High Number Of Connection Attempts

Pete-85
Hello,

Can someone confirm that the log excerpt below is most likely a bot of
some kind attempting to authenticate to my Postfix server, please?

Seems like I could do with slowing such attempts down. Any advice on
best practices would be welcome.

[..]

Feb  4 15:00:23 tooms postfix/smtpd[89297]: warning: 213.83.78.219: hostname bri209-79623-rtr-adsl-219.altohiway.com verification failed: hostname nor servname provided, or not known
Feb  4 15:00:23 tooms postfix/smtpd[89298]: warning: 213.83.78.219: hostname bri209-79623-rtr-adsl-219.altohiway.com verification failed: hostname nor servname provided, or not known
Feb  4 15:00:24 tooms postfix/smtpd[89288]: lost connection after AUTH from unknown[213.83.78.219]
Feb  4 15:00:24 tooms postfix/smtpd[89286]: lost connection after AUTH from unknown[213.83.78.219]
Feb  4 15:00:24 tooms postfix/smtpd[89289]: lost connection after AUTH from unknown[213.83.78.219]
Feb  4 15:00:24 tooms postfix/smtpd[89290]: lost connection after AUTH from unknown[213.83.78.219]

[..]

The full log file can be found here:

http://nrth.org/abuse/2012-02-04-opal_solutions-talktalk-smtp-auth.txt

I've grep'd 938 instances of the following line:

Feb  4 15:00:32 tooms postfix/smtpd[89288]: lost connection after AUTH from unknown[213.83.78.219]

This was between 15:00 and 15:08 today. 'altohiway.com' is now blocked
for the time being.

Thanks for your time.

Regards,

Pete.



Re: High Number Of Connection Attempts

Nick Bright-3
On 2/4/2012 11:47 AM, Pete wrote:
> Hello,
>
> Can someone confirm that the log excerpt below is most likely a bot of
> some kind attempting to authenticate to my Postfix server, please?
>

That looks like a brute force attempt, or at least a bot looking for
weak passwords. I see the same things in my logs, too.

The only thing I have found is ConfigServer firewall:

http://configserver.com/cp/csf.html

It is a dynamic firewall containing a "login failure daemon" that
monitors for failed logins on various services, and blocks offending
IPs based on your defined thresholds.

I hope that this helps!

  - Nick Bright


Re: High Number Of Connection Attempts

Pete-85
On 04/02/2012 17:58, Nick Bright wrote:

> On 2/4/2012 11:47 AM, Pete wrote:
>> Hello,
>>
>> Can someone confirm that the log excerpt below is most likely a bot of
>> some kind attempting to authenticate to my Postfix server, please?
>>
>
> That looks like a brute force attempt, or at least a bot looking for
> weak passwords. I see the same things in my logs, too.
>
> The only thing I have found is ConfigServer firewall:
>
> http://configserver.com/cp/csf.html
[..]

Thanks Nick, I'll take a look.


Regards,

Pete.



Re: High Number Of Connection Attempts

Nikolaos Milas
On 4/2/2012 7:58 PM, Nick Bright wrote:

>
> The only thing I have found is ConfigServer firewall:
>
> http://configserver.com/cp/csf.html
>
> It is a dynamic firewall containing a "login failure daemon" that
> monitors for failed logins on various services, and blocks offending
> IPs based on your defined thresholds.
>

And, if you are on Linux, the good old Fail2ban... (if you are not using
IPv6, or if you don't badly need to avert offensives over IPv6).

I am always hoping they will sometime support IPv6.

Check: http://www.fail2ban.org

Nick
Re: High Number Of Connection Attempts

Simon Brereton-2

On Feb 4, 2012 1:03 PM, "Pete" <[hidden email]> wrote:
>
> On 04/02/2012 17:58, Nick Bright wrote:
>>
>> On 2/4/2012 11:47 AM, Pete wrote:
>>>
>>> Hello,
>>>
>>> Can someone confirm that the log excerpt below is most likely a bot of
>>> some kind attempting to authenticate to my Postfix server, please?
>>>
>>
>> That looks like a brute force attempt, or at least a bot looking for
>> weak passwords. I see the same things in my logs, too.
>>
>> The only thing I have found is ConfigServer firewall:
>>
>> http://configserver.com/cp/csf.html
>
>
> [..]
>
> Thanks Nick, I'll take a look.

I use fail2ban to limit brute auth attempts like that. You can set it up so that 3 fails in a minute is a 20 ban. I'd rather have people call the help desk than a weak password get cracked.

Simon


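The threshold logic that fail2ban and CSF's login failure daemon apply to log lines like the excerpt at the top of this thread, written out as an added example; this is not code from the thread, from fail2ban or from ConfigServer. It counts "lost connection after AUTH" lines per source IP (the same grep Pete ran) and then applies a per-IP sliding window so that an IP with maxretry hits inside findtime seconds is reported, which is how Simon's "3 fails in a minute" rule works. The option names maxretry and findtime are borrowed from fail2ban's own jail settings; the log lines below are constructed in the page's format with documentation IP addresses, and the reverse-DNS warning lines are deliberately left out of the count because they say nothing about authentication.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches a Postfix smtpd line recording a client that dropped the connection
# right after AUTH (the line Pete grep'd 938 times). The "hostname ...
# verification failed" warnings are reverse-DNS noise and are not matched.
AUTH_DROP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[(?P<ip>[0-9a-fA-F:.]+)\]$"
)

# Constructed sample in the thread's log format (not the real log file):
# one client making three quick attempts, one making two far apart.
SAMPLE_LOG = """\
Feb  4 15:00:23 tooms postfix/smtpd[89297]: warning: 192.0.2.10: hostname host.example.invalid verification failed: hostname nor servname provided, or not known
Feb  4 15:00:24 tooms postfix/smtpd[89288]: lost connection after AUTH from unknown[192.0.2.10]
Feb  4 15:00:24 tooms postfix/smtpd[89286]: lost connection after AUTH from unknown[192.0.2.10]
Feb  4 15:00:31 tooms postfix/smtpd[89290]: lost connection after AUTH from unknown[198.51.100.7]
Feb  4 15:00:32 tooms postfix/smtpd[89289]: lost connection after AUTH from unknown[192.0.2.10]
Feb  4 15:03:40 tooms postfix/smtpd[89301]: lost connection after AUTH from unknown[198.51.100.7]
Feb  4 15:03:41 tooms postfix/smtpd[89302]: connect from mail.example.net[203.0.113.5]
""".splitlines()


def parse_auth_drops(lines, year=2012):
    """Yield (timestamp, ip) for every 'lost connection after AUTH' line.

    Syslog timestamps carry no year, so the caller supplies one (assumed).
    """
    for line in lines:
        m = AUTH_DROP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def count_auth_drops(lines, year=2012):
    """Total AUTH drops per source IP: the same number Pete's grep produced."""
    counts = defaultdict(int)
    for _, ip in parse_auth_drops(lines, year):
        counts[ip] += 1
    return dict(counts)


def find_offenders(lines, maxretry=3, findtime=60, year=2012):
    """Return {ip: time_of_trigger} for IPs with >= maxretry drops inside findtime seconds.

    A per-IP deque holds the timestamps still inside the window; the oldest are
    evicted as time moves on, mirroring fail2ban's maxretry/findtime behaviour.
    An IP is reported once, at the moment it first crosses the threshold, which
    is where a ban action (firewall rule for bantime seconds) would be attached.
    """
    windows = defaultdict(deque)
    offenders = {}
    for ts, ip in parse_auth_drops(lines, year):
        if ip in offenders:
            continue  # already reported; a real jail would ignore it until unbanned
        w = windows[ip]
        w.append(ts)
        while w and (ts - w[0]).total_seconds() > findtime:
            w.popleft()
        if len(w) >= maxretry:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, n in sorted(count_auth_drops(SAMPLE_LOG).items()):
        print(f"{ip:16} {n} AUTH drops")
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip:16} crossed 3-in-60s threshold at {when:%H:%M:%S}")
```

Run it against a real mail log with `find_offenders(open("/var/log/maillog"))` and tune maxretry and findtime before wiring anything to a firewall; the same scan also makes it easy to confirm that the lines driving a ban are AUTH failures and not the reverse-DNS warnings that appear beside them.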
Re: High Number Of Connection Attempts

Pete-85
On 04/02/2012 18:45, Simon Brereton wrote:

>
> On Feb 4, 2012 1:03 PM, "Pete" <[hidden email] <mailto:[hidden email]>> wrote:
>  >
>  > On 04/02/2012 17:58, Nick Bright wrote:
>  >>
>  >> On 2/4/2012 11:47 AM, Pete wrote:
>  >>>
>  >>> Hello,
>  >>>
>  >>> Can someone confirm that the log excerpt below is most likely a bot of
>  >>> some kind attempting to authenticate to my Postfix server, please?
>  >>>
>  >>
>  >> That looks like a brute force attempt, or at least a bot looking for
>  >> weak passwords. I see the same things in my logs, too.
>  >>
>  >> The only thing I have found is ConfigServer firewall:
>  >>
>  >> http://configserver.com/cp/csf.html
>  >
>  >
>  > [..]
>  >
>  > Thanks Nick, I'll take a look.
>
> I use fail2ban to limit brute auth attempts like that. You can set it
> up so that 3 fails in a minute is a 20 ban. I'd rather have people call
> the help desk than a weak password get cracked.
I agree. Thanks for the tip.

As fail2ban is in the FreeBSD ports tree I'll give that a blast first
but have bookmarked the configserver site.

Regards,

Pete.


