Re: Is my server mail account being attacted?

2016-11-19 Thread li...@lazygranch.com
On Thu, 20 Oct 2016 17:13:26 -0400 "Bill Cole" wrote:
> On 20 Oct 2016, at 16:39, Keith Williams wrote:
>
> > No wait... What?
> >
> > This is no attack. Attack is when you try to break or enforce..
> > This is a probe, and from the probe we can

Re: Is my server mail account being attacted?

2016-10-21 Thread vod vos
Yes, I did not advertise AUTH in my port 25 smtpd either. When I telnet to my mail server, it produces output like:
telnet 108.61.110.110 25
Trying 108.61.110.110...
Connected to example.com.
Escape character is '^]'.
220 example ESMTP Postfix
ehlo
501 Syntax: EHLO hostname
ehlo mail

Re: Is my server mail account being attacted?

2016-10-20 Thread Bill Cole
On 20 Oct 2016, at 16:39, Keith Williams wrote:
> No wait... What? This is no attack. Attack is when you try to break or enforce.. This is a probe, and from the probe we can deduce from the reported disconnect that 1. helo was tried, 2. no auth was attempted and 3. quit was used. So a test

Re: Is my server mail account being attacted?

2016-10-20 Thread Bill Cole
On 18 Oct 2016, at 21:00, vod vos wrote:
> So, how to block this kind of ips? Does fail2ban work?
Yes, but as Sebastian said, it is possible for fail2ban to block innocent users, particularly those SSL errors, which essentially amount to connections that were never fully initiated. That's

Re: Is my server mail account being attacted?

2016-10-20 Thread Keith Williams
No wait... What? This is no attack. Attack is when you try to break or enforce.. This is a probe, and from the probe we can deduce from the reported disconnect that 1. helo was tried, 2. no auth was attempted and 3. quit was used. So a test for helo and quit? and no auth. Someone is testing

Re: Is my server mail account being attacted?

2016-10-20 Thread Bill Cole
On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
> Looks rather like a scanning attack (finding vulnerabilities). I think they are trying to do an SSL type of attack like HEARTBLEED but your server isn't vulnerable. Looks also like they are sending HTTP requests (encapsulated in SSL/TLS) to a

Re: Is my server mail account being attacted?

2016-10-20 Thread Bill Cole
On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
> It's clear from the log, the attacker isn't even attempting to authenticate (0 attempts). The attacker has probably not even realized he is connecting to a mail server.
No. There's a jumble there, but at least one is a lame "attack" of a

Re: Is my server mail account being attacted?

2016-10-18 Thread Sebastian Nielsen
No, fail2ban would also block legitimate users where the user may have a flaky connection and be doing one or more connections and not authenticating. The SSL attempts for http could be blocked with fail2ban. The other SSL attempts, attempting to negotiate an old version, may block legitimate users

Re: Is my server mail account being attacted?

2016-10-18 Thread vod vos
So, how to block this kind of ips? Does fail2ban work?
On Tuesday, 18 October 2016 17:45:01 -0700 Sebastian Nielsen sebast...@sebbe.eu wrote:
> Looks rather like a scanning attack (finding vulnerabilities). I think they are trying to do an SSL type of attack like HEARTBLEED but your

Re: Is my server mail account being attacted?

2016-10-18 Thread Sebastian Nielsen
Looks rather like a scanning attack (finding vulnerabilities). I think they are trying to do an SSL type of attack like HEARTBLEED but your server isn't vulnerable. Looks also like they are sending HTTP requests (encapsulated in SSL/TLS) to a mail server, which seems to be an extremely stupid bot

Is my server mail account being attacted?

2016-10-18 Thread vod vos
routines:ssl3_get_client_hello:wrong version number
Oct 19 08:05:02 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=, rip=208.100.26.231, lip=108.61.110.110, TLS handshaking: SSL_accept() failed: Unknown error, session=xgCIjyw/XMvQZBrn
Is my server mail account being attacked? And how to ban