It looks like a connect and disconnect. If there was authentication you'd see it. I don't think you have anything to worry about here. I'm not saying there's not some jerk out there messing with your smtps...just saying it may be harmless. That said, do you have a good firewall in place that prevents DOS attacks? I use Sonicwall myself but you can do the same thing as others have shown with iptables.

Does anyone know how to do the same with the stock firewalld on COS7/8?

On 4/17/2020 11:49 PM, David Bray wrote:
sure - thanks for replying, this comes in waves taking the server to its maximum at times

as far as I can see the only logs are these:

==> /var/log/qmail/smtps/current <==
2020-04-18 05:04:48.450871500 tcpserver: status: 6/60
2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30
2020-04-18 05:04:48.480787500 tcpserver: ok 13339 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::25638
2020-04-18 05:04:52.797644500 tcpserver: status: 7/60
2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30
2020-04-18 05:04:52.830768500 tcpserver: ok 13340 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::14862
2020-04-18 05:04:57.248902500 tcpserver: status: 8/60
2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30
2020-04-18 05:04:57.304006500 tcpserver: ok 13342 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::9646
2020-04-18 05:05:01.854790500 tcpserver: status: 9/60
2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30
2020-04-18 05:05:01.902266500 tcpserver: ok 13345 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::54058
2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256
2020-04-18 05:05:09.729713500 tcpserver: status: 8/60
2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256
2020-04-18 05:06:05.965716500 tcpserver: status: 7/60
2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256
2020-04-18 05:06:06.141273500 tcpserver: status: 6/60

David Bray
0418 745334
2 ∞ & <


On Sat, 18 Apr 2020 at 15:41, Eric Broch <ebr...@whitehorsetc.com> wrote:

    Can you send the log of one of the "bad" connections?

    On 4/17/2020 10:59 PM, David Bray wrote:

    I can see I'm getting hammered on my smtps port

    How can I mitigate this?

    I can see the IPs in /var/log/qmail/smtps/current

    *but where do I actually see that the smtp auth actually fails?*

    or do I need to increase the logging somewhere?

    if I tail -f /var/log/dovecot.log

    I can see the imap and pop failures

    thanks in advance

    David Bray
    0418 745334
    2 ∞ & <
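
One way to turn the tcpserver lines quoted in this thread into a per-source picture (connection bursts and how long each slot is held) before deciding what to block or rate-limit. This is an added example, not code from any participant in the thread; the function names, the 3-connections-per-60-seconds threshold and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the tcpserver log format quoted in the thread (documentation IPs).
SAMPLE = """\
2020-04-18 05:04:48.480785500 tcpserver: pid 101 from 192.0.2.10
2020-04-18 05:04:52.830767500 tcpserver: pid 102 from 192.0.2.10
2020-04-18 05:04:57.304003500 tcpserver: pid 103 from 192.0.2.10
2020-04-18 05:05:01.902265500 tcpserver: pid 104 from 192.0.2.10
2020-04-18 05:05:03.000000500 tcpserver: pid 105 from 198.51.100.7
2020-04-18 05:05:09.729711500 tcpserver: end 101 status 256
2020-04-18 05:09:30.000000500 tcpserver: pid 106 from 198.51.100.7
"""

LINE = re.compile(r"^(\S+ \S+) tcpserver: (pid|end) (\d+)(?: from (\S+))?")

def parse(lines):
    """Yield (timestamp, event, pid, ip) for pid/end lines; skip the rest."""
    for line in lines:
        m = LINE.match(line)
        if m:
            # Log stamps carry nanoseconds; strptime's %f accepts 6 digits.
            ts = datetime.strptime(m.group(1)[:26], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), int(m.group(3)), m.group(4)

def noisy_sources(lines, max_conns=3, window=timedelta(seconds=60)):
    """Return {ip: peak connections within any `window`} above max_conns."""
    recent = defaultdict(list)   # ip -> connect times still inside the window
    peak = defaultdict(int)
    for ts, event, _pid, ip in parse(lines):
        if event != "pid":
            continue
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        peak[ip] = max(peak[ip], len(recent[ip]))
    return {ip: n for ip, n in peak.items() if n > max_conns}

def session_lengths(lines):
    """Return {pid: seconds between its 'pid' and 'end' lines}."""
    started, lengths = {}, {}
    for ts, event, pid, _ip in parse(lines):
        if event == "pid":
            started[pid] = ts
        elif pid in started:
            lengths[pid] = (ts - started.pop(pid)).total_seconds()
    return lengths

if __name__ == "__main__":
    print(noisy_sources(SAMPLE.splitlines()), session_lengths(SAMPLE.splitlines()))
```

To run it against the live log, pass the lines of /var/log/qmail/smtps/current instead of SAMPLE; long session lengths from one source point to slots being held open rather than to failed logins.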
