25 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: AW: [qmailtoaster] connection issues again.

Hi Tony,

I have a script counting authentication errors from IP addresses.
If an address appears more than my threshold, it is blocked via iptables.
The log where I count is the usual maillog.

Andreas

-----Original Message-----
From: jin&hitman&Barracuda [mailto:jinhit...@gmail.com] 
Sent: Friday, December 29, 2017 15:59
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] connection issues again.

Hi Remo
Are you using some kind of autonomous app/script to block them? If so, what kind 
of app/script are you using to drop them?

On 29 Dec 2017 5:19 p.m., "Remo Mattei" <r...@mattei.org> wrote:


        Yes, I created some rules based on connection time, like 30 sec, 5 min, 30 min, etc. Dropped them.
        
        On 29 Dec 2017, at 06:07, Solo <s...@privat.dk> wrote:
        
        Hi Tony.
        
        Yes, I see a lot - in my logs I think it's those spammers that try to
        connect to your server using a lot of different names and end up getting
        refused by vpopmail - see my logwatch file below (all IP addresses match
        log entries in maillog and vpopmail)
        
        --------------------- vpopmail Begin ------------------------
        
        
        No Such User Found:
           4f3c5634.2010906@ - 1 Time(s)
           abc@ - 1 Time(s)
           ada@ - 1 Time(s)
           agenda@ - 1 Time(s)
           am@ - 1 Time(s)
           benson@ - 1 Time(s)
           biblioteca@ - 1 Time(s)
           caja@ - 1 Time(s)
           careers@ - 1 Time(s)
        
        and so on
        
        they time out usually.
        
        Others! Correct me if I'm wrong...
        
        Regards,
        Finn Von B
        
        > On 29-12-2017 at 14:40, Tony White wrote:
        > Hi folks,
        >   Is anyone else seeing a single IP connecting hundreds even thousands
        > of times but never sending any mail? I end up blocking these using iptables
        > but I do not understand why it is happening.
        >
        > TIA
        >
        > Example
        > 2017-12-30 00:31:31.653614500 tcpserver: status: 2/100
        > 2017-12-30 00:31:31.653753500 tcpserver: pid 31242 from 114.229.162.93
        > 2017-12-30 00:31:31.653820500 tcpserver: ok 31242
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62277
        > 2017-12-30 00:31:32.581728500 tcpserver: end 31242 status 0
        > 2017-12-30 00:31:32.581729500 tcpserver: status: 1/100
        > 2017-12-30 00:31:32.872455500 tcpserver: status: 2/100
        > 2017-12-30 00:31:32.872564500 tcpserver: pid 31246 from 114.229.162.93
        > 2017-12-30 00:31:32.872611500 tcpserver: ok 31246
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62369
        > 2017-12-30 00:31:33.862860500 tcpserver: end 31246 status 0
        > 2017-12-30 00:31:33.862861500 tcpserver: status: 1/100
        > 2017-12-30 00:31:34.375021500 tcpserver: status: 2/100
        > 2017-12-30 00:31:34.375022500 tcpserver: pid 31248 from 114.229.162.93
        > 2017-12-30 00:31:34.375056500 tcpserver: ok 31248
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62461
        > 2017-12-30 00:31:35.326643500 tcpserver: end 31248 status 0
        > 2017-12-30 00:31:35.326645500 tcpserver: status: 1/100
        > 2017-12-30 00:31:35.717309500 tcpserver: status: 2/100
        > 2017-12-30 00:31:35.717443500 tcpserver: pid 31252 from 114.229.162.93
        > 2017-12-30 00:31:35.717508500 tcpserver: ok 31252
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62563
        > 2017-12-30 00:31:36.657366500 tcpserver: end 31252 status 0
        > 2017-12-30 00:31:36.657368500 tcpserver: status: 1/100
        > 2017-12-30 00:31:37.007733500 tcpserver: status: 2/100
        > 2017-12-30 00:31:37.007904500 tcpserver: pid 31254 from 114.229.162.93
        > 2017-12-30 00:31:37.007983500 tcpserver: ok 31254
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62637
        > 2017-12-30 00:31:37.914884500 tcpserver: end 31254 status 0
        > 2017-12-30 00:31:37.914885500 tcpserver: status: 1/100
        > 2017-12-30 00:31:38.215151500 tcpserver: status: 2/100
        > 2017-12-30 00:31:38.215252500 tcpserver: pid 31259 from 114.229.162.93
        > 2017-12-30 00:31:38.215296500 tcpserver: ok 31259
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62738
        > 2017-12-30 00:31:39.110484500 tcpserver: end 31259 status 0
        > 2017-12-30 00:31:39.110485500 tcpserver: status: 1/100
        > 2017-12-30 00:31:39.433288500 tcpserver: status: 2/100
        > 2017-12-30 00:31:39.433302500 tcpserver: pid 31261 from 114.229.162.93
        > 2017-12-30 00:31:39.433357500 tcpserver: ok 31261
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62831
        > 2017-12-30 00:31:40.316270500 tcpserver: end 31261 status 0
        > 2017-12-30 00:31:40.316271500 tcpserver: status: 1/100
        > 2017-12-30 00:31:40.615598500 tcpserver: status: 2/100
        > 2017-12-30 00:31:40.615698500 tcpserver: pid 31271 from 114.229.162.93
        > 2017-12-30 00:31:40.615766500 tcpserver: ok 31271
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62924
        > 2017-12-30 00:31:41.496972500 tcpserver: end 31271 status 0
        > 2017-12-30 00:31:41.496973500 tcpserver: status: 1/100
        > 2017-12-30 00:31:41.873223500 tcpserver: status: 2/100
        > 2017-12-30 00:31:41.873326500 tcpserver: pid 31273 from 114.229.162.93
        > 2017-12-30 00:31:41.873371500 tcpserver: ok 31273
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63007
        > 2017-12-30 00:31:42.828193500 tcpserver: end 31273 status 0
        > 2017-12-30 00:31:42.828194500 tcpserver: status: 1/100
        > 2017-12-30 00:31:43.135644500 tcpserver: status: 2/100
        > 2017-12-30 00:31:43.135749500 tcpserver: pid 31277 from 114.229.162.93
        > 2017-12-30 00:31:43.135794500 tcpserver: ok 31277
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63093
        > 2017-12-30 00:31:44.067442500 tcpserver: end 31277 status 0
        > 2017-12-30 00:31:44.067443500 tcpserver: status: 1/100
        > 2017-12-30 00:31:44.362100500 tcpserver: status: 2/100
        > 2017-12-30 00:31:44.362188500 tcpserver: pid 31282 from 114.229.162.93
        > 2017-12-30 00:31:44.362231500 tcpserver: ok 31282
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63184
        > 2017-12-30 00:31:45.274625500 tcpserver: end 31282 status 0
        > 2017-12-30 00:31:45.274626500 tcpserver: status: 1/100
        > 2017-12-30 00:31:45.574491500 tcpserver: status: 2/100
        > 2017-12-30 00:31:45.574579500 tcpserver: pid 31293 from 114.229.162.93
        > 2017-12-30 00:31:45.574625500 tcpserver: ok 31293
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63270
        > 2017-12-30 00:31:46.464235500 tcpserver: end 31293 status 0
        > 2017-12-30 00:31:46.464236500 tcpserver: status: 1/100
        > 2017-12-30 00:31:46.773361500 tcpserver: status: 2/100
        > 2017-12-30 00:31:46.773362500 tcpserver: pid 31298 from 114.229.162.93
        > 2017-12-30 00:31:46.773363500 tcpserver: ok 31298
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63351
        > 2017-12-30 00:31:47.659727500 tcpserver: end 31298 status 0
        > 2017-12-30 00:31:47.659728500 tcpserver: status: 1/100
        > 2017-12-30 00:31:47.940773500 tcpserver: status: 2/100
        > 2017-12-30 00:31:47.940879500 tcpserver: pid 31300 from 114.229.162.93
        > 2017-12-30 00:31:47.940920500 tcpserver: ok 31300
        > indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63439
        >
        >
        >
        
        ---------------------------------------------------------------------
        To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
<mailto:qmailtoaster-list-unsubscr...@qmailtoaster.com> 
        For additional commands, e-mail: 
qmailtoaster-list-h...@qmailtoaster.com 
<mailto:qmailtoaster-list-h...@qmailtoaster.com> 
        
        
        