On Thu, 20 Oct 2016 17:13:26 -0400
"Bill Cole" wrote:
> On 20 Oct 2016, at 16:39, Keith Williams wrote:
>
> > No wait... What?
> >
> > This is no attack. Attack is when you try to break or enforce..
> > This is a probe, and from the probe we can
Yes, I did not advertise AUTH on my port 25 smtpd either. When I telnet to my mail
server, it produces something like:
telnet 108.61.110.110 25
Trying 108.61.110.110...
Connected to example.com.
Escape character is '^]'.
220 example ESMTP Postfix
ehlo
501 Syntax: EHLO hostname
ehlo mail
On 18 Oct 2016, at 21:00, vod vos wrote:
So, how to block this kind of IPs?
Does fail2ban work?
Yes, but as Sebastian said, it is possible for fail2ban to block
innocent users, particularly those SSL errors, which essentially amount
to connections that were never fully initiated. That's
No wait... What?
This is no attack. Attack is when you try to break or enforce.. This is
a probe, and from the probe we can deduce from the reported disconnect
that 1. helo was tried, 2. no auth was attempted and 3. quit was used.
So a test for helo and quit? and no auth.
Someone is testing
On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
Looks rather like a scanning attack (finding vulnerabilities). I think
they are trying to do an SSL type of attack like HEARTBLEED but your
server isn't vulnerable.
Looks also like they are sending HTTP requests (encapsulated in
SSL/TLS) to a
On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
It's clear from the log, the attacker isn't even attempting to
authenticate (0 attempts). The attacker probably hasn't even
realized he is connecting to a mail server.
No. There's a jumble there, but at least one is a lame "attack" of a
No, fail2ban would also block legitimate users where the user may have a flaky
connection and make one or more connections without authenticating.
The SSL attempts for http could be blocked with fail2ban.
The other SSL attempts, attempting to negotiate an old version, may block
legitimate users
So, how to block this kind of IPs?
Does fail2ban work?
On Tuesday, 18 October 2016 17:45:01 -0700, Sebastian Nielsen
sebast...@sebbe.eu wrote:
Looks rather like a scanning attack (finding vulnerabilities). I think they are
trying to do an SSL type of attack like HEARTBLEED but your server isn't
vulnerable.
Looks also like they are sending HTTP requests (encapsulated in SSL/TLS) to a
mail server, which seems to be an extremely stupid bot
routines:ssl3_get_client_hello:wrong version number
Oct 19 08:05:02 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=208.100.26.231, lip=108.61.110.110, TLS handshaking: SSL_accept() failed: Unknown error, session=xgCIjyw/XMvQZBrn
Is my server mail account being attacked?
And how to ban
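The caveat Bill Cole and Sebastian raise about fail2ban (a filter that fires on every "Disconnected (no auth attempts ...)" line bans clients that never tried to authenticate, the TLS handshake failures above included) can be made concrete. The Python below is an added example written for this page, not code from the thread, from Dovecot or from fail2ban. It embeds the log line quoted in the original post plus three lines constructed here with documentation-range addresses (192.0.2.10, 198.51.100.7, 203.0.113.9), and compares what a narrow filter keyed on Dovecot's "auth failed, N attempts" reason selects against what an over-broad "any disconnect" filter would catch. The ban threshold of 3 summed failed attempts is an assumption, not a setting from the thread.

```python
import re
from collections import Counter

# Constructed sample log. The first line is the one quoted in the original post
# (with user=<> as Dovecot writes it); the other three are made up for this example.
SAMPLE_LOG = """\
Oct 19 08:05:02 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=208.100.26.231, lip=108.61.110.110, TLS handshaking: SSL_accept() failed: Unknown error, session=xgCIjyw/XMvQZBrn
Oct 19 08:06:10 mail dovecot: imap-login: Disconnected (no auth attempts in 12 secs): user=<>, rip=192.0.2.10, lip=108.61.110.110, TLS, session=constructed01
Oct 19 08:07:44 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=108.61.110.110, TLS, session=constructed02
Oct 19 08:08:01 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.9, lip=108.61.110.110, TLS handshaking: SSL_accept() failed: error:SSL routines:ssl3_get_client_hello:wrong version number, session=constructed03
"""

# Dovecot login-process disconnect line: "<service>-login: Disconnected (<reason>): <fields>"
LINE_RE = re.compile(
    r"dovecot: (?P<service>\w+)-login: Disconnected \((?P<reason>[^)]*)\): (?P<rest>.*)$"
)
RIP_RE = re.compile(r"\brip=(?P<rip>[0-9A-Fa-f.:]+)")
ATTEMPTS_RE = re.compile(r"(?P<n>\d+) attempts?\b")


def parse_disconnect(line):
    """Parse one Dovecot *-login 'Disconnected' line into a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    reason, rest = m.group("reason"), m.group("rest")
    rip = RIP_RE.search(rest)
    attempts = ATTEMPTS_RE.search(reason)  # "no auth attempts" carries no number -> 0
    return {
        "service": m.group("service"),
        "rip": rip.group("rip") if rip else None,
        "auth_failed": reason.startswith("auth failed"),
        "attempts": int(attempts.group("n")) if attempts else 0,
        "tls_handshake_failed": "TLS handshaking:" in rest,
    }


def classify(rec):
    """Bucket a parsed record the way a careful fail2ban filter should."""
    if rec["auth_failed"]:
        return "auth-failure"           # real password guesses: ban after a threshold
    if rec["tls_handshake_failed"]:
        return "tls-handshake-failure"  # scanner or broken client; never authenticated
    return "no-auth-disconnect"         # connected and left; flaky client or probe


def ban_candidates(log_text, max_failures=3):
    """IPs whose summed 'auth failed' attempts reach max_failures (assumed threshold)."""
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_disconnect(line)
        if rec and rec["rip"] and classify(rec) == "auth-failure":
            failures[rec["rip"]] += rec["attempts"]
    return sorted(ip for ip, n in failures.items() if n >= max_failures)


def naive_candidates(log_text):
    """What an over-broad filter matching every 'Disconnected (' line would ban."""
    ips = set()
    for line in log_text.splitlines():
        rec = parse_disconnect(line)
        if rec and rec["rip"]:
            ips.add(rec["rip"])
    return sorted(ips)


def collateral(log_text, max_failures=3):
    """IPs the naive filter bans although they never failed authentication."""
    keep = set(ban_candidates(log_text, max_failures))
    return [ip for ip in naive_candidates(log_text) if ip not in keep]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_disconnect(line)
        print(f"{rec['rip']:>16}  {classify(rec)}")
    print("narrow filter bans:", ban_candidates(SAMPLE_LOG))
    print("over-broad filter also bans:", collateral(SAMPLE_LOG))
```

Running it shows the narrow filter selecting only 198.51.100.7 (three failed PLAIN logins), while the "any disconnect" filter would additionally ban 208.100.26.231 and 203.0.113.9 (handshake failures, the probe traffic from the original post) and 192.0.2.10 (a client that connected over TLS and left without authenticating, exactly the flaky-user case Sebastian describes). Keying the filter on the "auth failed" reason is what keeps those three out of the jail.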