If the problem is arising during the TLS negotiation, then there will
never be an SMTP session started and therefore there will never be an
attempt to even submit a password.
I do not think that a TLS negotiation problem will show up in any
mail-related log file. I've yet to find it in any log file.
-Andy
On 4/22/2020 5:17 PM, David Bray wrote:
no - but vchkpw, also spamdyke does
so this is blocking people that are providing bad passwords etc ...
but agree, still trying to work out who is doing something other than this
David Bray
0418 745334
2 ∞ & <
On Thu, 23 Apr 2020 at 11:15, Remo Mattei <r...@mattei.org> wrote:
qmail does not log to maillog.
Remo
Sent from iPad
On 22 Apr 2020, at 5:36 PM, David Bray <da...@brayworth.com.au> wrote:
I agree, have them in place already, they are winners
* I actually disagree slightly, if I'm not mistaken - it would be better to have those two entries combined; wouldn't fail2ban parse the maillog twice in his example?
I use:
failregex = vchkpw-smtps?: vpopmail user not found .*:<HOST>
            vchkpw-smtps?: password fail ([^)]*) [^@]*@[^:]*:<HOST>
            spamdyke.*?: DENIED_RDNS_RESOLVE .*origin_ip: <HOST> origin_rdns:.*$
But - I'm not getting log entries for these guys; maillog is all silent. I watch /var/log/qmail/smtps/current float up and down, CPU goes up and down, but /var/log/maillog is all silent.
David Bray
0418 745334
2 ∞ & <
On Thu, 23 Apr 2020 at 00:06, Jaime Lerner <jaimeler...@geekgoddess.com> wrote:
David,
You might try the suggestions here:
https://www.taverner-rich.com/mitigating-brute-force-attacks/
I put them in place on my server and it definitely helped.
Jaime
From: Eric Broch <ebr...@whitehorsetc.com>
Reply-To: <qmailtoaster-list@qmailtoaster.com>
Date: Wednesday, April 22, 2020 at 9:40 AM
To: <qmailtoaster-list@qmailtoaster.com>
Subject: Re: [qmailtoaster] SMTPS Port - Who is Failing ?
Hi David,
I think you're on to something with fail2ban (keying off maillog). I was monitoring my smtps port (watching the certificate and encryption scroll by) using /usr/bin/recordio and /var/log/maillog and found that the bad guys are trying to login. Here are some failures from maillog:
vchkpw-smtps: vpopmail user not found testforu...@whitehorsetc.com:92.118.38.83
vchkpw-smtps: password fail (pass: 'somepassword') someu...@whitehorsetc.com:185.50.149.2
Maybe a fail2ban rule?!
Eric
On 4/18/2020 4:12 AM, David Bray wrote:
Hi thanks - yes can block that IP
But it's not just one, and the solution is not fine enough
I want more of a fail2ban rule: bad user, bad pass, 3 strikes you're out
I need to know they are mucking round.
I tried sending myself through the port with a bad password - sure it blocks it, but there is no log of the event - it looks like a legit connection from an IP
On Sat, 18 Apr 2020 at 7:30 pm, Chris <boh...@gmail.com> wrote:
Here's a great article with instructions on how to implement an IP blacklist in iptables. Unless you've got a user in Panama, it looks like you'd want to block 141.98.80.30
https://linux-audit.com/blocking-ip-addresses-in-linux-with-iptables/
On Sat, Apr 18, 2020 at 5:49 PM David Bray <da...@brayworth.com.au> wrote:
sure - thanks for replying, this comes in waves, taking the server to its maximum at times
as far as I can see the only logs are this:
==> /var/log/qmail/smtps/current <==
2020-04-18 05:04:48.450871500 tcpserver: status: 6/60
2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30
2020-04-18 05:04:48.480787500 tcpserver: ok 13339 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::25638
2020-04-18 05:04:52.797644500 tcpserver: status: 7/60
2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30
2020-04-18 05:04:52.830768500 tcpserver: ok 13340 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::14862
2020-04-18 05:04:57.248902500 tcpserver: status: 8/60
2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30
2020-04-18 05:04:57.304006500 tcpserver: ok 13342 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::9646
2020-04-18 05:05:01.854790500 tcpserver: status: 9/60
2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30
2020-04-18 05:05:01.902266500 tcpserver: ok 13345 dev.brayworth.com:172.105.181.18:465 :141.98.80.30::54058
2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256
2020-04-18 05:05:09.729713500 tcpserver: status: 8/60
2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256
2020-04-18 05:06:05.965716500 tcpserver: status: 7/60
2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256
2020-04-18 05:06:06.141273500 tcpserver: status: 6/60
David Bray
0418 745334
2 ∞ & <
On Sat, 18 Apr 2020 at 15:41, Eric Broch <ebr...@whitehorsetc.com> wrote:
Can you send the log of one of the "bad" connections?
On 4/17/2020 10:59 PM, David Bray wrote:
I can see I'm getting hammered on my smtps port
How can I mitigate this?
I can see the IPs in /var/log/qmail/smtps/current
*but where do I actually see that the smtp auth actually fails ?*
or do I need to increase the logging somewhere ?
if I tail -f /var/log/dovecot.log
I can see the imap and pop failures
thanks in advance
David Bray
0418 745334
2 ∞ & <
--
# David
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
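Added example, not code from the thread, from qmailtoaster or from fail2ban itself: a small Python model of what the fail2ban filter and jail discussed above would do with a maillog. It takes the three failregex lines David posted verbatim, replacing fail2ban's `<HOST>` token with a simplified named group (fail2ban's real expansion also handles IPv6 and IPv4-mapped forms), and applies the "3 strikes" rule David asked for as a sliding window with the same `maxretry`/`findtime` semantics fail2ban's jail options use. The log excerpt is constructed for the example, with addresses from the RFC 5737 documentation ranges; the vchkpw and spamdyke message formats follow the samples Eric pasted. As Andy notes, a connection that fails during TLS negotiation never reaches vchkpw, so it produces none of these lines and this filter cannot see it; only attempts that got as far as SMTP AUTH are counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a named group capturing the client address.
# Simplified stand-in for that expansion (assumption: IPv4 or hostname only).
HOST = r"(?P<host>[\w\-.]*\w)"

# The three failregex lines from the thread, verbatim apart from <HOST>.
FAILREGEX = [
    r"vchkpw-smtps?: vpopmail user not found .*:<HOST>",
    r"vchkpw-smtps?: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    r"spamdyke.*?: DENIED_RDNS_RESOLVE .*origin_ip: <HOST> origin_rdns:.*$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Traditional syslog timestamp prefix of a maillog line ("Apr 22 09:31:02 ").
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def match_failure(line):
    """Return (host, timestamp, regex_index) for a line matching one of the
    failregex patterns, or None for lines that are not auth failures.
    The timestamp is None when the line has no syslog prefix (e.g. the bare
    message text pasted into the thread)."""
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            ts = SYSLOG_TS.match(line)
            # syslog carries no year; strptime fills in 1900, which is fine for deltas
            when = datetime.strptime(ts.group("ts"), "%b %d %H:%M:%S") if ts else None
            return m.group("host"), when, idx
    return None


def find_bans(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Sliding-window counter modelled on fail2ban's maxretry/findtime options:
    a host is banned once maxretry failures fall within findtime of each other.
    Returns {host: timestamp of the failure that triggered the ban}."""
    recent = defaultdict(deque)   # host -> timestamps of its recent failures
    banned = {}
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        host, when, _ = hit
        if when is None or host in banned:
            continue
        window = recent[host]
        window.append(when)
        # Age out failures older than findtime relative to this one.
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = when
    return banned


# Constructed maillog excerpt for the example (not from the thread).
SAMPLE_MAILLOG = """\
Apr 22 09:31:02 mail vpopmail[4411]: vchkpw-smtps: password fail (pass: 'summer2020') alice@example.com:203.0.113.10
Apr 22 09:31:09 mail vpopmail[4413]: vchkpw-smtps: password fail (pass: 'Password1') alice@example.com:203.0.113.10
Apr 22 09:31:40 mail vpopmail[4418]: vchkpw-smtps: vpopmail user not found testforuser@example.com:198.51.100.7
Apr 22 09:32:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20
Apr 22 09:32:15 mail vpopmail[4420]: vchkpw-smtps: password fail (pass: 'letmein') bob@example.com:203.0.113.10
Apr 22 09:40:00 mail spamdyke[4501]: DENIED_RDNS_RESOLVE from: x@spam.test to: bob@example.com origin_ip: 192.0.2.55 origin_rdns: (unknown) reason: rdns
Apr 22 09:55:03 mail vpopmail[4532]: vchkpw-smtps: vpopmail user not found testforuser@example.com:198.51.100.7
Apr 22 09:56:00 mail vpopmail[4540]: vchkpw-smtp: password fail (pass: 'hunter2') carol@example.com:203.0.113.10
"""

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_MAILLOG.splitlines()).items():
        print(f"ban {host} (third failure at {when:%b %d %H:%M:%S})")
```

Run as-is it bans only 203.0.113.10: its three password failures land within 75 seconds, while 198.51.100.7's two "user not found" lines are 23 minutes apart and so never accumulate inside the 10-minute window, and the single spamdyke denial from 192.0.2.55 is one strike. Against a real maillog the equivalent check is `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/<your-filter>.conf`, which reports how many lines each failregex matched and which hosts it extracted, before the jail is enabled.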