Koozali.org: home of the SME Server

qpsmtpd (unrecognized_command) count_unrecognized_commands: 'auth', (1)

mmccarn

I'm getting several hundred connections each day (on a mail server that only receives 10 - 15 valid emails per day) that show the sequence below in /var/log/qpsmtpd/current:

Code:
@40000000593a7d2e13718fdc 4250 250 mysmeserver.tld Hi 189-210-188-70.static.axtel.net [189.210.188.70]; I am so happy to meet you.
@40000000593a7d2e31a991d4 4250 dispatching AUTH LOGIN
@40000000593a7d2e31a999a4 4250 (unrecognized_command) count_unrecognized_commands: 'auth', (1)
@40000000593a7d2e31a9a174 4250 500 Unrecognized command
@40000000593a7d2e31a9a55c 4250 dispatching QUIT
@40000000593a7d2e31a9a944 4250 221 mysmeserver.tld closing connection. Have a wonderful day.
@40000000593a7d2e31a9ad2c 4250 click, disconnecting
@40000000593a7d2e31a9b114 4247 cleaning up after 4250

I'm pretty sure that these are no more alarming than a dictionary attack against ssh would be with username login disabled (that is, it's just log noise that I can safely ignore).

However, I still have several questions:
  • Why is there no logterse entry?
  • Why is 'auth' an unrecognized command (or is it actually 'auth' followed by some intentionally mis-coded, null-containing string)?
  • Has the attacker actually attempted a username/password during this conversation?
  • Is fail2ban clever enough to pull these entries out and block all remote access (smtp, ssh, imap, pop3, https) from them, since there is no single log entry with both the IP address and the result?
  • Is there a way to configure fail2ban to block every IP address mentioned in /var/log/qpsmtpd/* *except* those with a successful outcome?
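One way to get the client IP and the outcome of a connection onto a single record, which the last two questions above hinge on, is to correlate the log by the qpsmtpd child PID. This is an added example, not code from the thread or from SME Server; the sample log is constructed from the lines quoted above plus one made-up clean session (PID 4260, 192.0.2.10), and the regexes assume the layout shown there (tai64n stamp, child PID, message).

```python
import re

# Constructed sample: first session copies the lines quoted in the post,
# the second (PID 4260, 192.0.2.10) is a made-up clean delivery for contrast.
SAMPLE_LOG = """\
@40000000593a7d2e13718fdc 4250 250 mysmeserver.tld Hi 189-210-188-70.static.axtel.net [189.210.188.70]; I am so happy to meet you.
@40000000593a7d2e31a991d4 4250 dispatching AUTH LOGIN
@40000000593a7d2e31a999a4 4250 (unrecognized_command) count_unrecognized_commands: 'auth', (1)
@40000000593a7d2e31a9a174 4250 500 Unrecognized command
@40000000593a7d2e31a9ad2c 4250 click, disconnecting
@40000000593a7d2e31a9b114 4247 cleaning up after 4250
@40000000593a7d2f00000001 4260 250 mysmeserver.tld Hi mail.example.org [192.0.2.10]; I am so happy to meet you.
@40000000593a7d2f00000002 4260 dispatching MAIL FROM:<a@example.org>
@40000000593a7d2f00000004 4260 click, disconnecting
"""

LINE_RE = re.compile(r"^@[0-9a-f]{24} (\d+) (.*)$")      # tai64n stamp, child PID, message
HELLO_RE = re.compile(r"\bHi \S+ \[([0-9a-fA-F.:]+)\]")  # greeting line carries the client IP

def split_sessions(log_text):
    """Yield one dict per SMTP session. Lines are grouped by the qpsmtpd child
    PID while the session is open; 'click, disconnecting' closes it, so a PID
    reused later in the log starts a fresh session instead of merging."""
    open_sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        sess = open_sessions.setdefault(pid, {"pid": pid, "ip": None, "events": []})
        hello = HELLO_RE.search(msg)
        if hello:
            sess["ip"] = hello.group(1)
        sess["events"].append(msg)
        if msg.startswith("click, disconnecting"):
            yield open_sessions.pop(pid)
    yield from open_sessions.values()  # sessions still open at end of file

def rejected_auth_sources(log_text):
    """Client IPs of sessions that sent AUTH and were answered with
    '500 Unrecognized command', i.e. the pattern quoted in the post."""
    hits = []
    for sess in split_sessions(log_text):
        ev = sess["events"]
        tried_auth = any(e.startswith("dispatching AUTH") for e in ev)
        rejected = any(e.startswith("500 Unrecognized command") for e in ev)
        if sess["ip"] and tried_auth and rejected:
            hits.append(sess["ip"])
    return hits
```

Each returned IP can then be written out as one line that holds both address and result, which is the shape a single-line log matcher needs.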