Hi, I'm new to this forum, but I have come here as I have a specific problem, and after searching the web I found very little about this; this forum seemed to be the best place to start asking. My production mail server supports about 100 people and about 600/1000 emails a day, but it gets around 20,000 lost connections from UNKNOWN per day, with a typical UNKNOWN IP address creating 300/400 each. Here is a log summary:

Connections lost:
Connection lost while AUTH : 20 Time(s)
Connection lost while CONNECT : 1267 Time(s)
Connection lost while EHLO : 1 Time(s)
Connection lost while END-OF-MESSAGE : 1 Time(s)
Connection lost while NOOP : 1 Time(s)
Connection lost while RCPT : 49 Time(s)
Connection lost while RSET : 1 Time(s)
Connection lost while UNKNOWN : 17645 Time(s)

On my test / secondary server (which handles about 80 emails a day) I don't get any "Connection lost while UNKNOWN". What is going on? Is this a DOS (it has been going on for at least a month), or spambots, or brute force attempts, or similar? I have had some complaints about server connections not being made, and I can't see anything specific in the logs apart from all these entries, so will this number of lost connections materially impact the performance? If so, should I do something like fail2ban the UNKNOWN/unknowns, or could it be something else like a bad config setting? I think my server is more than powerful enough to handle the normal load. Any thoughts or areas to look at, gratefully received.
Welcome. That sounds weird. Are you running Linux/BSD? What distro? Please supply more lines from the log. Include the Postfix conf.
Sounds a bit like someone is running a botnet to have a go at a brute force attack. They usually go away after a while then come back and have another go later. 20,000 (about 1 every 4 seconds) is a lot, and probably will be impacting on the server's ability to receive legitimate mail. Not sure what you can do about it though. Perhaps someone with far more knowledge of these things will come up with an answer. To my knowledge you can't stop people trying to connect with your server, unless you block the specific IP addresses, and how can you block the IP address if it is UNKNOWN? Have you tested the server to see how it presents to the outside world?
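An added example (not code from this thread) that answers the "how do you block an UNKNOWN IP" question in practice: in these Postfix smtpd lines "unknown" is only the failed reverse-DNS lookup, while the client IP in brackets is always logged, so a per-IP and per-stage tally can be built from the log and the worst offenders handed to a blocklist or fail2ban. The sample log lines are constructed in the thread's format using documentation addresses; the threshold of 3 is an assumption for the sample.

```python
import re
from collections import Counter

# Matches the Postfix smtpd lines discussed in the thread, e.g.
#   ... postfix/smtpd[15243]: lost connection after CONNECT from host.example[192.0.2.10]
#   ... postfix/smtpd[17210]: lost connection after UNKNOWN from unknown[198.51.100.7]
# "unknown" is only the failed reverse DNS lookup; the IP in brackets is always present.
LOST_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after (?P<stage>[A-Z-]+) "
    r"from (?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

def summarize(lines):
    """Return (count per SMTP stage, count per client IP, set of IPs with no rDNS)."""
    by_stage = Counter()
    by_ip = Counter()
    no_rdns = set()
    for line in lines:
        m = LOST_RE.search(line)
        if not m:
            continue  # connect/disconnect/warning lines are not counted here
        by_stage[m.group("stage")] += 1
        by_ip[m.group("ip")] += 1
        if m.group("host") == "unknown":
            no_rdns.add(m.group("ip"))
    return by_stage, by_ip, no_rdns

def noisy_ips(by_ip, threshold):
    """IPs whose lost-connection count reaches the threshold, worst first."""
    return [(ip, n) for ip, n in by_ip.most_common() if n >= threshold]

# Constructed sample in the thread's log format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jul 17 07:05:46 ns2 postfix/smtpd[15243]: lost connection after CONNECT from bzb205.example.net[192.0.2.10]
Jul 17 07:05:46 ns2 postfix/smtpd[15243]: disconnect from bzb205.example.net[192.0.2.10]
Jul 17 07:05:46 ns2 postfix/smtpd[17210]: connect from unknown[198.51.100.7]
Jul 17 07:05:47 ns2 postfix/smtpd[17210]: lost connection after UNKNOWN from unknown[198.51.100.7]
Jul 17 07:05:48 ns2 postfix/smtpd[17211]: lost connection after UNKNOWN from unknown[198.51.100.7]
Jul 17 07:05:49 ns2 postfix/smtpd[17212]: lost connection after UNKNOWN from unknown[198.51.100.7]
Jul 17 07:05:50 ns2 postfix/smtpd[9843]: lost connection after RCPT from unknown[203.0.113.5]
""".splitlines()

if __name__ == "__main__":
    stages, ips, unresolved = summarize(SAMPLE_LOG)
    for stage, n in stages.most_common():
        print(f"Connection lost while {stage:<15}: {n} Time(s)")
    for ip, n in noisy_ips(ips, threshold=3):
        tag = " (no rDNS)" if ip in unresolved else ""
        print(f"{ip}: {n} lost connections{tag}")
```

On a real server, feed it `/var/log/mail.log` instead of the sample and pick a threshold that separates the 300/400-per-IP sources from ordinary clients.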
lost connection after UNKNOWN from unknown

Hi! I have the same problem. Did you figure this out? How do you solve this issue?
Hi. Which tutorial have you used for the server? Are there any other errors in your mail log? What's the output of
The server was set up about 3 years ago and worked fine. I used Perfect Server ISPConfig 3 on Debian. I have only these errors:

Jul 17 07:05:46 ns2 postfix/smtpd[15243]: lost connection after CONNECT from bzb205.internetdsl.tpnet.pl[83.19.31.205]
Jul 17 07:05:46 ns2 postfix/smtpd[15243]: disconnect from bzb205.internetdsl.tpnet.pl[83.19.31.205]
Jul 17 07:05:46 ns2 postfix/smtpd[17210]: connect from unknown[212.172.218.100]
Jul 17 07:05:46 ns2 postfix/smtpd[9843]: warning: 46.29.255.43: address not listed for hostname iouessay.ns02.us
Jul 17 07:05:46 ns2 postfix/smtpd[9843]: connect from unknown[46.29.255.43]
Jul 17 07:05:47 ns2 postfix/smtpd[16539]: connect from mail4.bportal.biz[192.109.121.67]
Jul 17 07:05:47 ns2 postfix/smtpd[16539]: 1DEBC11E923A: client=mail4.bportal.biz[192.109.121.67]
Jul 17 07:05:47 ns2 postfix/smtpd[13345]: connect from unknown[62.73.68.49]
^C
root@ns2:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:10024 *:*                     LISTEN      16820/amavisd (ch9-
tcp        0      0 localhost.localdo:10025 *:*                     LISTEN      10620/smtpd
tcp        0      0 *:mysql                 *:*                     LISTEN      17366/mysqld
tcp        0      0 *:submission            *:*                     LISTEN      13733/master
tcp        0      0 localhost.localdo:11211 *:*                     LISTEN      3026/memcached
tcp        0      0 *:pop3                  *:*                     LISTEN      3367/dovecot
tcp        0      0 *:imap2                 *:*                     LISTEN      3367/dovecot
tcp        0      0 localhost.localdo:spamd *:*                     LISTEN      3142/spamd.pid
The possible reasons could be:
1) The DNS record is not correct.
2) Port 25 is not forwarded from the router to the server IP if your server is installed in a local network.
3) Port 25 is blocked by a firewall on the server, a router or by your ISP.
4) Postfix is not listening on the external network interface.
Please post the output of: and
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N INT_IN
-N INT_OUT
-N PAROLE
-N PUB_IN
-N PUB_OUT
-N fail2ban-apache-nohome
-N fail2ban-apache-overflows
-N fail2ban-dovecot-pop3imap
-N fail2ban-postfix
-N fail2ban-pureftpd
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-nohome
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i ppp+ -j PUB_IN
-A INPUT -i slip+ -j PUB_IN
-A INPUT -i venet+ -j PUB_IN
-A INPUT -i bond+ -j PUB_IN
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o eth+ -j PUB_OUT
-A OUTPUT -o ppp+ -j PUB_OUT
-A OUTPUT -o slip+ -j PUB_OUT
-A OUTPUT -o venet+ -j PUB_OUT
-A OUTPUT -o bond+ -j PUB_OUT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 465 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 587 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 993 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 995 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8082 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 50000:51000 -j PAROLE
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
-A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A PUB_OUT -j ACCEPT
-A fail2ban-apache-nohome -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-dovecot-pop3imap -s 95.40.7.100/32 -j DROP
-A fail2ban-dovecot-pop3imap -j RETURN
-A fail2ban-postfix -j RETURN
-A fail2ban-pureftpd -s 201.236.9.50/32 -j DROP
-A fail2ban-pureftpd -j RETURN
-A fail2ban-ssh -s 95.138.166.172/32 -j DROP
-A fail2ban-ssh -s 86.101.234.57/32 -j DROP
-A fail2ban-ssh -s 190.183.168.250/32 -j DROP
-A fail2ban-ssh -j RETURN