Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Remo Mattei
Use mod_security for httpd super used for years now. 

On 29 Dec 2017, at 11:48, Remo Mattei wrote:

Iptables 

Here are my rules /etc/firewalld/direct.xml



-p tcp --dport 25 -m state --state NEW -m recent --set
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 7 -j REJECT --reject-with tcp-reset
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 200 --hitcount 15 -j REJECT --reject-with tcp-reset
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 2000 --hitcount 35 -j REJECT --reject-with tcp-reset
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 2 --hitcount 120 -j REJECT --reject-with tcp-reset




> On Dec 29, 2017, at 5:40 AM, Tony White  wrote:
> 
> Hi folks,
>  Is anyone else seeing a single ip connecting hundreds even thousands
> of times but never sending any mail? I end up blocking these using iptables
> but I do not understand why it is happening.
> 
> TIA
> 

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Remo Mattei
Iptables 

Here are my rules /etc/firewalld/direct.xml



-p tcp --dport 25 -m state --state NEW -m recent --set
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 7 -j REJECT --reject-with tcp-reset
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 200 --hitcount 15 -j REJECT --reject-with tcp-reset
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 2000 --hitcount 35 -j REJECT --reject-with tcp-reset
-p tcp --dport 25 -m state --state NEW -m recent --update --seconds 2 --hitcount 120 -j REJECT --reject-with tcp-reset




> On Dec 29, 2017, at 5:40 AM, Tony White  wrote:
> 
> Hi folks,
>   Is anyone else seeing a single ip connecting hundreds even thousands
> of times but never sending any mail? I end up blocking these using iptables
> but I do not understand why it is happening.
> 
> TIA
> 

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Eric Broch

Hi Peter,

I have the stock fail2ban configuration set up for qmailtoaster and have
never changed it. I just know that it is POSSIBLE with fail2ban to do
DOS attack configuration. For http this is one.
One must come up with a REGEX expression for the SMTP log in qmail, but
I haven't done it, maybe someone on the list has???


Here is a link that shows CentOS7 DDOS attack prevention in the kernel
settings and farther down in the page IPTABLES DDOS rules.


Eric


On 12/29/2017 11:58 AM, Peter Peltonen wrote:

Never worked with fail2ban before. Care to share your config for qmailtoaster?

On Fri, Dec 29, 2017 at 8:56 PM, Eric Broch  wrote:

Hi Tony,

I see this more than I'd like. Sometimes I hear my server cranking away
and upon investigation one day (tail -f /var/log/qmail/smtp/current)
found connects and immediate disconnects being perpetrated from the same
IP address scrolling across the terminal for as long as I cared to
watch, 45 minutes or so, and then continued to hear my server cranking
away until I left the room. I've tried banning them in my external
firewall but I think the better approach is to use either IP tables or
fail2ban DOS. I don't want to wait for authentication (the stock
fail2ban setup for qmailtoaster) before dropping the IP but want anyone
who connects even without trying to authenticate to be banned after so
many attempts within a certain time frame. Fail2ban and IP Tables have
these options.

Eric



On 12/29/2017 6:40 AM, Tony White wrote:

Hi folks,
   Is anyone else seeing a single ip connecting hundreds even thousands
of times but never sending any mail? I end up blocking these using
iptables
but I do not understand why it is happening.

TIA


Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Peter Peltonen
Never worked with fail2ban before. Care to share your config for qmailtoaster?

On Fri, Dec 29, 2017 at 8:56 PM, Eric Broch  wrote:
> Hi Tony,
>
> I see this more than I'd like. Sometimes I hear my server cranking away
> and upon investigation one day (tail -f /var/log/qmail/smtp/current)
> found connects and immediate disconnects being perpetrated from the same
> IP address scrolling across the terminal for as long as I cared to
> watch, 45 minutes or so, and then continued to hear my server cranking
> away until I left the room. I've tried banning them in my external
> firewall but I think the better approach is to use either IP tables or
> fail2ban DOS. I don't want to wait for authentication (the stock
> fail2ban setup for qmailtoaster) before dropping the IP but want anyone
> who connects even without trying to authenticate to be banned after so
> many attempts within a certain time frame. Fail2ban and IP Tables have
> these options.
>
> Eric
>
>
>
> On 12/29/2017 6:40 AM, Tony White wrote:
>>
>> Hi folks,
>>   Is anyone else seeing a single ip connecting hundreds even thousands
>> of times but never sending any mail? I end up blocking these using
>> iptables
>> but I do not understand why it is happening.
>>
>> TIA
>>

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Eric Broch

Hi Tony,

I see this more than I'd like. Sometimes I hear my server cranking away
and upon investigation one day (tail -f /var/log/qmail/smtp/current)
found connects and immediate disconnects being perpetrated from the same
IP address scrolling across the terminal for as long as I cared to
watch, 45 minutes or so, and then continued to hear my server cranking
away until I left the room. I've tried banning them in my external
firewall but I think the better approach is to use either IP tables or
fail2ban DOS. I don't want to wait for authentication (the stock
fail2ban setup for qmailtoaster) before dropping the IP but want anyone
who connects even without trying to authenticate to be banned after so
many attempts within a certain time frame. Fail2ban and IP Tables have
these options.

Eric


On 12/29/2017 6:40 AM, Tony White wrote:

Hi folks,
  Is anyone else seeing a single ip connecting hundreds even thousands
of times but never sending any mail? I end up blocking these using iptables
but I do not understand why it is happening.

TIA

Example
2017-12-30 00:31:31.653614500 tcpserver: status: 2/100
2017-12-30 00:31:31.653753500 tcpserver: pid 31242 from 114.229.162.93
2017-12-30 00:31:31.653820500 tcpserver: ok 31242 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62277

2017-12-30 00:31:32.581728500 tcpserver: end 31242 status 0
2017-12-30 00:31:32.581729500 tcpserver: status: 1/100
2017-12-30 00:31:32.872455500 tcpserver: status: 2/100
2017-12-30 00:31:32.872564500 tcpserver: pid 31246 from 114.229.162.93
2017-12-30 00:31:32.872611500 tcpserver: ok 31246 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62369

2017-12-30 00:31:33.862860500 tcpserver: end 31246 status 0
2017-12-30 00:31:33.862861500 tcpserver: status: 1/100
2017-12-30 00:31:34.375021500 tcpserver: status: 2/100
2017-12-30 00:31:34.375022500 tcpserver: pid 31248 from 114.229.162.93
2017-12-30 00:31:34.375056500 tcpserver: ok 31248 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62461

2017-12-30 00:31:35.326643500 tcpserver: end 31248 status 0
2017-12-30 00:31:35.326645500 tcpserver: status: 1/100
2017-12-30 00:31:35.717309500 tcpserver: status: 2/100
2017-12-30 00:31:35.717443500 tcpserver: pid 31252 from 114.229.162.93
2017-12-30 00:31:35.717508500 tcpserver: ok 31252 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62563

2017-12-30 00:31:36.657366500 tcpserver: end 31252 status 0
2017-12-30 00:31:36.657368500 tcpserver: status: 1/100
2017-12-30 00:31:37.007733500 tcpserver: status: 2/100
2017-12-30 00:31:37.007904500 tcpserver: pid 31254 from 114.229.162.93
2017-12-30 00:31:37.007983500 tcpserver: ok 31254 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62637

2017-12-30 00:31:37.914884500 tcpserver: end 31254 status 0
2017-12-30 00:31:37.914885500 tcpserver: status: 1/100
2017-12-30 00:31:38.215151500 tcpserver: status: 2/100
2017-12-30 00:31:38.215252500 tcpserver: pid 31259 from 114.229.162.93
2017-12-30 00:31:38.215296500 tcpserver: ok 31259 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62738

2017-12-30 00:31:39.110484500 tcpserver: end 31259 status 0
2017-12-30 00:31:39.110485500 tcpserver: status: 1/100
2017-12-30 00:31:39.433288500 tcpserver: status: 2/100
2017-12-30 00:31:39.433302500 tcpserver: pid 31261 from 114.229.162.93
2017-12-30 00:31:39.433357500 tcpserver: ok 31261 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62831

2017-12-30 00:31:40.316270500 tcpserver: end 31261 status 0
2017-12-30 00:31:40.316271500 tcpserver: status: 1/100
2017-12-30 00:31:40.615598500 tcpserver: status: 2/100
2017-12-30 00:31:40.615698500 tcpserver: pid 31271 from 114.229.162.93
2017-12-30 00:31:40.615766500 tcpserver: ok 31271 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62924

2017-12-30 00:31:41.496972500 tcpserver: end 31271 status 0
2017-12-30 00:31:41.496973500 tcpserver: status: 1/100
2017-12-30 00:31:41.873223500 tcpserver: status: 2/100
2017-12-30 00:31:41.873326500 tcpserver: pid 31273 from 114.229.162.93
2017-12-30 00:31:41.873371500 tcpserver: ok 31273 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63007

2017-12-30 00:31:42.828193500 tcpserver: end 31273 status 0
2017-12-30 00:31:42.828194500 tcpserver: status: 1/100
2017-12-30 00:31:43.135644500 tcpserver: status: 2/100
2017-12-30 00:31:43.135749500 tcpserver: pid 31277 from 114.229.162.93
2017-12-30 00:31:43.135794500 tcpserver: ok 31277 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63093

2017-12-30 00:31:44.067442500 tcpserver: end 31277 status 0
2017-12-30 00:31:44.067443500 tcpserver: status: 1/100
2017-12-30 00:31:44.362100500 tcpserver: status: 2/100
2017-12-30 00:31:44.362188500 tcpserver: pid 31282 from 114.229.162.93
2017-12-30 00:31:44.362231500 tcpserver: ok 31282 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63184

2017-12-30 00:31:45.274625500 tcpserver: end 31282 status 0
2017-12-30 00:31:45.274626500 tcpserver: status: 1/100
2017-12-30 
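
A way to check the connection-rate thresholds from the iptables rules in this thread against a tcpserver log before enforcing them, as an added example that is not from any poster here: it counts `pid ... from <ip>` lines per address and reports when the 30 s/4, 60 s/7 and 200 s/15 limits would first have matched. The sample log, host name and addresses are constructed, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# Constructed sample in the format of the tcpserver lines quoted in the thread.
# Host name and addresses are documentation placeholders (RFC 2606 / RFC 5737).
SAMPLE_LOG = """\
2017-12-30 00:31:31.653614500 tcpserver: status: 2/100
2017-12-30 00:31:31.653753500 tcpserver: pid 31242 from 203.0.113.7
2017-12-30 00:31:31.653820500 tcpserver: ok 31242 mail.example.net:192.0.2.10:25 :203.0.113.7::62277
2017-12-30 00:31:32.581728500 tcpserver: end 31242 status 0
2017-12-30 00:31:32.872564500 tcpserver: pid 31246 from 203.0.113.7
2017-12-30 00:31:34.375022500 tcpserver: pid 31248 from 203.0.113.7
2017-12-30 00:31:35.100000500 tcpserver: pid 31250 from 198.51.100.20
2017-12-30 00:31:35.717443500 tcpserver: pid 31252 from 203.0.113.7
2017-12-30 00:31:37.007904500 tcpserver: pid 31254 from 203.0.113.7
2017-12-30 00:31:38.215252500 tcpserver: pid 31259 from 203.0.113.7
2017-12-30 00:31:39.433302500 tcpserver: pid 31261 from 203.0.113.7
2017-12-30 00:40:00.000000500 tcpserver: pid 31300 from 198.51.100.20
2017-12-30 00:40:01.000000500 tcpserver: pid 31301 from 999.1.1.1
"""

# One connection event per accepted client: "tcpserver: pid <n> from <ip>".
CONNECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+)\s+"
    r"tcpserver: pid \d+ from (?P<ip>[0-9a-fA-F:.]+)\s*$"
)

# (seconds, hitcount) pairs from the thread's first three REJECT rules.
# The 35- and 120-hit rules are left out: xt_recent remembers 20 packets per
# address by default (module parameter ip_pkt_list_tot).
THRESHOLDS = [(30, 4), (60, 7), (200, 15)]


def parse_connects(lines):
    """Yield (epoch_seconds, ip, timestamp_text) for each connection line."""
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if m is None:
            continue  # status/ok/end lines are not new connections
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # malformed address: ignore rather than count it
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        epoch = when.replace(tzinfo=timezone.utc).timestamp()
        epoch += int(m.group("frac")) / 10 ** len(m.group("frac"))
        yield epoch, ip, m.group("ts")


def connection_counts(lines):
    """Total connections per source address."""
    return Counter(ip for _, ip, _ in parse_connects(lines))


def first_trips(lines, thresholds=THRESHOLDS):
    """Return {ip: {(seconds, hitcount): timestamp_text}} for the first
    connection at which each threshold would have matched.

    Assumes the log is in chronological order, as tcpserver writes it.
    """
    horizon = max(seconds for seconds, _ in thresholds)
    recent = defaultdict(deque)   # ip -> timestamps inside the longest window
    trips = defaultdict(dict)
    for epoch, ip, text in parse_connects(lines):
        seen = recent[ip]
        seen.append(epoch)        # like "-m recent --set": record every NEW
        while epoch - seen[0] > horizon:
            seen.popleft()
        for seconds, hitcount in thresholds:
            if (seconds, hitcount) in trips[ip]:
                continue          # only the first match is reported
            hits = sum(1 for t in seen if epoch - t <= seconds)
            if hits >= hitcount:
                trips[ip][(seconds, hitcount)] = text
    return {ip: hit for ip, hit in trips.items() if hit}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(dict(connection_counts(lines)))
    for ip, hit in first_trips(lines).items():
        for (seconds, hitcount), text in sorted(hit.items()):
            print(f"{ip}: {hitcount} connections within {seconds}s at {text}")
```

The same `pid <n> from <ip>` line is what a fail2ban failregex using `<HOST>` would have to match, with the jail's findtime and maxretry playing the role of --seconds and --hitcount.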

RE: [qmailtoaster] connection issues again.

2017-12-29 Thread Dan McAllister - QMT DNS Admin
Indeed: my systems use fail2ban on both smtp-auth and imap-auth (which is how 
both squirrelmail and roundcube authenticate) -- the only issue is that you 
have to whitelist/exclude from the test the SquirrelMail server itself 
(127.0.0.1 usually).

I am not aware of (and would love to get info on) detecting the SOURCE IP out 
of squirrelmail or roundcube so I can block the ORIGIN IP for systems attacking 
thru the webserver.

Thanks

Dan



-Original Message-
From: CarlC Internet Services Service Desk [mailto:ab...@carlc.com] 
Sent: Friday, December 29, 2017 10:57 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] connection issues again.

Would FAIL2BAN be an ideal setup here? I use it to control the attacks 
[example: more than 10 failed logins in 1 day, you're banned for "X" hours].

Fail2ban also works with the SquirrelMail, Roundcube, etc... I have it set up on 
SMTP, SMTPS, SUBMISSION, POP3s and IMAPs. You can also use FAIL2BAN for SSH and 
ftp. The part I like, you can have fail2ban send you an email that looks 
like this:

example

The IP 202.62.224.40 has just been banned by Fail2Ban after
10 attempts against pop3.


Lines containing IP:202.62.224.40 in /var/log/maillog

Dec 28 21:49:59 mail7 spamdyke[978]: DENIED_RELAYING from: x...@tea.com to: eax...@yahoo.com origin_ip: 202.62.224.40 origin_rdns: solar.ortel.net auth: (unknown) encryption: (none) reason: (empty)
Dec 28 21:50:24 mail7 vpopmail[1202]: vchkpw-smtp: null password given Newsletter:202.62.224.40
Dec 28 21:51:11 mail7 vpopmail[1263]: vchkpw-smtp: null password given Company:202.62.224.40
Dec 28 21:51:46 mail7 vpopmail[1324]: vchkpw-smtp: null password given root:202.62.224.40
Dec 28 21:52:58 mail7 vpopmail[1451]: vchkpw-smtp: null password given temp:202.62.224.40
Dec 28 21:53:18 mail7 vpopmail[1492]: vchkpw-smtp: null password given Test:202.62.224.40
Dec 28 21:54:22 mail7 vpopmail[1577]: vchkpw-smtp: null password given abuse:202.62.224.40
Dec 28 21:54:42 mail7 vpopmail[1598]: vchkpw-smtp: null password given MYSQL:202.62.224.40
Dec 28 21:55:16 mail7 vpopmail[1804]: vchkpw-smtp: null password given office:202.62.224.40
Dec 28 21:55:44 mail7 vpopmail[1844]: vchkpw-smtp: vpopmail user not found customer@:202.62.224.40
Dec 28 21:56:07 mail7 vpopmail[1870]: vchkpw-smtp: vpopmail user not found company@:202.62.224.40
Dec 28 21:56:50 mail7 vpopmail[1920]: vchkpw-smtp: vpopmail user not found testing@:202.62.224.40
Dec 28 21:57:19 mail7 vpopmail[1961]: vchkpw-smtp: vpopmail user not found temp@:202.62.224.40
Dec 28 21:57:39 mail7 vpopmail[1991]: vchkpw-smtp: vpopmail user not found test@:202.62.224.40
Dec 28 21:59:11 mail7 vpopmail[2288]: vchkpw-smtp: vpopmail user not found newsletter@:202.62.224.40
Dec 28 21:59:37 mail7 vpopmail[2473]: vchkpw-smtp: vpopmail user not found customer@:202.62.224.40
Dec 28 22:00:05 mail7 vpopmail[2826]: vchkpw-smtp: vpopmail user not found company@:202.62.224.40
Dec 28 22:00:49 mail7 vpopmail[2888]: vchkpw-smtp: vpopmail user not found testing@:202.62.224.40
Dec 28 22:01:05 mail7 vpopmail[2919]: vchkpw-smtp: vpopmail user not found postmaster@:202.62.224.40

end example

If needed, I can post a few fail2ban scripts but I'm pretty sure they are 
available on the web for qmail if you search for them.

Carl

-Original Message-
From: A. Galatis [mailto:a...@unet.de]
Sent: Friday, December 29, 2017 10:25 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: AW: [qmailtoaster] connection issues again.

Hi Tony,

I have a script counting authentication errors from IP addresses.
If an address appears more than my threshold it is blocked via iptables.
The log where I count is the usual maillog.

Andreas

-Original Message-
From: jin [mailto:jinhit...@gmail.com]
Sent: Friday, 29 December 2017 15:59
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] connection issues again.

Hi Remo
Are you using some kind of autonomous app/script to block them? If so, what kind 
of app/script are you using to drop them?

On 29 Dec 2017 5:19 p.m., "Remo Mattei" <r...@mattei.org> wrote:


Yes I created some rules based on connection time like 30 sec 5 min 30 
min etc. Dropped them.

On 29 Dec 2017, at 06:07, Solo <s...@privat.dk> wrote:

Hi Tony.

Yes I see a lot - in my logs I think it's those spammers that try to
connect to your server using a lot of different names and end up getting
refused by vpopmail - see my logwatch file below (all IP addresses match
log entries in maillog and vpopmail)

- vpopmail Begin 


No Such User Found:
   4f3c5634.2010906@ - 1 Time(s)
   abc@ - 1 Time(s)
   ada@ - 1 Time(s)
   agenda@ - 1 Time(s)
   am@ - 1 Time(

RE: [qmailtoaster] connection issues again.

2017-12-29 Thread CarlC Internet Services Service Desk
Would FAIL2BAN be an ideal setup here? I use it to control the attacks 
[example: more than 10 failed logins in 1 day, you're banned for "X" hours].

Fail2ban also works with the SquirrelMail, Roundcube, etc... I have it set up on 
SMTP, SMTPS, SUBMISSION, POP3s and IMAPs. You can also use FAIL2BAN for SSH and 
ftp. The part I like, you can have fail2ban send you an email that looks 
like this:

example

The IP 202.62.224.40 has just been banned by Fail2Ban after
10 attempts against pop3.


Lines containing IP:202.62.224.40 in /var/log/maillog

Dec 28 21:49:59 mail7 spamdyke[978]: DENIED_RELAYING from: x...@tea.com to: eax...@yahoo.com origin_ip: 202.62.224.40 origin_rdns: solar.ortel.net auth: (unknown) encryption: (none) reason: (empty)
Dec 28 21:50:24 mail7 vpopmail[1202]: vchkpw-smtp: null password given Newsletter:202.62.224.40
Dec 28 21:51:11 mail7 vpopmail[1263]: vchkpw-smtp: null password given Company:202.62.224.40
Dec 28 21:51:46 mail7 vpopmail[1324]: vchkpw-smtp: null password given root:202.62.224.40
Dec 28 21:52:58 mail7 vpopmail[1451]: vchkpw-smtp: null password given temp:202.62.224.40
Dec 28 21:53:18 mail7 vpopmail[1492]: vchkpw-smtp: null password given Test:202.62.224.40
Dec 28 21:54:22 mail7 vpopmail[1577]: vchkpw-smtp: null password given abuse:202.62.224.40
Dec 28 21:54:42 mail7 vpopmail[1598]: vchkpw-smtp: null password given MYSQL:202.62.224.40
Dec 28 21:55:16 mail7 vpopmail[1804]: vchkpw-smtp: null password given office:202.62.224.40
Dec 28 21:55:44 mail7 vpopmail[1844]: vchkpw-smtp: vpopmail user not found customer@:202.62.224.40
Dec 28 21:56:07 mail7 vpopmail[1870]: vchkpw-smtp: vpopmail user not found company@:202.62.224.40
Dec 28 21:56:50 mail7 vpopmail[1920]: vchkpw-smtp: vpopmail user not found testing@:202.62.224.40
Dec 28 21:57:19 mail7 vpopmail[1961]: vchkpw-smtp: vpopmail user not found temp@:202.62.224.40
Dec 28 21:57:39 mail7 vpopmail[1991]: vchkpw-smtp: vpopmail user not found test@:202.62.224.40
Dec 28 21:59:11 mail7 vpopmail[2288]: vchkpw-smtp: vpopmail user not found newsletter@:202.62.224.40
Dec 28 21:59:37 mail7 vpopmail[2473]: vchkpw-smtp: vpopmail user not found customer@:202.62.224.40
Dec 28 22:00:05 mail7 vpopmail[2826]: vchkpw-smtp: vpopmail user not found company@:202.62.224.40
Dec 28 22:00:49 mail7 vpopmail[2888]: vchkpw-smtp: vpopmail user not found testing@:202.62.224.40
Dec 28 22:01:05 mail7 vpopmail[2919]: vchkpw-smtp: vpopmail user not found postmaster@:202.62.224.40

end example

If needed, I can post a few fail2ban scripts but I'm pretty sure they are 
available on the web for qmail if you search for them.

Carl
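
The per-IP counting that fail2ban and the maillog script mentioned in this thread perform, written out as an added example (not code from any poster and not a fail2ban filter). Assumptions: the threshold of 10 failures in one day follows the example figures in the message above, the year is supplied by the caller because syslog timestamps omit it, all function names are hypothetical, and the sample lines are constructed with documentation IP ranges.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# The two failure messages that appear in the maillog excerpt; extend as needed.
# The user name is client-supplied, so the IP is taken from the END of the line.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"vpopmail\[\d+\]:\s+vchkpw-(?P<svc>[\w-]+):\s+"
    r"(?P<reason>null password given|vpopmail user not found)\s+"
    r"(?P<user>.*):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_failure(line, year=2017):
    """Return (timestamp, ip, service, user) for a vchkpw failure line, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))   # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    stamp = " ".join(m["ts"].split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, ip, m["svc"], m["user"]

def find_offenders(lines, max_retry=10, find_time_s=86400, year=2017):
    """Map each IP that reaches max_retry failures within find_time_s to the
    time of the failure that crossed the threshold."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        hit = parse_failure(line, year)
        if hit is None or hit[1] in banned:
            continue
        ts, ip = hit[0], hit[1]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > find_time_s:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            banned[ip] = ts
    return banned

def iptables_rules(banned, chain="INPUT"):
    # Rendered as text for review; nothing is executed here.
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(banned)]

# Constructed sample in the maillog format shown above (documentation IP ranges).
SAMPLE = [
    f"Dec 28 21:{50 + i}:10 mail7 vpopmail[{1200 + i}]: vchkpw-smtp: "
    f"vpopmail user not found test{i}@:203.0.113.7" for i in range(9)
] + [
    "Dec 28 21:59:30 mail7 vpopmail[1300]: vchkpw-smtp: null password given root:203.0.113.7",
    "Dec 28 22:01:00 mail7 vpopmail[1301]: vchkpw-smtp: null password given abuse:198.51.100.20",
    # User name crafted to look like "name:ip"; the real peer is still the last field.
    "Dec 28 22:02:00 mail7 vpopmail[1302]: vchkpw-smtp: vpopmail user not found x:192.0.2.1:198.51.100.20",
    "Dec 28 22:03:00 mail7 spamdyke[978]: DENIED_RELAYING from: a@example.com origin_ip: 198.51.100.20",
]

if __name__ == "__main__":
    for rule in iptables_rules(find_offenders(SAMPLE)):
        print(rule)
```

Whitelist your own relay and monitoring addresses before turning the rendered rules into real ones, since a misbehaving mail client behind a shared address will trip the same counter.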

-Original Message-
From: A. Galatis [mailto:a...@unet.de] 
Sent: Friday, December 29, 2017 10:25 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: AW: [qmailtoaster] connection issues again.

Hi Tony,

I have a script counting authentication errors from IP addresses.
If an address appears more than my threshold it is blocked via iptables.
The log where I count is the usual maillog.

Andreas

-Original Message-
From: jin [mailto:jinhit...@gmail.com] 
Sent: Friday, 29 December 2017 15:59
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] connection issues again.

Hi Remo
Are you using some kind of autonomous app/script to block them? If so, what kind 
of app/script are you using to drop them?

On 29 Dec 2017 5:19 p.m., "Remo Mattei" <r...@mattei.org> wrote:


Yes I created some rules based on connection time like 30 sec 5 min 30 
min etc. Dropped them.

On 29 Dec 2017, at 06:07, Solo <s...@privat.dk> wrote:

Hi Tony.

Yes I see a lot - in my logs I think it's those spammers that try to
connect to your server using a lot of different names and end up getting
refused by vpopmail - see my logwatch file below (all ip addresses match
log entries in maillog and vpopmail)

- vpopmail Begin 


No Such User Found:
   4f3c5634.2010906@ - 1 Time(s)
   abc@ - 1 Time(s)
   ada@ - 1 Time(s)
   agenda@ - 1 Time(s)
   am@ - 1 Time(s)
   benson@ - 1 Time(s)
   biblioteca@ - 1 Time(s)
   caja@ - 1 Time(s)
   careers@ - 1 Time(s)

and so on

they time out usually.

Others!  correct if I'm wrong...

Regards,
Finn Von B

> On 29-12-2017 at 14:40, Tony White wrote:
> Hi folks,
>   Is anyone else seeing a single ip connecting hundreds even thousands
> of times but never sending any mail? I end up blocking these using iptables
> but I do not understand why it is happening.
>
> TIA
>
> Example
 

AW: [qmailtoaster] connection issues again.

2017-12-29 Thread A. Galatis
Hi Tony,

I have a script counting authentication errors from IP addresses.
If an address appears more than my threshold it is blocked via iptables.
The log where I count is the usual maillog.

Andreas

-Original Message-
From: jin [mailto:jinhit...@gmail.com] 
Sent: Friday, 29 December 2017 15:59
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] connection issues again.

Hi Remo
Are you using some kind of autonomous app/script to block them? If so, what kind 
of app/script are you using to drop them?

On 29 Dec 2017 5:19 p.m., "Remo Mattei" <r...@mattei.org> wrote:


Yes I created some rules based on connection time like 30 sec 5 min 30 
min etc. Dropped them.

On 29 Dec 2017, at 06:07, Solo <s...@privat.dk> wrote:

Hi Tony.

Yes I see a lot - in my logs I think it's those spammers that try to
connect to your server using a lot of different names and end up getting
refused by vpopmail - see my logwatch file below (all ip addresses match
log entries in maillog and vpopmail)

- vpopmail Begin 


No Such User Found:
   4f3c5634.2010906@ - 1 Time(s)
   abc@ - 1 Time(s)
   ada@ - 1 Time(s)
   agenda@ - 1 Time(s)
   am@ - 1 Time(s)
   benson@ - 1 Time(s)
   biblioteca@ - 1 Time(s)
   caja@ - 1 Time(s)
   careers@ - 1 Time(s)

and so on

they time out usually.

Others!  correct if I'm wrong...

Regards,
Finn Von B

> On 29-12-2017 at 14:40, Tony White wrote:
> Hi folks,
>   Is anyone else seeing a single ip connecting hundreds even thousands
> of times but never sending any mail? I end up blocking these using iptables
> but I do not understand why it is happening.
>
> TIA
>
> Example
 

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread jin
Hi Remo
Are you using some kind of autonomous app/script to block them? If so, what
kind of app/script are you using to drop them?

On 29 Dec 2017 5:19 p.m., "Remo Mattei"  wrote:

> Yes I created some rules based on connection time like 30 sec 5 min 30 min
> etc. Dropped them.
>
> On 29 Dec 2017, at 06:07, Solo  wrote:
>
> Hi Tony.
>
> Yes I see a lot - in my logs I think it's those spammers that try to
> connect to your server using a lot of different names and end up getting
> refused by vpopmail - see my logwatch file below (all ip addresses match
> log entries in maillog and vpopmail)
>
> - vpopmail Begin 
>
>
> No Such User Found:
>    4f3c5634.2010906@ - 1 Time(s)
>    abc@ - 1 Time(s)
>    ada@ - 1 Time(s)
>    agenda@ - 1 Time(s)
>    am@ - 1 Time(s)
>    benson@ - 1 Time(s)
>    biblioteca@ - 1 Time(s)
>    caja@ - 1 Time(s)
>    careers@ - 1 Time(s)
>
> and so on
>
> they time out usually.
>
> Others!  correct if I'm wrong...
>
> Regards,
> Finn Von B
>
> > On 29-12-2017 at 14:40, Tony White wrote:
> > Hi folks,
> >   Is anyone else seeing a single ip connecting hundreds even thousands
> > of times but never sending any mail? I end up blocking these using iptables
> > but I do not understand why it is happening.
> >
> > TIA
> >
> > Example

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Remo Mattei
Yes I created some rules based on connection time like 30 sec 5 min 30 min etc. 
Dropped them. 

On 29 Dec 2017, at 06:07, Solo  wrote:

Hi Tony.

Yes I see a lot - in my logs I think it's those spammers that try to
connect to your server using a lot of different names and end up getting
refused by vpopmail - see my logwatch file below (all ip addresses match
log entries in maillog and vpopmail)

- vpopmail Begin 


No Such User Found:
   4f3c5634.2010906@ - 1 Time(s)
   abc@ - 1 Time(s)
   ada@ - 1 Time(s)
   agenda@ - 1 Time(s)
   am@ - 1 Time(s)
   benson@ - 1 Time(s)
   biblioteca@ - 1 Time(s)
   caja@ - 1 Time(s)
   careers@ - 1 Time(s)

and so on

they time out usually.

Others!  correct if I'm wrong...

Regards,
Finn Von B

> On 29-12-2017 at 14:40, Tony White wrote:
> Hi folks,
>   Is anyone else seeing a single ip connecting hundreds even thousands
> of times but never sending any mail? I end up blocking these using iptables
> but I do not understand why it is happening.
> 
> TIA
> 
> Example

Re: [qmailtoaster] connection issues again.

2017-12-29 Thread Solo
Hi Tony.

Yes I see a lot - in my logs I think it's those spammers that try to
connect to your server using a lot of different names and end up getting
refused by vpopmail - see my logwatch file below (all ip addresses match
log entries in maillog and vpopmail)

- vpopmail Begin 


 No Such User Found:
4f3c5634.2010906@ - 1 Time(s)
abc@ - 1 Time(s)
ada@ - 1 Time(s)
agenda@ - 1 Time(s)
am@ - 1 Time(s)
benson@ - 1 Time(s)
biblioteca@ - 1 Time(s)
caja@ - 1 Time(s)
careers@ - 1 Time(s)

and so on

they time out usually.

Others!  correct if I'm wrong...

Regards,
Finn Von B

On 29-12-2017 at 14:40, Tony White wrote:
> Hi folks,
>   Is anyone else seeing a single ip connecting hundreds even thousands
> of times but never sending any mail? I end up blocking these using iptables
> but I do not understand why it is happening.
> 
> TIA
> 
> Example

[qmailtoaster] connection issues again.

2017-12-29 Thread Tony White

Hi folks,
  Is anyone else seeing a single ip connecting hundreds even thousands
of times but never sending any mail? I end up blocking these using iptables
but I do not understand why it is happening.

TIA

Example
2017-12-30 00:31:31.653614500 tcpserver: status: 2/100
2017-12-30 00:31:31.653753500 tcpserver: pid 31242 from 114.229.162.93
2017-12-30 00:31:31.653820500 tcpserver: ok 31242 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62277
2017-12-30 00:31:32.581728500 tcpserver: end 31242 status 0
2017-12-30 00:31:32.581729500 tcpserver: status: 1/100
2017-12-30 00:31:32.872455500 tcpserver: status: 2/100
2017-12-30 00:31:32.872564500 tcpserver: pid 31246 from 114.229.162.93
2017-12-30 00:31:32.872611500 tcpserver: ok 31246 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62369
2017-12-30 00:31:33.862860500 tcpserver: end 31246 status 0
2017-12-30 00:31:33.862861500 tcpserver: status: 1/100
2017-12-30 00:31:34.375021500 tcpserver: status: 2/100
2017-12-30 00:31:34.375022500 tcpserver: pid 31248 from 114.229.162.93
2017-12-30 00:31:34.375056500 tcpserver: ok 31248 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62461
2017-12-30 00:31:35.326643500 tcpserver: end 31248 status 0
2017-12-30 00:31:35.326645500 tcpserver: status: 1/100
2017-12-30 00:31:35.717309500 tcpserver: status: 2/100
2017-12-30 00:31:35.717443500 tcpserver: pid 31252 from 114.229.162.93
2017-12-30 00:31:35.717508500 tcpserver: ok 31252 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62563
2017-12-30 00:31:36.657366500 tcpserver: end 31252 status 0
2017-12-30 00:31:36.657368500 tcpserver: status: 1/100
2017-12-30 00:31:37.007733500 tcpserver: status: 2/100
2017-12-30 00:31:37.007904500 tcpserver: pid 31254 from 114.229.162.93
2017-12-30 00:31:37.007983500 tcpserver: ok 31254 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62637
2017-12-30 00:31:37.914884500 tcpserver: end 31254 status 0
2017-12-30 00:31:37.914885500 tcpserver: status: 1/100
2017-12-30 00:31:38.215151500 tcpserver: status: 2/100
2017-12-30 00:31:38.215252500 tcpserver: pid 31259 from 114.229.162.93
2017-12-30 00:31:38.215296500 tcpserver: ok 31259 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62738
2017-12-30 00:31:39.110484500 tcpserver: end 31259 status 0
2017-12-30 00:31:39.110485500 tcpserver: status: 1/100
2017-12-30 00:31:39.433288500 tcpserver: status: 2/100
2017-12-30 00:31:39.433302500 tcpserver: pid 31261 from 114.229.162.93
2017-12-30 00:31:39.433357500 tcpserver: ok 31261 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62831
2017-12-30 00:31:40.316270500 tcpserver: end 31261 status 0
2017-12-30 00:31:40.316271500 tcpserver: status: 1/100
2017-12-30 00:31:40.615598500 tcpserver: status: 2/100
2017-12-30 00:31:40.615698500 tcpserver: pid 31271 from 114.229.162.93
2017-12-30 00:31:40.615766500 tcpserver: ok 31271 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::62924
2017-12-30 00:31:41.496972500 tcpserver: end 31271 status 0
2017-12-30 00:31:41.496973500 tcpserver: status: 1/100
2017-12-30 00:31:41.873223500 tcpserver: status: 2/100
2017-12-30 00:31:41.873326500 tcpserver: pid 31273 from 114.229.162.93
2017-12-30 00:31:41.873371500 tcpserver: ok 31273 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63007
2017-12-30 00:31:42.828193500 tcpserver: end 31273 status 0
2017-12-30 00:31:42.828194500 tcpserver: status: 1/100
2017-12-30 00:31:43.135644500 tcpserver: status: 2/100
2017-12-30 00:31:43.135749500 tcpserver: pid 31277 from 114.229.162.93
2017-12-30 00:31:43.135794500 tcpserver: ok 31277 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63093
2017-12-30 00:31:44.067442500 tcpserver: end 31277 status 0
2017-12-30 00:31:44.067443500 tcpserver: status: 1/100
2017-12-30 00:31:44.362100500 tcpserver: status: 2/100
2017-12-30 00:31:44.362188500 tcpserver: pid 31282 from 114.229.162.93
2017-12-30 00:31:44.362231500 tcpserver: ok 31282 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63184
2017-12-30 00:31:45.274625500 tcpserver: end 31282 status 0
2017-12-30 00:31:45.274626500 tcpserver: status: 1/100
2017-12-30 00:31:45.574491500 tcpserver: status: 2/100
2017-12-30 00:31:45.574579500 tcpserver: pid 31293 from 114.229.162.93
2017-12-30 00:31:45.574625500 tcpserver: ok 31293 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63270
2017-12-30 00:31:46.464235500 tcpserver: end 31293 status 0
2017-12-30 00:31:46.464236500 tcpserver: status: 1/100
2017-12-30 00:31:46.773361500 tcpserver: status: 2/100
2017-12-30 00:31:46.773362500 tcpserver: pid 31298 from 114.229.162.93
2017-12-30 00:31:46.773363500 tcpserver: ok 31298 
indialau.bigpuddle.net:192.168.1.138:25 :114.229.162.93::63351
2017-12-30 00:31:47.659727500 tcpserver: end 31298 status 0
2017-12-30 00:31:47.659728500 tcpserver: status: 1/100
2017-12-30 00:31:47.940773500 tcpserver: status: 2/100
2017-12-30 00:31:47.940879500 tcpserver: pid 31300 from 114.229.162.93
2017-12-30 00:31:47.940920500 tcpserver:
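
Added example, not part of the original post: one way to measure the pattern in the log above by pairing each `pid N from IP` line with its `end N status` line, then reporting connection bursts and session lengths per address. The thresholds (4 connections in 30 seconds, sessions under 2 seconds, 90% short) and the function names are assumptions, and the sample lines are constructed in the same tcpserver format with documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(?P<frac>\d{1,9}) tcpserver: "
    r"(?:pid (?P<pid>\d+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"|end (?P<endpid>\d+) status (?P<status>\d+))\s*$"
)

def to_ns(date, frac):
    # The log carries nanoseconds; strptime's %f stops at microseconds,
    # so the fraction is handled as an integer.
    base = datetime.strptime(date, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(base.timestamp()) * 10**9 + int(frac.ljust(9, "0"))

def sessions(lines):
    """Pair 'pid N from IP' with 'end N status S'; return [(ip, start_ns, duration_ns)]."""
    open_by_pid, done = {}, []
    for line in lines:
        m = LINE_RE.match(line.lstrip("> ").rstrip())   # tolerate mail quoting
        if m is None:
            continue      # 'status: n/100', 'ok ...' and wrapped lines are skipped
        now = to_ns(m["date"], m["frac"])
        if m["pid"]:
            open_by_pid[m["pid"]] = (m["ip"], now)      # a reused pid replaces the stale entry
        elif m["endpid"] in open_by_pid:
            ip, start = open_by_pid.pop(m["endpid"])
            done.append((ip, start, now - start))
    return done                                          # still-open sessions are not counted

def churn_report(lines, window_s=30, hitcount=4, short_s=2.0, short_ratio=0.9):
    per_ip = defaultdict(list)
    for ip, start, dur in sessions(lines):
        per_ip[ip].append((start, dur))
    report = {}
    for ip, rows in per_ip.items():
        rows.sort()
        starts = [s for s, _ in rows]
        peak, lo = 0, 0   # most connection starts inside any window_s-second span
        for hi, s in enumerate(starts):
            while s - starts[lo] > window_s * 10**9:
                lo += 1
            peak = max(peak, hi - lo + 1)
        short = sum(1 for _, d in rows if d / 1e9 < short_s)
        report[ip] = {
            "connections": len(rows),
            "peak_in_window": peak,
            "short_sessions": short,
            "flag": peak >= hitcount and short / len(rows) >= short_ratio,
        }
    return report

# Constructed sample (not the poster's log): one busy address, one ordinary client.
SAMPLE = """\
2017-12-30 00:31:31.653614500 tcpserver: status: 2/100
2017-12-30 00:31:31.653753500 tcpserver: pid 4001 from 203.0.113.50
2017-12-30 00:31:32.581728500 tcpserver: end 4001 status 0
2017-12-30 00:31:32.872564500 tcpserver: pid 4002 from 203.0.113.50
2017-12-30 00:31:33.100000000 tcpserver: pid 4003 from 198.51.100.9
2017-12-30 00:31:33.862860500 tcpserver: end 4002 status 0
2017-12-30 00:31:34.375022500 tcpserver: pid 4004 from 203.0.113.50
2017-12-30 00:31:35.326643500 tcpserver: end 4004 status 0
2017-12-30 00:31:35.717443500 tcpserver: pid 4005 from 203.0.113.50
2017-12-30 00:31:36.657366500 tcpserver: end 4005 status 0
2017-12-30 00:31:39.600000000 tcpserver: end 4003 status 0
"""

if __name__ == "__main__":
    for ip, row in churn_report(SAMPLE.splitlines()).items():
        print(ip, row)
```

The report only measures connection rate and session length; whether a session delivered mail has to be checked against the qmail-smtpd and send logs for the same pid.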