auth=0/1

auth=0/1

Helmut Schneider
Hi,

Jan 27 13:02:37 h2786452 postfix-out/smtpd[8469]: disconnect from unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3
Jan 27 13:02:58 h2786452 postfix-out/smtpd[8469]: disconnect from unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3
Jan 27 13:03:24 h2786452 postfix-out/smtpd[8469]: disconnect from unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3
Jan 27 13:03:44 h2786452 postfix-out/smtpd[8469]: disconnect from unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3
Jan 27 13:04:09 h2786452 postfix-out/smtpd[8469]: disconnect from unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3

Before I block with fail2ban, does auth=0/1 ALWAYS mean that s/o tried
to use smtp without authentication?

Thank you!
Re: auth=0/1

Dominic Raferd
On Mon, 27 Jan 2020 at 12:36, Helmut Ritter <[hidden email]> wrote:
Jan 27 13:02:37 h2786452 postfix-out/smtpd[8469]: disconnect from unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3

Before I block with fail2ban, does auth=0/1 ALWAYS mean that s/o tried
to use smtp without authentication?

I think it means that authentication was required (by your smtpd) and was not achieved by the client; not necessarily that they did not try auth, just that whether or not they tried it, they were not authenticated. Sometimes I see auth=0/2 or auth=0/3. I treat 'auth=0/' as a potential ban event for my bespoke fail2ban jail.
Re: auth=0/1

Bill Cole-3
On 27 Jan 2020, at 8:08, Dominic Raferd wrote:

> On Mon, 27 Jan 2020 at 12:36, Helmut Ritter <[hidden email]> wrote:
>
>> Jan 27 13:02:37 h2786452 postfix-out/smtpd[8469]: disconnect from
>> unknown[193.56.28.30] ehlo=1 auth=0/1 quit=1 commands=2/3
>>
>> Before I block with fail2ban, does auth=0/1 ALWAYS mean that s/o
>> tried
>> to use smtp without authentication?
>>
>
> I think it means that authentication was required (by your smtpd) and
> was
> not achieved by the client; not necessarily that they did not try
> auth,
> just that whether or not they tried it, they were not authenticated.

Nope.

It means that they attempted authentication 1 time but failed.


> Sometimes I see auth=0/2 or auth=0/3.

Which means they tried 2 or 3 times.

> I treat 'auth=0/' as a potential ban
> event for my bespoke fail2ban jail.

Which is usually fine, IF you do not support authentication for the
smtpd instance. There's usually no need to support authentication on
port 25 if you have submission instances on ports 587 and/or 465, and if
"smtpd_sasl_auth_enable = no" there's no excuse for any SMTP client to
even try AUTH.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: auth=0/1

@lbutlr
On 27 Jan 2020, at 06:42, Bill Cole <[hidden email]> wrote:
> It means that they attempted authentication 1 time but failed.
>
>> Sometimes I see auth=0/2 or auth=0/3.
>
> Which means they tried 2 or 3 times.

Hmm. I see blocks like these throughout my logs:

Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: connect from unknown[77.105.44.25]
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: lost connection after EHLO from unknown[77.105.44.25]
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: disconnect from unknown[77.105.44.25] ehlo=1 auth=0/1 commands=1/2
Jan 27 11:40:28 mail postfix/submit/smtpd[62764]: connect from unknown[77.105.44.25]
Jan 27 11:40:29 mail postfix/submit/smtpd[62764]: lost connection after EHLO from unknown[77.105.44.25]
Jan 27 11:40:29 mail postfix/submit/smtpd[62764]: disconnect from unknown[77.105.44.25] ehlo=1 auth=0/1 commands=1/2

Etc. repeated many times.

The only other lines related to these connections are, nearly universally:

Jan 27 11:46:19 mail postfix/anvil[54251]: statistics: max connection count 3 for (submission:77.105.44.25) at Jan 27 11:40:25
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: warning: hostname 77-105-44-25.adsl-2.sezampro.rs does not resolve to address 77.105.44.25: hostname nor servname provided, or not known
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: warning: hostname 77-105-44-25.adsl-2.sezampro.rs does not resolve to address 77.105.44.25: hostname nor servname provided, or not known

But the auth count never increases.

(postfix/submit is the syslog_name set for the submission port in master.cf)



--
THE PRESIDENT DID IT IS NOT AN EXCUSE Bart chalkboard Ep. AABF05


Re: auth=0/1

Bill Cole-3
On 27 Jan 2020, at 14:27, @lbutlr wrote:

> On 27 Jan 2020, at 06:42, Bill Cole
> <[hidden email]> wrote:
>> It means that they attempted authentication 1 time but failed.
>>
>>> Sometimes I see auth=0/2 or auth=0/3.
>>
>> Which means they tried 2 or 3 times.
>
> Hmm. I see blocks like these throughout my logs:
>
> Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: connect from
> unknown[77.105.44.25]
> Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: lost connection
> after EHLO from unknown[77.105.44.25]
> Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: disconnect from
> unknown[77.105.44.25] ehlo=1 auth=0/1 commands=1/2
> Jan 27 11:40:28 mail postfix/submit/smtpd[62764]: connect from
> unknown[77.105.44.25]
> Jan 27 11:40:29 mail postfix/submit/smtpd[62764]: lost connection
> after EHLO from unknown[77.105.44.25]
> Jan 27 11:40:29 mail postfix/submit/smtpd[62764]: disconnect from
> unknown[77.105.44.25] ehlo=1 auth=0/1 commands=1/2
>
> Etc. repeated many times.

Each trio of connect/lost connection/disconnect lines relates to one TCP
session. The prober is connecting, sending an EHLO SMTP command (which
succeeds because the hostname has a valid syntax), an AUTH SMTP command
which fails, and then a TCP RESET packet (or maybe a FIN) without the
formally correct QUIT SMTP command. The 'disconnect' lines describe that
behavior succinctly: ehlo=1 auth=0/1 commands=1/2


>
> The only other lines related to these connection are, nearly
> universally:
>
> Jan 27 11:46:19 mail postfix/anvil[54251]: statistics: max connection
> count 3 for (submission:77.105.44.25) at Jan 27 11:40:25
> Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: warning: hostname
> 77-105-44-25.adsl-2.sezampro.rs does not resolve to address
> 77.105.44.25: hostname nor servname provided, or not known
> Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: warning: hostname
> 77-105-44-25.adsl-2.sezampro.rs does not resolve to address
> 77.105.44.25: hostname nor servname provided, or not known
>
> But the auth count never increases.


Right, because they are only trying to authenticate once per connection
and dropping the connection. If they had tried to authenticate 2 times
on the same connection, there would be one 'disconnect from' line with
'auth=0/2'.





--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
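The two points Bill makes above, that `auth=0/1` is one AUTH attempt with zero successes (the `ok/total` form Postfix uses when some attempts of a command failed, versus plain `auth=1` when all succeeded), and that a prober reconnecting for every attempt never shows more than `auth=0/1` per line, so a ban decision has to sum over sessions per client, can be turned into a small log-review script. The following is an added example written for this thread, not code from the posts or from Postfix or fail2ban. The log lines are constructed (documentation IP ranges, not the addresses from the thread), the function names are mine, the `max_failures` threshold is illustrative in the way a fail2ban `maxretry` would be, and the set of instances that offer SASL is passed in as an assumption about the local `master.cf` rather than read from it:

```python
import re
from collections import defaultdict

# Constructed sample in the 'disconnect from' format shown in the thread.
# Addresses are from documentation ranges; counters mirror the posted patterns:
# a prober on the submission instance (new session per attempt), a prober on a
# port-25 instance named postfix-out where SASL is not offered, and one
# legitimate client that authenticated and delivered a message.
SAMPLE_LOG = """\
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: connect from unknown[192.0.2.10]
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: lost connection after EHLO from unknown[192.0.2.10]
Jan 27 11:40:25 mail postfix/submit/smtpd[62764]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Jan 27 11:40:28 mail postfix/submit/smtpd[62764]: connect from unknown[192.0.2.10]
Jan 27 11:40:29 mail postfix/submit/smtpd[62764]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 commands=1/2
Jan 27 13:02:37 mail postfix-out/smtpd[8469]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/1 quit=1 commands=2/3
Jan 27 13:02:58 mail postfix-out/smtpd[8469]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/3 quit=1 commands=2/5
Jan 27 13:05:00 mail postfix/submit/smtpd[62770]: disconnect from laptop.example.net[203.0.113.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\S+?)\[(?P<pid>\d+)\]: disconnect from "
    r"(?P<rdns>\S+?)\[(?P<ip>[^\]]+)\](?P<counters>.*)$"
)
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_disconnect(line):
    """Parse one 'disconnect from' summary into (instance, ip, counters).

    Each counter is stored as (ok, total): Postfix writes name=N when every
    attempt of that command succeeded and name=ok/total otherwise, so
    'auth=0/1' becomes ('auth': (0, 1)). Returns None for other log lines.
    """
    m = DISCONNECT_RE.match(line)
    if not m:
        return None
    counters = {}
    for name, ok, total in COUNTER_RE.findall(m.group("counters")):
        ok = int(ok)
        counters[name] = (ok, int(total) if total else ok)
    # 'postfix/submit/smtpd' -> 'postfix/submit', i.e. the syslog_name of the
    # smtpd instance, which tells us which listener the client talked to.
    instance = m.group("prog").rsplit("/smtpd", 1)[0]
    return instance, m.group("ip"), counters


def auth_failures_per_client(log_text, sasl_instances):
    """Sum AUTH outcomes across sessions, keyed by client IP.

    Because the prober opens a fresh TCP session for every attempt, no single
    line exceeds auth=0/1; only the per-IP sum over sessions reflects the
    real attempt count. 'auth_on_nosasl' counts AUTH attempts made against an
    instance that does not offer SASL at all (smtpd_sasl_auth_enable = no),
    which no well-behaved client has any reason to do.
    """
    stats = defaultdict(lambda: {"sessions": 0, "auth_failed": 0,
                                 "auth_ok": 0, "auth_on_nosasl": 0})
    for line in log_text.splitlines():
        rec = parse_disconnect(line)
        if rec is None:
            continue
        instance, ip, counters = rec
        s = stats[ip]
        s["sessions"] += 1
        ok, total = counters.get("auth", (0, 0))
        s["auth_ok"] += ok
        s["auth_failed"] += total - ok
        if total and instance not in sasl_instances:
            s["auth_on_nosasl"] += total
    return dict(stats)


def ban_candidates(stats, max_failures=3):
    """Clients worth a fail2ban-style action: repeated failed AUTH with no
    success at all, or any AUTH attempt on an instance without SASL.
    max_failures is an illustrative threshold (assumption, like maxretry)."""
    out = set()
    for ip, s in stats.items():
        if s["auth_ok"] == 0 and s["auth_failed"] >= max_failures:
            out.add(ip)
        if s["auth_on_nosasl"] > 0:
            out.add(ip)
    return out


if __name__ == "__main__":
    # Assumption about this host: only the submission instance offers SASL.
    summary = auth_failures_per_client(SAMPLE_LOG, {"postfix/submit"})
    for ip, s in summary.items():
        print(ip, s)
    print("candidates:", sorted(ban_candidates(summary)))
```

Run against the sample, the submission prober accumulates two failures over two sessions, below a threshold of three, while the port-25 prober is flagged immediately because it sent AUTH to an instance that does not offer it. Lowering the threshold to two catches both; a real jail would also bound the window in time, which this sketch does not.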
Re: auth=0/1

@lbutlr

On 27 Jan 2020, at 12:42, Bill Cole <[hidden email]> wrote:
> Right, because they are only trying to authenticate once per connection and dropping the connection. If they had tried to authenticate 2 times on the same connection, there would be one 'disconnect from' line with 'auth=0/2'

Ah, that does make sense. Thanks



--
We all need help with our feelings. Otherwise, we bottle them up, and
        before you know it powerful laxatives are involved.