Attacks on MTA

Discussion in 'Installation/Configuration' started by dclardy, Sep 29, 2009.

  1. dclardy

    dclardy Member

    How can I prevent these? I configured the Fail2Ban using Falko's tutorial. I figure it is only a matter of time until they get in.

    Code:
    Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:39 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:40 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:41 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:42 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:43 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:44 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:45 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:46 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:47 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:48 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:49 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:51 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:53 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:54 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 27 21:58:54 server1 pop3d: Maximum connection limit reached for ::ffff:72.245.44.154
Sep 28 01:04:44 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 01:04:45 server1 pop3d: Maximum connection limit reached for ::ffff:81.82.241.67
Sep 28 06:30:32 server1 postfix/smtpd[23691]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:44 server1 postfix/smtpd[23709]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:30:55 server1 postfix/smtpd[23711]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:07 server1 postfix/smtpd[23712]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:18 server1 postfix/smtpd[23719]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:30 server1 postfix/smtpd[23720]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:41 server1 postfix/smtpd[23721]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:31:53 server1 postfix/smtpd[23722]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:04 server1 postfix/smtpd[23723]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:16 server1 postfix/smtpd[23730]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:28 server1 postfix/smtpd[23731]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:39 server1 postfix/smtpd[23732]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
Sep 28 06:32:51 server1 postfix/smtpd[23733]: warning: unknown[203.85.114.102]: SASL LOGIN authentication failed: authentication failure
    Any help would be appreciated. These are not being blocked by Fail2Ban.
     
    dclardy, Sep 29, 2009
    #1
  2. edge

    edge Active Member Moderator

    They are not banned as you probably did not create a rule to do so.
    Have a look at your jail.local, and create a rule for pop3d
     
    edge, Sep 29, 2009
    #2
  3. dclardy

    dclardy Member

    This the configuration for pop3 in fail2ban.

    Code:
    [courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5
    Here is the error in fail2ban:

    Code:
    2009-09-27 06:25:03,593 fail2ban.comm : WARNING Invalid command: ['add', 'courierpop3', 'polling']
     
    dclardy, Sep 29, 2009
    #3
  4. edge

    edge Active Member Moderator

    Are you using courierpop3?

    The rule that you need does probably look something like this (NOT TESTED!)

    [pop3d]

    enabled = true
    port = pop3
    filter = pop3d
    failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath = /var/log/mail.log
    maxretry = 5

    Basicaly the rule scans your mail.log file for the text "pop3d: LOGIN FAILED", and logs the IP who is causig the LOGIN FAILED.
    After a maxretry of 5 times fail2ban will kick in, and block that IP.

    Make sure that you restart fail2ban after adding this.
     
    Last edited: Sep 29, 2009
    edge, Sep 29, 2009
    #4
  5. dclardy

    dclardy Member

    It still does not work. Does anyone have a working jail.local file? I am using the Perfect Server Debian Lenny and ISPConfig 3.0.1.4. It would be a big help.

    Thanks.
     
    Last edited: Sep 29, 2009
    dclardy, Sep 29, 2009
    #5

Share This Page