what is this maillog that constantly happens?

#1 Tue, 02/14/2017 - 00:34
oneearth

hi,

i was able to send and receive emails (yay!) and things seem functional.

but i'm wondering how to interpret this type of maillog entry that constantly happens and whether there's some configuration that i have to tweak in order to not get these entries.

Feb 14 06:14:19 server postfix/smtpd[13856]: connect from unknown[94.102.56.181]
Feb 14 06:14:22 server postfix/smtpd[13856]: warning: unknown[94.102.56.181]: SASL LOGIN authentication failed: authentication failure
Feb 14 06:14:22 server postfix/smtpd[13856]: disconnect from unknown[94.102.56.181]
Feb 14 06:15:40 server postfix/smtpd[13856]: warning: hostname dedic865.hidehost.net does not resolve to address 91.200.12.99: Name or service not known
Feb 14 06:15:40 server postfix/smtpd[13856]: connect from unknown[91.200.12.99]
Feb 14 06:15:42 server postfix/smtpd[13856]: warning: unknown[91.200.12.99]: SASL LOGIN authentication failed: authentication failure
Feb 14 06:15:43 server postfix/smtpd[13856]: lost connection after AUTH from unknown[91.200.12.99]
Feb 14 06:15:43 server postfix/smtpd[13856]: disconnect from unknown[91.200.12.99]

Feb 14 06:17:58 server postfix/smtpd[14069]: warning: hostname dedic869.hidehost.net does not resolve to address 91.200.12.165: Name or service not known
Feb 14 06:17:58 server postfix/smtpd[14069]: connect from unknown[91.200.12.165]
Feb 14 06:18:01 server postfix/smtpd[14069]: warning: unknown[91.200.12.165]: SASL LOGIN authentication failed: authentication failure
Feb 14 06:18:01 server postfix/smtpd[14069]: lost connection after AUTH from unknown[91.200.12.165]
Feb 14 06:18:01 server postfix/smtpd[14069]: disconnect from unknown[91.200.12.165]
Feb 14 06:18:36 server postfix/smtpd[14069]: connect from qcxqdwpi.my-addr.com[212.22.73.85]
Feb 14 06:18:40 server postfix/smtpd[14069]: NOQUEUE: reject: RCPT from qcxqdwpi.my-addr.com[212.22.73.85]: 454 4.7.1 <non-existing_email@oneofmydomains.com>: Relay access denied; from=<koyot27385@qcxqdwpi.my-addr.com> to=<non-existing_email@oneofmydomains.com> proto=SMTP helo=<qcxqdwpi.my-addr.com>
Feb 14 06:18:41 server postfix/smtpd[14069]: disconnect from qcxqdwpi.my-addr.com[212.22.73.85]

any thoughts and suggestions would be appreciated.

Tue, 02/14/2017 - 11:46
unborn

hi, block that ip address with fail2ban. if you read the text in these logins it's saying someone is constantly trying to connect - that usually means guessing passwords via some program.. just block the ip. in your fail2ban install enable sasl, postfix, dovecot and ssh bans, set them to 3 fails and ban them for at least a week or so.. - basically secure your server, that's all :)

Configuring/troubleshooting Debian servers is always great fun

Wed, 02/15/2017 - 10:01
oneearth

i went to > Webmin > Networking > Fail2ban Intrusion Detector, which i had installed, then > Filter Action Jails > clicked on the sshd, postfix-sasl and dovecot jails and enabled them with the basic iptables action on the appropriate tcp port

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
filter   = postfix-sasl
action   = iptables[name=postfix-sasl, port=smtp, protocol=tcp]
filter   = dovecot
action   = iptables[name=dovecot, port=dovecot, protocol=tcp]

is that sufficient?
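For comparison, here is what the three jails look like written out as a complete /etc/fail2ban/jail.local with the retry and ban settings the thread recommends. This is an added example, not the poster's Webmin output or a Virtualmin default; it assumes the fail2ban 0.9-style jail names used in the post (sshd, postfix-sasl, dovecot) and the %(..._log)s path variables that ship in its jail.conf/paths-*.conf, so only the overrides need to appear here.

```ini
# /etc/fail2ban/jail.local  (added example; overrides jail.conf, which keeps the
# filter names and default ports for each jail)

[DEFAULT]
# Count failures over a 10-minute window (seconds)...
findtime  = 600
# ...and ban after the third one.
maxretry  = 3
# Default is 600 s (10 minutes). 86400 = 24 hours as suggested in the thread;
# 604800 would be one week. Older fail2ban releases accept seconds only, so
# spell the value out rather than writing "24h" or "1w".
bantime   = 86400
# One iptables chain per jail, covering every port listed for it.
banaction = iptables-multiport

# Brute-force logins against sshd (matches "Failed password" style lines)
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s

# The "SASL LOGIN authentication failed" lines shown in the first post
[postfix-sasl]
enabled = true
port    = smtp,submission,smtps
logpath = %(postfix_log)s

# Failed IMAP/POP logins against dovecot
[dovecot]
enabled = true
port    = pop3,pop3s,imap,imaps
logpath = %(dovecot_log)s
```

After editing, `fail2ban-client reload` picks up the file, and `fail2ban-client status postfix-sasl` lists the currently banned addresses for that jail; the iptables chains it maintains are also what Webmin's firewall page shows.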

Thu, 02/16/2017 - 04:17 (Reply to #3)
unborn

Hi, on my server I have ssh, sasl, dovecot and postfix.. fail2ban should automatically adjust your iptables for you. However I would suggest you change the ban time from 10 minutes to something more reasonable like 24 hours. Also, just to make sure that your email accounts are clean, change the passwords. With all of that you should be good to go. Then you can check what ip was banned and when in webmin > networking > firewall..
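To make the log entries from the first post and the maxretry/findtime/bantime advice in the replies concrete, the following script replays a mail.log excerpt with fail2ban-style counting: it separates failed SASL logins (password guessing) from "Relay access denied" rejections (relay probes, which need no ban since Postfix already refused them), and reports which address would be banned and until when. This is an added example, not code from the thread or from fail2ban; the log lines are constructed from the ones quoted above, with two extra attempts from 91.200.12.99 added so that one client crosses the threshold, and the year 2017 is assumed because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the entries quoted in the thread, plus two extra failures
# from 91.200.12.99 (06:16:10 and 06:16:45) so that one address reaches maxretry.
SAMPLE_LOG = """\
Feb 14 06:14:19 server postfix/smtpd[13856]: connect from unknown[94.102.56.181]
Feb 14 06:14:22 server postfix/smtpd[13856]: warning: unknown[94.102.56.181]: SASL LOGIN authentication failed: authentication failure
Feb 14 06:14:22 server postfix/smtpd[13856]: disconnect from unknown[94.102.56.181]
Feb 14 06:15:40 server postfix/smtpd[13856]: connect from unknown[91.200.12.99]
Feb 14 06:15:42 server postfix/smtpd[13856]: warning: unknown[91.200.12.99]: SASL LOGIN authentication failed: authentication failure
Feb 14 06:15:43 server postfix/smtpd[13856]: lost connection after AUTH from unknown[91.200.12.99]
Feb 14 06:16:10 server postfix/smtpd[13856]: warning: unknown[91.200.12.99]: SASL LOGIN authentication failed: authentication failure
Feb 14 06:16:45 server postfix/smtpd[13856]: warning: unknown[91.200.12.99]: SASL LOGIN authentication failed: authentication failure
Feb 14 06:18:01 server postfix/smtpd[14069]: warning: unknown[91.200.12.165]: SASL LOGIN authentication failed: authentication failure
Feb 14 06:18:40 server postfix/smtpd[14069]: NOQUEUE: reject: RCPT from qcxqdwpi.my-addr.com[212.22.73.85]: 454 4.7.1 <nobody@oneofmydomains.com>: Relay access denied; from=<koyot27385@qcxqdwpi.my-addr.com> to=<nobody@oneofmydomains.com> proto=SMTP helo=<qcxqdwpi.my-addr.com>
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
HOST = r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]"

# A failed SASL login: the client offered a username/password that Postfix rejected.
SASL_FAIL = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: warning: " + HOST
                       + r": SASL [\w-]+ authentication failed")
# A relay probe: the client asked the server to carry mail for a domain it does not
# host without authenticating; Postfix refused it before queueing anything.
RELAY_DENIED = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
                          + HOST + r": \d{3} \d\.\d\.\d .*Relay access denied")


def parse_ts(text, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(log_text, maxretry=3, findtime=timedelta(minutes=10),
            bantime=timedelta(days=7), year=2017):
    """Replay the log with fail2ban-style counting: an address that fails maxretry
    times within findtime is banned for bantime. Returns per-address failure totals,
    the resulting bans (address -> ban expiry) and relay-probe counts."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    totals = Counter()
    relay_probes = Counter()
    bans = {}
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            ts, ip = parse_ts(m["ts"], year), m["ip"]
            totals[ip] += 1
            window = recent[ip]
            window.append(ts)
            while ts - window[0] > findtime:   # forget attempts outside the window
                window.popleft()
            if len(window) >= maxretry and ip not in bans:
                bans[ip] = ts + bantime
            continue
        m = RELAY_DENIED.match(line)
        if m:
            relay_probes[m["ip"]] += 1
    return {"failures": dict(totals), "bans": bans, "relay_probes": dict(relay_probes)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in sorted(result["failures"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} failed SASL login(s)")
    for ip, until in result["bans"].items():
        print(f"{ip:16} would be banned until {until:%Y-%m-%d %H:%M:%S}")
    for ip, n in result["relay_probes"].items():
        print(f"{ip:16} {n} relay attempt(s) rejected")
```

Running it against a real /var/log/mail.log (`analyze(open("/var/log/mail.log").read())`) shows the same picture a fail2ban postfix-sasl jail acts on: single failures from many addresses are the normal background noise of an internet-facing SMTP server and are harmless as long as passwords are strong, while any address that repeats within the window is what the jail bans. Shortening findtime or raising maxretry, as the second and third calls in the test do, is the trade-off the replies discuss: fewer false bans at the cost of letting a slow guesser run longer.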
