I stopped iptables and moved to pfSense for my front-end firewall. Way more 
options and easier to deal with. 

> On 18 Apr 2020, at 08:11, Eric Broch <ebr...@whitehorsetc.com> 
> wrote:
> 
> 
> It looks like a connect and disconnect. If there was authentication you'd see 
> it. I don't think you have anything to worry about here. I'm not saying 
> there's not some jerk out there messing with your smtps...just saying it may 
> be harmless. That said, do you have a good firewall in place that prevents 
> DOS attacks? I use SonicWall myself but you can do the same thing as others 
> have shown with iptables.
> 
> Does anyone know how to do the same with the stock firewalld on COS7/8?
> 
> On 4/17/2020 11:49 PM, David Bray wrote:
>> sure - thanks for replying, this comes in waves taking the server to its 
>> maximum at times
>> 
>> as far as I can see, the only logs are these:
>> 
>> ==> /var/log/qmail/smtps/current <==
>> 2020-04-18 05:04:48.450871500 tcpserver: status: 6/60
>> 2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30
>> 2020-04-18 05:04:48.480787500 tcpserver: ok 13339 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::25638
>> 2020-04-18 05:04:52.797644500 tcpserver: status: 7/60
>> 2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30
>> 2020-04-18 05:04:52.830768500 tcpserver: ok 13340 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::14862
>> 2020-04-18 05:04:57.248902500 tcpserver: status: 8/60
>> 2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30
>> 2020-04-18 05:04:57.304006500 tcpserver: ok 13342 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::9646
>> 2020-04-18 05:05:01.854790500 tcpserver: status: 9/60
>> 2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30
>> 2020-04-18 05:05:01.902266500 tcpserver: ok 13345 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::54058
>> 2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256
>> 2020-04-18 05:05:09.729713500 tcpserver: status: 8/60
>> 2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256
>> 2020-04-18 05:06:05.965716500 tcpserver: status: 7/60
>> 2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256
>> 2020-04-18 05:06:06.141273500 tcpserver: status: 6/60
>> 
>> David Bray
>> 0418 745334
>> 2 ∞ & <
>> 
>> 
>> On Sat, 18 Apr 2020 at 15:41, Eric Broch <ebr...@whitehorsetc.com> wrote:
>>> Can you send the log of one of the "bad" connections?
>>> 
>>> On 4/17/2020 10:59 PM, David Bray wrote:
>>> 
>>>> I can see I'm getting hammered on my smtps port
>>>> 
>>>> How can I mitigate this?
>>>> 
>>>> I can see the IPs in /var/log/qmail/smtps/current
>>>> 
>>>> but where do I actually see that the smtp auth actually fails?
>>>> 
>>>> or do I need to increase the logging somewhere?
>>>> 
>>>> if I tail -f /var/log/dovecot.log
>>>> 
>>>> I can see the imap and pop failures
>>>> 
>>>> thanks in advance
>>>> 
>>>> David Bray
>>>> 0418 745334
>>>> 2 ∞ & <
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
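
As an added example (not part of the thread and not qmailtoaster code): a small Python parser for the tcpserver lines quoted above that counts connections per source IP and the peak number inside a sliding window, the figure a firewall rate limit would be tuned against. The 60-second window, the thresholds, the function names and the 192.0.2.10 client are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lines from the /var/log/qmail/smtps/current excerpt quoted in the thread
# (wrapped "ok" line joined), plus one constructed quiet client, 192.0.2.10.
SAMPLE_LOG = """\
2020-04-18 05:04:48.450871500 tcpserver: status: 6/60
2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30
2020-04-18 05:04:48.480787500 tcpserver: ok 13339 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::25638
2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30
2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30
2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30
2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256
2020-04-18 05:05:30.000000000 tcpserver: pid 13350 from 192.0.2.10
2020-04-18 05:05:31.000000000 tcpserver: end 13350 status 0
2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256
2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256
"""

LINE = re.compile(r"^(\S+ \d\d:\d\d:\d\d)\.\d+ tcpserver: (pid|end) (\d+)(?: from (\S+))?")

def summarize(log_text, window=timedelta(seconds=60)):
    """Per source IP: connections seen, peak connections in any `window`, sessions closed."""
    open_pids, recent = {}, defaultdict(deque)
    stats = defaultdict(lambda: {"connections": 0, "peak": 0, "closed": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "status:" and "ok" lines carry nothing needed here
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        kind, pid, ip = m.group(2), m.group(3), m.group(4)
        if kind == "pid" and ip:
            open_pids[pid] = ip
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()  # drop connections older than the window
            stats[ip]["connections"] += 1
            stats[ip]["peak"] = max(stats[ip]["peak"], len(q))
        elif kind == "end" and pid in open_pids:
            stats[open_pids.pop(pid)]["closed"] += 1
        # an "end" whose "pid ... from" line predates the excerpt (13338) is skipped
    return dict(stats)

def offenders(stats, max_per_window):
    """IPs whose peak connection count in one window exceeds the allowed number."""
    return sorted(ip for ip, s in stats.items() if s["peak"] > max_per_window)
```
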