I don't know if anyone uses csf firewall. It has many options to prevent such issues.
--
Best Regards
Muhammad Tahnan Al Anas

On Sat, Apr 18, 2020 at 9:12 PM Eric Broch <ebr...@whitehorsetc.com> wrote:

> It looks like a connect and disconnect. If there was authentication you'd
> see it. I don't think you have anything to worry about here. I'm not saying
> there's not some jerk out there messing with your smtps...just saying it
> may be harmless. That said, do you have a good firewall in place that
> prevents DOS attacks? I use Sonicwall myself but you can do the same thing
> as others have shown with iptables.
>
> Does anyone know how to do the same with the stock firewalld on COS7/8?
>
> On 4/17/2020 11:49 PM, David Bray wrote:
>
> sure - thanks for replying, this comes in waves taking the server to its
> maximum at times
>
> as far as I can see the only logs are these:
>
> ==> /var/log/qmail/smtps/current <==
> 2020-04-18 05:04:48.450871500 tcpserver: status: 6/60
> 2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30
> 2020-04-18 05:04:48.480787500 tcpserver: ok 13339
> dev.brayworth.com:172.105.181.18:465
> :141.98.80.30::25638
> 2020-04-18 05:04:52.797644500 tcpserver: status: 7/60
> 2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30
> 2020-04-18 05:04:52.830768500 tcpserver: ok 13340
> dev.brayworth.com:172.105.181.18:465
> :141.98.80.30::14862
> 2020-04-18 05:04:57.248902500 tcpserver: status: 8/60
> 2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30
> 2020-04-18 05:04:57.304006500 tcpserver: ok 13342
> dev.brayworth.com:172.105.181.18:465
> :141.98.80.30::9646
> 2020-04-18 05:05:01.854790500 tcpserver: status: 9/60
> 2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30
> 2020-04-18 05:05:01.902266500 tcpserver: ok 13345
> dev.brayworth.com:172.105.181.18:465
> :141.98.80.30::54058
> 2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256
> 2020-04-18 05:05:09.729713500 tcpserver: status: 8/60
> 2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256
> 2020-04-18 05:06:05.965716500 tcpserver: status: 7/60
> 2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256
> 2020-04-18 05:06:06.141273500 tcpserver: status: 6/60
>
> David Bray
> 0418 745334
> 2 ∞ & <
>
>
> On Sat, 18 Apr 2020 at 15:41, Eric Broch <ebr...@whitehorsetc.com> wrote:
>
>> Can you send the log of one of the "bad" connections?
>>
>> On 4/17/2020 10:59 PM, David Bray wrote:
>>
>> I can see I'm getting hammered on my smtps port
>>
>> How can I mitigate this?
>>
>> I can see the IPs in /var/log/qmail/smtps/current
>>
>> *but where do I actually see that the smtp auth actually fails?*
>>
>> or do I need to increase the logging somewhere?
>>
>> if I tail -f /var/log/dovecot.log
>>
>> I can see the imap and pop failures
>>
>> thanks in advance
>>
>> David Bray
>> 0418 745334
>> 2 ∞ & <
>>
>>
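
Added example, not part of the thread or of any poster's code: a small parser for the tcpserver "pid ... from" and "end ..." lines quoted above that reports, per source IP, total connections, peak connects per time window and peak simultaneous connections, so the noisy addresses can be handed to whichever firewall is in use. The function names, the 60-second window and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lines from the log excerpt posted in the thread ("ok" and most "status:" lines omitted).
SAMPLE_LOG = """\
2020-04-18 05:04:48.450871500 tcpserver: status: 6/60
2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30
2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30
2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30
2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30
2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256
2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256
2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256
"""

# Timestamp is cut to microseconds because strptime's %f accepts at most 6 digits.
LINE = re.compile(r"^(\S+ \d\d:\d\d:\d\d\.\d{6})\d* tcpserver: (?:pid (\d+) from (\S+)|end (\d+) status \d+)")

def analyze(log_text, window_s=60):
    """Return {ip: {"total", "peak_rate", "peak_open"}} from tcpserver pid/end lines."""
    owner = {}                     # pid -> ip for connections still open
    open_now = defaultdict(int)    # ip -> connections currently open
    recent = defaultdict(deque)    # ip -> connect times inside the window
    stats = defaultdict(lambda: {"total": 0, "peak_rate": 0, "peak_open": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # "status:" and "ok" lines carry nothing we need
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        if m.group(2):             # "pid N from IP": a new connection
            ip = m.group(3)
            owner[m.group(2)] = ip
            open_now[ip] += 1
            recent[ip].append(ts)
            while ts - recent[ip][0] > timedelta(seconds=window_s):
                recent[ip].popleft()
            s = stats[ip]
            s["total"] += 1
            s["peak_rate"] = max(s["peak_rate"], len(recent[ip]))
            s["peak_open"] = max(s["peak_open"], open_now[ip])
        else:                      # "end N status S": connection closed
            ip = owner.pop(m.group(4), None)  # pid may predate the excerpt (13338 here)
            if ip:
                open_now[ip] -= 1
    return dict(stats)

def offenders(stats, max_rate=3):
    """IPs whose connects per window exceeded max_rate (threshold is an assumption)."""
    return sorted(ip for ip, s in stats.items() if s["peak_rate"] > max_rate)
```

On the excerpt, `offenders(analyze(SAMPLE_LOG))` returns the single address that opened four connections in under 15 seconds.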