Hi Peter,

I have the stock fail2ban configuration set up for qmailtoaster and have never changed it. I just know that it is POSSIBLE with fail2ban to do DOS attack configuration. For http this is one <https://www.garron.me/en/go2linux/fail2ban-protect-web-server-http-dos-attack.html>. One must come up with a REGEX expression for the SMTP log in qmail, but I haven't done it, maybe someone on the list has???


Here is a link <https://javapipe.com/ddos/blog/iptables-ddos-protection/> that shows CentOS7 DDOS attack prevention in the kernel settings and farther down in the page IPTABLES DDOS rules.

Eric


On 12/29/2017 11:58 AM, Peter Peltonen wrote:
Never worked with fail2ban before. Care to share your config for qmailtoaster?

On Fri, Dec 29, 2017 at 8:56 PM, Eric Broch <ebr...@whitehorsetc.com> wrote:
Hi Tony,

I see this more than I'd like. Sometimes I hear my server cranking away
and upon investigation one day (tail -f /var/log/qmail/smtp/current)
found connects and immediate disconnects being perpetrated from the same
IP address scrolling across the terminal for as long as I cared to
watch, 45 minutes or so, and then continued to hear my server cranking
away until I left the room. I've tried banning them in my external
firewall but I think the better approach is to use either IP tables or
fail2ban DOS. I don't want to wait for authentication (the stock
fail2ban setup for qmailtoaster) before dropping the IP but want anyone
who connects even without trying to authenticate to be banned after so
many attempts within a certain time frame. Fail2ban and IP Tables have
these options.

Eric



On 12/29/2017 6:40 AM, Tony White wrote:
Hi folks,
   Is anyone else seeing a single ip connecting hundreds even thousands
of times but never sending any mail? I end up blocking these using
iptables
but I do not understand why it is happening.

TIA

Example
2017-12-30 00:31:31.653614500 tcpserver: status: 2/100
2017-12-30 00:31:31.653753500 tcpserver: pid 31242 from 114.229.162.93
2017-12-30 00:31:31.653820500 tcpserver: ok 31242
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62277
2017-12-30 00:31:32.581728500 tcpserver: end 31242 status 0
2017-12-30 00:31:32.581729500 tcpserver: status: 1/100
2017-12-30 00:31:32.872455500 tcpserver: status: 2/100
2017-12-30 00:31:32.872564500 tcpserver: pid 31246 from 114.229.162.93
2017-12-30 00:31:32.872611500 tcpserver: ok 31246
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62369
2017-12-30 00:31:33.862860500 tcpserver: end 31246 status 0
2017-12-30 00:31:33.862861500 tcpserver: status: 1/100
2017-12-30 00:31:34.375021500 tcpserver: status: 2/100
2017-12-30 00:31:34.375022500 tcpserver: pid 31248 from 114.229.162.93
2017-12-30 00:31:34.375056500 tcpserver: ok 31248
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62461
2017-12-30 00:31:35.326643500 tcpserver: end 31248 status 0
2017-12-30 00:31:35.326645500 tcpserver: status: 1/100
2017-12-30 00:31:35.717309500 tcpserver: status: 2/100
2017-12-30 00:31:35.717443500 tcpserver: pid 31252 from 114.229.162.93
2017-12-30 00:31:35.717508500 tcpserver: ok 31252
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62563
2017-12-30 00:31:36.657366500 tcpserver: end 31252 status 0
2017-12-30 00:31:36.657368500 tcpserver: status: 1/100
2017-12-30 00:31:37.007733500 tcpserver: status: 2/100
2017-12-30 00:31:37.007904500 tcpserver: pid 31254 from 114.229.162.93
2017-12-30 00:31:37.007983500 tcpserver: ok 31254
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62637
2017-12-30 00:31:37.914884500 tcpserver: end 31254 status 0
2017-12-30 00:31:37.914885500 tcpserver: status: 1/100
2017-12-30 00:31:38.215151500 tcpserver: status: 2/100
2017-12-30 00:31:38.215252500 tcpserver: pid 31259 from 114.229.162.93
2017-12-30 00:31:38.215296500 tcpserver: ok 31259
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62738
2017-12-30 00:31:39.110484500 tcpserver: end 31259 status 0
2017-12-30 00:31:39.110485500 tcpserver: status: 1/100
2017-12-30 00:31:39.433288500 tcpserver: status: 2/100
2017-12-30 00:31:39.433302500 tcpserver: pid 31261 from 114.229.162.93
2017-12-30 00:31:39.433357500 tcpserver: ok 31261
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62831
2017-12-30 00:31:40.316270500 tcpserver: end 31261 status 0
2017-12-30 00:31:40.316271500 tcpserver: status: 1/100
2017-12-30 00:31:40.615598500 tcpserver: status: 2/100
2017-12-30 00:31:40.615698500 tcpserver: pid 31271 from 114.229.162.93
2017-12-30 00:31:40.615766500 tcpserver: ok 31271
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62924
2017-12-30 00:31:41.496972500 tcpserver: end 31271 status 0
2017-12-30 00:31:41.496973500 tcpserver: status: 1/100
2017-12-30 00:31:41.873223500 tcpserver: status: 2/100
2017-12-30 00:31:41.873326500 tcpserver: pid 31273 from 114.229.162.93
2017-12-30 00:31:41.873371500 tcpserver: ok 31273
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63007
2017-12-30 00:31:42.828193500 tcpserver: end 31273 status 0
2017-12-30 00:31:42.828194500 tcpserver: status: 1/100
2017-12-30 00:31:43.135644500 tcpserver: status: 2/100
2017-12-30 00:31:43.135749500 tcpserver: pid 31277 from 114.229.162.93
2017-12-30 00:31:43.135794500 tcpserver: ok 31277
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63093
2017-12-30 00:31:44.067442500 tcpserver: end 31277 status 0
2017-12-30 00:31:44.067443500 tcpserver: status: 1/100
2017-12-30 00:31:44.362100500 tcpserver: status: 2/100
2017-12-30 00:31:44.362188500 tcpserver: pid 31282 from 114.229.162.93
2017-12-30 00:31:44.362231500 tcpserver: ok 31282
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63184
2017-12-30 00:31:45.274625500 tcpserver: end 31282 status 0
2017-12-30 00:31:45.274626500 tcpserver: status: 1/100
2017-12-30 00:31:45.574491500 tcpserver: status: 2/100
2017-12-30 00:31:45.574579500 tcpserver: pid 31293 from 114.229.162.93
2017-12-30 00:31:45.574625500 tcpserver: ok 31293
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63270
2017-12-30 00:31:46.464235500 tcpserver: end 31293 status 0
2017-12-30 00:31:46.464236500 tcpserver: status: 1/100
2017-12-30 00:31:46.773361500 tcpserver: status: 2/100
2017-12-30 00:31:46.773362500 tcpserver: pid 31298 from 114.229.162.93
2017-12-30 00:31:46.773363500 tcpserver: ok 31298
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63351
2017-12-30 00:31:47.659727500 tcpserver: end 31298 status 0
2017-12-30 00:31:47.659728500 tcpserver: status: 1/100
2017-12-30 00:31:47.940773500 tcpserver: status: 2/100
2017-12-30 00:31:47.940879500 tcpserver: pid 31300 from 114.229.162.93
2017-12-30 00:31:47.940920500 tcpserver: ok 31300
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63439



--
Eric Broch
White Horse Technical Consulting (WHTC)
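
The check Eric describes (flag any address that connects too often within a time frame, without waiting for an authentication failure) comes down to matching tcpserver's `pid ... from <ip>` line and counting connections per address. The following is an added example, not part of the original thread and not a fail2ban filter: the function names, thresholds and addresses are assumptions, the sample log lines are constructed, and the timestamp pattern assumes the human-readable form shown in Tony's excerpt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per accepted connection, in the format shown in the thread:
#   2017-12-30 00:31:31.653753500 tcpserver: pid 31242 from 114.229.162.93
CONNECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"tcpserver: pid \d+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def find_flooders(lines, maxretry=5, findtime=60):
    """Map each IP that opens >= maxretry connections within findtime
    seconds to the time it crossed the threshold (hypothetical helper)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> connect times still inside the window
    flagged = {}
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue  # status/ok/end lines do not start a new connection
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop connects older than the window
            q.popleft()
        if len(q) >= maxretry:
            flagged.setdefault(m["ip"], ts)
    return flagged

def sample_log():
    """Constructed sample: documentation addresses, not real traffic."""
    lines = []
    for i in range(6):  # six connect/disconnect cycles, one per second
        t, pid = f"2017-12-30 00:31:{31 + i:02d}", 4000 + i
        lines += [
            f"{t}.100000500 tcpserver: status: 2/100",
            f"{t}.200000500 tcpserver: pid {pid} from 203.0.113.7",
            f"{t}.300000500 tcpserver: ok {pid} mx.example.net:192.0.2.10:25 :203.0.113.7::{62000 + i}",
            f"{t}.900000500 tcpserver: end {pid} status 0",
        ]
    # An ordinary client: two connections ten minutes apart.
    lines += ["2017-12-30 00:40:00.000000500 tcpserver: pid 4100 from 198.51.100.20",
              "2017-12-30 00:50:00.000000500 tcpserver: pid 4101 from 198.51.100.20"]
    return lines

if __name__ == "__main__":
    for ip, when in find_flooders(sample_log()).items():
        print(f"{ip} reached the threshold at {when}")
```

The `maxretry` and `findtime` parameters are named after the fail2ban jail options with the same meaning, so thresholds can be tried against a saved log before committing them to a jail.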



---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
