I've been getting an unknown connection warning for the last half month; it seems to come every minute. I've looked in many directions for the cause but haven't found anything. I tried shutting down the server and turning it back on after 3 days, and as soon as the machine finished booting up, the same connection appeared right away. Am I being compromised? Regarding the services of the server, I only enabled the mail service. Thanks!

Code:
Jul 29 13:06:14 (My host) postfix/postfix-script[2653]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
Jul 29 13:06:14 (My host) postfix/postfix-script[2656]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
Jul 29 13:06:14 (My host) postfix/postfix-script[2834]: starting the Postfix mail system
Jul 29 13:06:14 (My host) postfix/master[2836]: daemon started -- version 3.6.4, configuration /etc/postfix
Jul 29 13:06:27 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.209]
Jul 29 13:06:36 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:06:37 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:06:38 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.248]
Jul 29 13:06:39 (My host) postfix/smtpd[2859]: connect from unknown[80.94.95.209]
Jul 29 13:06:41 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:06:42 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.248] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:06:50 (My host) postfix/smtpd[2859]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:06:50 (My host) postfix/smtpd[2859]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:06:52 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.209]
Jul 29 13:07:02 (My host) postfix/smtpd[2859]: connect from unknown[80.94.95.248]
Jul 29 13:07:06 (My host) postfix/smtpd[6096]: connect from unknown[80.94.95.209]
Jul 29 13:07:08 (My host) postfix/smtpd[2859]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:08 (My host) postfix/smtpd[2859]: disconnect from unknown[80.94.95.248] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:07:09 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:10 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:07:18 (My host) postfix/smtpd[6096]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: Connection lost to authentication server
Jul 29 13:07:19 (My host) postfix/smtpd[6096]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:07:20 (My host) postfix/smtpd[2859]: connect from unknown[80.94.95.209]
Jul 29 13:07:26 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.248]
Jul 29 13:07:28 (My host) postfix/smtpd[2859]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:28 (My host) postfix/smtpd[2859]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:07:32 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:32 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.248] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:07:34 (My host) postfix/smtpd[6096]: connect from unknown[80.94.95.209]
Jul 29 13:07:38 (My host) dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Jul 29 13:07:45 (My host) postfix/smtpd[6096]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:45 (My host) postfix/smtpd[2859]: connect from unknown[80.94.95.209]
Jul 29 13:07:46 (My host) postfix/smtpd[6096]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:07:49 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.248]
Jul 29 13:07:56 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:57 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.248] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:07:58 (My host) postfix/smtpd[6096]: connect from unknown[80.94.95.209]
Jul 29 13:07:59 (My host) postfix/smtpd[2859]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:59 (My host) postfix/smtpd[2859]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:08:11 (My host) postfix/smtpd[6096]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: Connection lost to authentication server
Jul 29 13:08:11 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.209]
Jul 29 13:08:12 (My host) postfix/smtpd[6096]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:08:13 (My host) postfix/smtpd[2859]: connect from unknown[80.94.95.248]
Jul 29 13:08:17 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:08:18 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:08:18 (My host) postfix/smtpd[2859]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:08:18 (My host) postfix/smtpd[2859]: disconnect from unknown[80.94.95.248] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:08:25 (My host) postfix/smtpd[6096]: connect from unknown[80.94.95.209]
Jul 29 13:08:28 (My host) dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Jul 29 13:08:37 (My host) postfix/smtpd[6096]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:08:37 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.248]
Jul 29 13:08:37 (My host) postfix/smtpd[6096]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:08:38 (My host) postfix/smtpd[2859]: connect from unknown[80.94.95.209]
Jul 29 13:08:42 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:08:42 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.248] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:08:51 (My host) postfix/smtpd[6096]: connect from unknown[80.94.95.209]
Jul 29 13:08:52 (My host) postfix/smtpd[2859]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:08:52 (My host) postfix/smtpd[2859]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:09:01 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.248]
Jul 29 13:09:04 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:09:04 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.248] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:09:04 (My host) postfix/smtpd[6096]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: Connection lost to authentication server
Jul 29 13:09:04 (My host) postfix/smtpd[2859]: connect from unknown[80.94.95.209]
Jul 29 13:09:05 (My host) postfix/smtpd[6096]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:09:12 (My host) postfix/smtpd[2859]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:09:12 (My host) postfix/smtpd[2859]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:09:17 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.209]
Jul 29 13:09:25 (My host) postfix/smtpd[6096]: connect from unknown[80.94.95.248]
Jul 29 13:09:27 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:09:27 (My host) postfix/pickup[2837]: 4B05560423: uid=0 from=<root>
Jul 29 13:09:27 (My host) postfix/cleanup[140708]: 4B05560423: message-id=<20240729050927.4B05560423@(My host)>
Jul 29 13:09:27 (My host) postfix/smtpd[2859]: connect from localhost[127.0.0.1]
Jul 29 13:09:27 (My host) postfix/smtpd[2859]: lost connection after CONNECT from localhost[127.0.0.1]
Jul 29 13:09:27 (My host) postfix/smtpd[2859]: disconnect from localhost[127.0.0.1] commands=0/0
Jul 29 13:09:27 (My host) dovecot: pop3-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<PaiB3Vse8r1/AAAB>
Jul 29 13:09:27 (My host) dovecot: imap-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<rb6B3VseHNF/AAAB>
Jul 29 13:09:27 (My host) postfix/qmgr[2838]: 4B05560423: from=<root@(My hostname)>, size=522, nrcpt=1 (queue active)
Jul 29 13:09:27 (My host) postfix/local[140770]: 4B05560423: to=<root@(My hostname)>, orig_to=<root>, relay=local, delay=0.56, delays=0.54/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Jul 29 13:09:27 (My host) postfix/qmgr[2838]: 4B05560423: removed
Jul 29 13:09:27 (My host) dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Jul 29 13:09:28 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:09:31 (My host) postfix/smtpd[2859]: connect from unknown[80.94.95.209]
Jul 29 13:09:31 (My host) postfix/smtpd[6096]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:09:31 (My host) postfix/smtpd[6096]: disconnect from unknown[80.94.95.248] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:09:44 (My host) postfix/smtpd[2845]: connect from unknown[80.94.95.209]
Jul 29 13:09:46 (My host) postfix/smtpd[2859]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:09:46 (My host) postfix/smtpd[2859]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:09:48 (My host) postfix/smtpd[6096]: connect from unknown[80.94.95.248]
Jul 29 13:09:55 (My host) postfix/smtpd[6096]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:09:55 (My host) postfix/smtpd[6096]: disconnect from unknown[80.94.95.248] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:09:57 (My host) postfix/smtpd[2859]: connect from unknown[80.94.95.209]
Jul 29 13:09:57 (My host) postfix/smtpd[2845]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: Connection lost to authentication server
Jul 29 13:09:58 (My host) postfix/smtpd[2845]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:10:02 (My host) postfix/smtpd[6096]: connect from localhost[127.0.0.1]
Jul 29 13:10:02 (My host) postfix/smtpd[6096]: lost connection after CONNECT from localhost[127.0.0.1]
Jul 29 13:10:02 (My host) postfix/smtpd[6096]: disconnect from localhost[127.0.0.1] commands=0/0
Jul 29 13:10:02 (My host) dovecot: imap-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<OXSZ31seXph/AAAB>
Jul 29 13:10:02 (My host) dovecot: pop3-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<6nqZ31seOtJ/AAAB>
Jul 29 13:10:05 (My host) postfix/smtpd[2859]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:10:06 (My host) postfix/smtpd[2859]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Do you mean these lines:

Code:
connect from unknown[80.94.95.248]
connect from unknown[80.94.95.209]

Those are two hosts trying to log in to Dovecot, that is, trying to use an e-mail account. Do you recognize those IP numbers? If they are from your hosts, something there tries to use e-mail. If they are not yours, it may be someone or something trying to guess passwords for e-mail accounts. In this case you can try to mitigate it a bit; my signature has a link to a Fail2ban tutorial.
Yeah, those are the IPs; I don't recognize these IPs at all. Regarding "trying to guess the password of an e-mail account", is it possible to know from the logs or otherwise which e-mail account is being guessed? I don't publicize my server or email address elsewhere, but I have tested it many times on some email testing platforms, and the server is only in beta. Is it possible that this could have brought this on? Also, is there any way to automatically blacklist the other party's IP if such guesses exceed a certain number of times or days? Like blocking connections. BTW, I didn't find a link to Fail2ban in your signature; maybe it's because I don't know the right way to look it up. Sorry.
As soon as you host any service publicly, many bots will try to log in and brute-force the system. This is nothing new, and one of the reasons why you should have good passwords and security settings. It has nothing to do with these testing services. That's already running in a default ISPConfig installation and is provided through fail2ban, which monitors the attempts and bans the IPs for a certain amount of time if there are too many failed attempts. If you have really bad offenders, just block the IP addresses or networks with iptables forever.
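A worked example of the counting the reply above describes, added here and not code from any post in the thread, from fail2ban or from ISPConfig. It matches Postfix's `SASL ... authentication failed` warnings, counts failures per client IP inside a fail2ban-style findtime window, and reports the IPs that reach maxretry. It also decodes the base64 tail of those lines: Postfix logs the last SASL server challenge after `failed:`, and for the LOGIN mechanism that is the server's own `Password:` prompt, which is why the log does not show which account was tried. The sample log is constructed to mirror the format quoted at the top of the thread, with `mx1` standing in for the poster's host name; the regex is this example's own, not the one shipped in fail2ban's filter.d.

```python
"""Brute-force detection over Postfix SASL log lines.

Added example for this thread, not fail2ban's or ISPConfig's own code.
It does in spirit what the postfix-sasl jail does: count
"SASL ... authentication failed" warnings per client IP inside a findtime
window and report the IPs that reach maxretry.  SAMPLE_LOG is constructed
to mirror the format quoted in the thread; the host name "mx1", the
timestamps and the counts are made up.
"""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime

# One Postfix smtpd SASL failure line.  This regex is the example's own,
# not the expression from fail2ban's filter.d/postfix.conf.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<rdns>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<reason>.*)$"
)

# Constructed sample: two scanners hammering AUTH LOGIN, one Dovecot auth
# hiccup in between.  "auth=0/1" on a disconnect line means one AUTH
# command was sent and none succeeded.
SAMPLE_LOG = """\
Jul 29 13:06:27 mx1 postfix/smtpd[2845]: connect from unknown[80.94.95.209]
Jul 29 13:06:36 mx1 postfix/smtpd[2845]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:06:37 mx1 postfix/smtpd[2845]: disconnect from unknown[80.94.95.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 29 13:06:41 mx1 postfix/smtpd[2845]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:06:50 mx1 postfix/smtpd[2859]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:09 mx1 postfix/smtpd[2845]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:18 mx1 postfix/smtpd[6096]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: Connection lost to authentication server
Jul 29 13:07:28 mx1 postfix/smtpd[2859]: warning: unknown[80.94.95.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:32 mx1 postfix/smtpd[2845]: warning: unknown[80.94.95.248]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 29 13:07:38 mx1 dovecot: auth: Error: auth client 0 disconnected with 1 pending requests: Connection reset by peer
"""


def parse_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def decode_reason(reason: str) -> str:
    """Postfix logs the last SASL server challenge after 'failed:'.  For the
    LOGIN mechanism that is the server's own base64 'Password:' prompt,
    so it reveals nothing about which account was tried.  Plain-text
    reasons ('Connection lost to authentication server') pass through."""
    try:
        return base64.b64decode(reason, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return reason


def failures_by_ip(lines, year=2024):
    """Map client IP -> sorted failure timestamps."""
    events = defaultdict(list)
    for line in lines:
        m = SASL_FAIL.match(line)
        if m:
            events[m["ip"]].append(parse_ts(m["ts"], year))
    return {ip: sorted(ts) for ip, ts in events.items()}


def find_offenders(lines, maxretry=5, findtime=600, year=2024):
    """fail2ban semantics: ban an IP once it has maxretry failures inside
    any findtime-second window.  Returns {ip: total_failures}."""
    offenders = {}
    for ip, times in failures_by_ip(lines, year).items():
        start = 0
        for end in range(len(times)):
            # slide the window start forward until the span fits in findtime
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in find_offenders(lines).items():
        print(f"{ip}: {n} SASL failures, banned at maxretry=5/findtime=600")
    print("decoded reason:", decode_reason("UGFzc3dvcmQ6"))
```

With the defaults, 80.94.95.209 (five failures in under a minute) is reported and 80.94.95.248 (two) is not; shrinking findtime to 30 seconds lets the same IP through, which is why a jail's findtime matters as much as its maxretry against slow, two-host scanners like the ones in the quoted log. Note that `Connection lost to authentication server` is counted as a failure too, just as the Postfix filter matches any `authentication failed` line regardless of the reason text.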
Is my signature not visible to all logged-in users? Are you sure @Dy-2024 you cannot see my signature and the Fail2Ban line? That is what Fail2ban does.
Yeah, I can understand that. In my logs, is there any indication that fail2ban has not banned this IP? Instead, does it say that the IP is still trying? That's what I'm trying to do right now, but I don't know how to implement a ban. Sorry, I'm new at this.
Please post listings and code in CODE tags
Using Fail2Ban on Debian 12
Automatic updates with unattended-upgrades
Connect File Manager to Website
ISPConfig and e-mail
Set up DNS with ISPConfig

I'm sorry, do you mean these? If so, I didn't find it in these, but of course, maybe I don't understand. In my logs, is there any indication that fail2ban has not banned this IP? Instead, does it say that the IP is still trying?
Check the available jails with

Code:
fail2ban-client status

And then manually ban the IP with fail2ban like this:

Code:
fail2ban-client -vvv set JAILNAME banip XX.XX.XX.XX
If you see those, click the line that reads "Using Fail2Ban on Debian 12". It is a link that goes to Fail2Ban tutorial.
Thank you. "fail2ban-client status": The results are as follows:

Code:
Status
|- Number of jail: 4
`- Jail list: dovecot, postfix-sasl, pure-ftpd, sshd

"fail2ban-client -vvv set JAILNAME banip 80.94.95.209":

Code:
+ 61 7FB6F23EB000 fail2ban.configreader INFO Loading configs for fail2ban under /etc/fail2ban
+ 61 7FB6F23EB000 fail2ban.configreader DEBUG Reading configs for fail2ban under /etc/fail2ban
+ 62 7FB6F23EB000 fail2ban.configreader DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
+ 62 7FB6F23EB000 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
+ 62 7FB6F23EB000 fail2ban.configparserinc TRACE Reading file: /etc/fail2ban/fail2ban.conf
+ 63 7FB6F23EB000 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
+ 63 7FB6F23EB000 fail2ban.configparserinc TRACE Shared file: /etc/fail2ban/fail2ban.conf
+ 63 7FB6F23EB000 fail2ban INFO Using socket file /var/run/fail2ban/fail2ban.sock
+ 63 7FB6F23EB000 fail2ban INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
+ 63 7FB6F23EB000 fail2ban HEAVY CMD: ['set', 'JAILNAME', 'banip', '80.94.95.209']
+ 65 7FB6F23EB000 fail2ban ERROR NOK: ('JAILNAME',)
+ 65 7FB6F23EB000 fail2ban.beautifier DEBUG Beautify (error) UnknownJailException('JAILNAME') with ['set', 'JAILNAME', 'banip', '80.94.95.209']
Sorry but the jail 'JAILNAME' does not exist
+ 66 7FB6F23EB000 fail2ban DEBUG Exit with code 255

Maybe I didn't understand JAILNAME. I'll check.
JAILNAME is the name of the jail it shall ban the IP for, so you must replace JAILNAME with the actual name of the jail.
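An added example, not code from the thread or from fail2ban, that ties the last few posts together: it reads the jail list out of the `fail2ban-client status` text quoted above, picks the jail that watches a given syslog line (a Postfix smtpd line belongs to `postfix-sasl`, a Dovecot line to `dovecot`), refuses an unknown jail name locally instead of waiting for fail2ban's `Sorry but the jail 'JAILNAME' does not exist`, and builds the `fail2ban-client set <jail> banip <ip>` command. It also scans a fail2ban.log excerpt for `Ban`/`Unban` lines, which is where you look to answer the earlier question of whether fail2ban has actually banned an IP or whether it is simply still trying. The source-to-jail mapping and the fail2ban.log excerpt are this example's assumptions, modelled on the stock Debian jail definitions and log format; the status text is the one the poster pasted.

```python
"""Pick the fail2ban jail for a log line, verify it exists, build the
`fail2ban-client set <jail> banip <ip>` command, and read fail2ban.log
to see whether fail2ban has already acted on an IP.

Added example for this thread, not fail2ban's own code.  The jail names
are the four the poster's `fail2ban-client status` showed; the mapping
from log source to jail and the fail2ban.log sample are this example's
assumptions, modelled on stock Debian jail definitions.
"""
import re
import shlex
import subprocess

# Which jail watches which syslog source (assumption, matches the usual
# Debian jail.conf sections).
JAIL_FOR_SOURCE = {
    "postfix/smtpd": "postfix-sasl",
    "dovecot": "dovecot",
    "sshd": "sshd",
    "pure-ftpd": "pure-ftpd",
}

# Shape of the status output quoted in the thread.
SAMPLE_STATUS = """\
Status
|- Number of jail: 4
`- Jail list: dovecot, postfix-sasl, pure-ftpd, sshd
"""

# Constructed fail2ban.log excerpt in the stock format: "Found" comes from
# the filter, "Ban"/"Unban" from the action.
SAMPLE_F2B_LOG = """\
2024-07-29 13:06:50,412 fail2ban.filter         [611]: INFO    [postfix-sasl] Found 80.94.95.209 - 2024-07-29 13:06:50
2024-07-29 13:07:28,903 fail2ban.actions        [611]: NOTICE  [postfix-sasl] Ban 80.94.95.209
2024-07-29 13:17:29,101 fail2ban.actions        [611]: NOTICE  [postfix-sasl] Unban 80.94.95.209
"""

BAN_LINE = re.compile(
    r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<action>Ban|Unban|Restore Ban) (?P<ip>\S+)"
)


def parse_jail_list(status_output: str) -> list:
    """Jail names from `fail2ban-client status` output."""
    m = re.search(r"Jail list:\s*(.*)", status_output)
    return [j.strip() for j in m.group(1).split(",") if j.strip()] if m else []


def jail_for_line(log_line: str):
    """Jail that normally handles a syslog line, or None."""
    for source, jail in JAIL_FOR_SOURCE.items():
        if f" {source}" in log_line:  # " postfix/smtpd[2845]:", " dovecot: ", ...
            return jail
    return None


def build_ban_command(jail: str, ip: str, known_jails) -> list:
    """argv for a manual ban; refuse an unknown jail locally instead of
    getting fail2ban's "Sorry but the jail 'JAILNAME' does not exist"."""
    if jail not in known_jails:
        raise ValueError(f"jail {jail!r} is not one of {known_jails}")
    return ["fail2ban-client", "set", jail, "banip", ip]


def run_ban(argv: list, dry_run: bool = True) -> str:
    """dry_run returns the command as a shell string; otherwise it runs it
    (needs root and a running fail2ban server)."""
    if dry_run:
        return " ".join(shlex.quote(a) for a in argv)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def bans_for_ip(fail2ban_log: str, ip: str) -> list:
    """(jail, action) events for ip; an empty list means fail2ban has not
    banned it, so the attempts in mail.log are expected to continue."""
    return [(m["jail"], m["action"])
            for m in BAN_LINE.finditer(fail2ban_log) if m["ip"] == ip]


if __name__ == "__main__":
    line = ("Jul 29 13:06:36 mx1 postfix/smtpd[2845]: warning: unknown[80.94.95.209]: "
            "SASL LOGIN authentication failed: UGFzc3dvcmQ6")
    jails = parse_jail_list(SAMPLE_STATUS)
    jail = jail_for_line(line)
    print(run_ban(build_ban_command(jail, "80.94.95.209", jails)))
    print(bans_for_ip(SAMPLE_F2B_LOG, "80.94.95.209"))
```

After a manual ban, `fail2ban-client status postfix-sasl` lists the currently banned addresses for that jail, and /var/log/fail2ban.log gets a `Ban` line like the constructed one above; a matching `Unban` line appears once bantime expires, after which the same scanner can come back, which is what the iptables suggestion earlier in the thread is for.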