Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Remo Mattei
Use mod_security for httpd super used for years now. On 29 Dec 2017, at 11:48, Remo Mattei wrote: Iptables Here are my rules /etc/firewalld/direct.xml -p tcp --dport 25 -m state --state NEW -m recent --set -p tcp --dport 25 -m state --state NEW -m

RE: [qmailtoaster] Fail2ban for Squirrelmail.

2017-12-29 Thread Dan McAllister - QMT DNS Admin
My understanding of SquirrelMail is old (limited) because so many of my users prefer the RoundCube (I offer both)... You get 1 if you go to mail.domain and the other if you go to webmail.domain In any case, I will have to look but I thought SM didn't write system logs when users failed on

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Remo Mattei
Iptables Here are my rules /etc/firewalld/direct.xml -p tcp --dport 25 -m state --state NEW -m recent --set -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset -p tcp --dport 25 -m state --state NEW -m recent --update

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Eric Broch
Hi Peter, I have the stock fail2ban configuration set up for qmailtoaster and have never changed it. I just know that it is POSSIBLE with fail2ban to do DOS attack configuration. For http this is one . One

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Peter Peltonen
Never worked with fail2ban before. Care to share your config for qmailtoaster? On Fri, Dec 29, 2017 at 8:56 PM, Eric Broch wrote: > Hi Tony, > > I see this more than I'd like. Sometimes I hear my server cranking away > and upon investigation one day (tail -f

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Eric Broch
Hi Tony, I see this more than I'd like. Sometimes I hear my server cranking away and upon investigation one day (tail -f /var/log/qmail/smtp/current) found connects and immediate disconnects being perpetrated from the same IP address scrolling across the terminal for as long as I cared to watch,

[qmailtoaster] Fail2ban for Squirrelmail.

2017-12-29 Thread CarlC Internet Services Service Desk
Dan, I have it working showing the IP address: In /etc/fail2ban/jail.conf: # squirrelmail [squirrelmail-iptables] enabled = true filter = squirrelmail action = iptables[name=SquirrelMail, port=http, protocol=tcp] sendmail-squirrelmail[name=SquirrelMail,dest=ab...@carlc.com,

RE: [qmailtoaster] connection issues again.

2017-12-29 Thread Dan McAllister - QMT DNS Admin
Indeed: my systems use fail2ban on both smtp-auth and imap-auth (which is how both squirrelmail and roundcube authenticate) -- the only issue is that you have to whitelist/exclude from the test the SquirrelMail server itself (127.0.0.1 usually). I am not aware of (and would love to get info

RE: [qmailtoaster] connection issues again.

2017-12-29 Thread CarlC Internet Services Service Desk
Would FAIL2BAN be an ideal setup here? I use it to control the attacks [example: more than 10 failed logins in 1 day, you're banned for "X" hours]. Fail2ban also works with SquirrelMail, Roundcube, etc... I have it set up on SMTP, SMTPS, SUBMISSION, POP3s and IMAPs. You can also use FAIL2BAN

AW: [qmailtoaster] connection issues again.

2017-12-29 Thread A. Galatis
Hi Tony, I have a script counting authentication errors from IP addresses. If an address appears more than my threshold it is blocked via iptables. The log where I count is the usual maillog. Andreas -Original Message- From: jin [mailto:jinhit...@gmail.com] Sent: Friday,

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread jin
Hi Remo, are you using some kind of autonomous app/script to block them? If so, what kind of app/script are you using to drop them? On 29 Dec 2017 5:19 p.m., "Remo Mattei" wrote: > Yes I created some rules based on connection time like 30 sec 5 min 30 min > etc. Dropped them. > >

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Remo Mattei
Yes I created some rules based on connection time like 30 sec 5 min 30 min etc. Dropped them. On 29 Dec 2017, at 06:07, Solo wrote: Hi Tony. Yes I see a lot - in my logs I think it's those spammers that try to connect to your server using a lot of

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Solo
Hi Tony. Yes I see a lot - in my logs I think it's those spammers that try to connect to your server using a lot of different names and end up getting refused by vpopmail - see my logwatch file below (all IP addresses match log entries in maillog and vpopmail) - vpopmail

[qmailtoaster] connection issues again.

2017-12-29 Thread Tony White
Hi folks,   Is anyone else seeing a single ip connecting hundreds even thousands of times but never sending any mail? I end up blocking these using iptables but I do not understand why it is happening. TIA Example 2017-12-30 00:31:31.653614500 tcpserver: status: 2/100 2017-12-30