I stopped iptables and moved to pfsense for my front end firewall. Way more options and easier to deal with.
> Il giorno 18 apr 2020, alle ore 08:11, Eric Broch <[email protected]> > ha scritto: > > > It looks like a connect and disconnect. If there was authentication you'd see > it. I don't think you have anything to worry about here. I'm not saying > there's not some jerk out there messing with your smtps...just saying it may > be harmless. That said, do you have a good firewall in place that prevents > DOS attacks. I use Sonicwall myself but you can do the same thing as others > have shown with iptables. > > Does anyone know how to do the same with the stock firewalld on COS7/8? > > On 4/17/2020 11:49 PM, David Bray wrote: >> sure - thanks for replying, this comes in waves taking the server to it's >> maximum at times >> >> as far as I can see this only logs are this: >> >> ==> /var/log/qmail/smtps/current <== >> 2020-04-18 05:04:48.450871500 tcpserver: status: 6/60 >> 2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30 >> 2020-04-18 05:04:48.480787500 tcpserver: ok 13339 >> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::25638 >> 2020-04-18 05:04:52.797644500 tcpserver: status: 7/60 >> 2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30 >> 2020-04-18 05:04:52.830768500 tcpserver: ok 13340 >> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::14862 >> 2020-04-18 05:04:57.248902500 tcpserver: status: 8/60 >> 2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30 >> 2020-04-18 05:04:57.304006500 tcpserver: ok 13342 >> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::9646 >> 2020-04-18 05:05:01.854790500 tcpserver: status: 9/60 >> 2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30 >> 2020-04-18 05:05:01.902266500 tcpserver: ok 13345 >> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::54058 >> 2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256 >> 2020-04-18 05:05:09.729713500 tcpserver: status: 8/60 >> 2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256 >> 2020-04-18 05:06:05.965716500 tcpserver: status: 7/60 >> 2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256 >> 2020-04-18 05:06:06.141273500 tcpserver: status: 6/60 >> >> David Bray >> 0418 745334 >> 2 ∞ & < >> >> >> On Sat, 18 Apr 2020 at 15:41, Eric Broch <[email protected]> wrote: >>> Can you send the log of one of the "bad" connections? >>> >>> On 4/17/2020 10:59 PM, David Bray wrote: >>> >>>> I can see I'm getting hammered on my smtps port >>>> >>>> How can I mitigate this? >>>> >>>> I can see the IP's in /var/log/qmail/smtps/current >>>> >>>> but where do I actually see that the smtp auth actually fails ? >>>> >>>> or do I need to increase the logging somewhere ? >>>> >>>> if I tail -f /var/log/dovecot.log >>>> >>>> I can see the imap and pop failures >>>> >>>> thanks in advance >>>> >>>> David Bray >>>> 0418 745334 >>>> 2 ∞ & <
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
