growing size of mail.log file - postfix logs


growing size of mail.log file - postfix logs

Poliman - Serwis
Hi everyone. In the mail.log file I have many lines like the ones below:
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept error from house.census.shodan.io[89.248.172.16]: -1
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:966:
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: connect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: connect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: connect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: connect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:31 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:31 vps342401 postfix/smtps/smtpd[14637]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:31 vps342401 postfix/smtps/smtpd[14642]: connect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:31 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:31 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:32 vps342401 postfix/smtps/smtpd[14637]: connect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:32 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:32 vps342401 postfix/smtps/smtpd[14637]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:32 vps342401 postfix/smtps/smtpd[14642]: connect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:32 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:32 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]

and

Mar  2 07:15:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<BctoWblJjAB/AAAB>
Mar  2 07:15:01 vps342401 postfix/smtpd[15427]: lost connection after CONNECT from localhost[127.0.0.1]
Mar  2 07:15:01 vps342401 postfix/smtpd[15427]: disconnect from localhost[127.0.0.1]
Mar  2 07:20:01 vps342401 postfix/smtpd[15591]: connect from localhost[127.0.0.1]
Mar  2 07:20:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<+TxOa7lJ/AB/AAAB>
Mar  2 07:20:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<z1FOa7lJmAB/AAAB>
Mar  2 07:20:01 vps342401 postfix/smtpd[15591]: lost connection after CONNECT from localhost[127.0.0.1]
Mar  2 07:20:01 vps342401 postfix/smtpd[15591]: disconnect from localhost[127.0.0.1]
Mar  2 07:25:01 vps342401 postfix/smtpd[15751]: connect from localhost[127.0.0.1]
Mar  2 07:25:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<znkzfblJCAB/AAAB>

In two days the log file has grown to 18MB. What is wrong?


--
Pozdrawiam / Best Regards
Piotr Bracha



tel. 534 555 877
[hidden email]

Re: growing size of mail.log file - postfix logs

Patrick Ben Koetter-2
* Poliman - Serwis <[hidden email]>:
> Hi everyone. In mail.log file I have many lines like below:
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept error from house.census.shodan.io[89.248.172.16]: -1
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:966:

Postfix refuses to use SSLv3.


> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]

house.census.shodan.io tries to connect to your Postfix server and then nothing
happens. Unless every other host has this problem too, you will have to talk
to the people who run house.census.shodan.io to find out why their client
doesn't proceed with an SMTP session. Chances are their host's problem is that it
is unable to use any other/newer TLS protocol version.


> and
>
> Mar  2 07:15:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<BctoWblJjAB/AAAB>
> Mar  2 07:20:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<+TxOa7lJ/AB/AAAB>
> Mar  2 07:20:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<z1FOa7lJmAB/AAAB>
> Mar  2 07:25:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<znkzfblJCAB/AAAB>

Something (a program?) on your server connects to your dovecot service and
disconnects. Find out what it is.

 
> From two days log file has 18MB. What is wrong?

The log size is not necessarily an indicator that something is wrong on your
machine. On busy machines 18 MB growth is a matter of minutes.

How recurring are the errors in the LOG? Is it always the same error? Is it
always the same host having problems with your server?

p@rick


--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
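The questions Patrick asks (is it always the same error, always the same host, how often) can be answered from the log itself. The script below is an added example, not code from this thread or from the Postfix or Dovecot projects. It parses syslog-format Postfix and Dovecot lines like the ones quoted, attributes peer-less lines such as the TLS warning to the last peer seen on the same smtpd pid (Postfix logs one session per process at a time, so the pid ties the lines together), counts events per source address, and checks whether a source hits at a fixed interval, which for the 127.0.0.1 Dovecot lines five minutes apart points at a cron-driven monitor rather than an attacker. The sample lines are a constructed subset of those in the thread; the function names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the lines quoted in this thread, not a live capture.
SAMPLE_LOG = """\
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept error from house.census.shodan.io[89.248.172.16]: -1
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:966:
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: connect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:31 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 07:15:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<BctoWblJjAB/AAAB>
Mar  2 07:15:01 vps342401 postfix/smtpd[15427]: lost connection after CONNECT from localhost[127.0.0.1]
Mar  2 07:20:01 vps342401 postfix/smtpd[15591]: connect from localhost[127.0.0.1]
Mar  2 07:20:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<+TxOa7lJ/AB/AAAB>
Mar  2 07:20:01 vps342401 postfix/smtpd[15591]: lost connection after CONNECT from localhost[127.0.0.1]
Mar  2 07:25:01 vps342401 postfix/smtpd[15751]: connect from localhost[127.0.0.1]
Mar  2 07:25:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<znkzfblJCAB/AAAB>
"""

# Classic syslog prefix: "Mon dd HH:MM:SS host program[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w/.-]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
PEER_RE = re.compile(r' from \S+\[(?P<ip>[\d.]+)\]')   # Postfix "from name[ip]"
EVENT_RE = re.compile(r' from \S+\[[\d.]+\].*$')       # strip peer to get the event type
RIP_RE = re.compile(r'\brip=(?P<ip>[\d.]+)')           # Dovecot remote ip


def parse_line(line):
    """Return a record with timestamp, program, pid, source ip and event type, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {'ts': datetime.strptime(m['ts'], '%b %d %H:%M:%S'),
           'prog': m['prog'], 'pid': m['pid']}
    msg = m['msg']
    if rec['prog'] == 'dovecot':
        rip = RIP_RE.search(msg)
        rec['ip'] = rip['ip'] if rip else None
        rec['event'] = msg.split(': user=', 1)[0]      # e.g. "pop3-login: Disconnected (...)"
    else:
        peer = PEER_RE.search(msg)
        rec['ip'] = peer['ip'] if peer else None
        rec['event'] = EVENT_RE.sub('', msg)           # "connect", "disconnect", "SSL_accept error", ...
    return rec


def parse_log(lines):
    """Parse all lines; lines without a peer (TLS warnings) inherit the last peer on the same pid."""
    last_peer, events = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['prog'], rec['pid'])
        if rec['ip'] is None:
            rec['ip'] = last_peer.get(key)
        else:
            last_peer[key] = rec['ip']
        events.append(rec)
    return events


def summarize(events):
    """Counts per (source ip, event type): answers 'same error? same host?'."""
    return Counter((e['ip'], e['event']) for e in events)


def by_source(events):
    """Total lines per source ip: who is responsible for the log volume."""
    return Counter(e['ip'] for e in events)


def cadence_seconds(events, ip, prog, min_samples=3):
    """Return the interval in seconds if ip hits prog at a fixed period (a scheduled check), else None."""
    stamps = sorted({e['ts'] for e in events if e['ip'] == ip and e['prog'].startswith(prog)})
    if len(stamps) < min_samples:
        return None
    deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if max(deltas) - min(deltas) <= 1:                 # tolerate a second of jitter
        return round(sum(deltas) / len(deltas))
    return None


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG.splitlines())
    for (ip, event), n in summarize(evs).most_common():
        print(f'{n:4d}  {ip:15}  {event}')
    print('lines per source:', dict(by_source(evs)))
    print('dovecot cadence from 127.0.0.1:', cadence_seconds(evs, '127.0.0.1', 'dovecot'), 's')
```

Run it against a real file with `parse_log(open('/var/log/mail.log'))`; a source that returns a fixed cadence of 300 seconds from 127.0.0.1 is a strong hint to look in the crontabs and monitoring agents on the box, while a single external address dominating `by_source` with "lost connection after CONNECT" is the scanner pattern discussed here.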
 

Re: growing size of mail.log file - postfix logs

lists@lazygranch.com
On Thu, 2 Mar 2017 08:34:59 +0100
Patrick Ben Koetter <[hidden email]> wrote:

> * Poliman - Serwis <[hidden email]>:
> > Hi everyone. In mail.log file I have many lines like below:
> > Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept
> > error from house.census.shodan.io[89.248.172.16]: -1 Mar  2
> > 06:53:30 vps342401 postfix/smtps/smtpd[14642]: warning: TLS library
> > problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong
> > version number:s3_srvr.c:966:  
>
> Postfix refuses to use SSLv3.
>
>
> > Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost
> > connection after CONNECT from house.census.shodan.io[89.248.172.16]
> > Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect
> > from house.census.shodan.io[89.248.172.16] Mar  2 06:53:30
> > vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT
> > from house.census.shodan.io[89.248.172.16]  
>
> house.census.shodan.io tries to connect your Postfix server and then
> nothing happens. Unless every other host has this problem too, you
> will have to talk to the people who run house.census.shodan.io to
> find out why their client doesn't proceed with a SMTP session.
> Chances are their hosts problem is, it is unable to use any
> other/newer TLS protocol version.
>
>
> > and
> >
> > Mar  2 07:15:01 vps342401 dovecot: pop3-login: Disconnected (no
> > auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1,
> > secured, session=<BctoWblJjAB/AAAB> Mar  2 07:20:01 vps342401
> > dovecot: imap-login: Disconnected (disconnected before auth was
> > ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1,
> > secured, session=<+TxOa7lJ/AB/AAAB> Mar  2 07:20:01 vps342401
> > dovecot: pop3-login: Disconnected (no auth attempts in 0 secs):
> > user=<>, rip=127.0.0.1, lip=127.0.0.1, secured,
> > session=<z1FOa7lJmAB/AAAB> Mar  2 07:25:01 vps342401 dovecot:
> > imap-login: Disconnected (disconnected before auth was ready,
> > waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured,
> > session=<znkzfblJCAB/AAAB>  
>
> Something - a program ? - on your server connects to your dovecot
> service and disconnects. Find out what it is.
>
>  
> > From two days log file has 18MB. What is wrong?  
>
> The log size is not necessarily an indicator that something is wrong
> on your machine. On busy machines 18 MB growth is a matter of minutes.
>
> How recurring are the errors in the LOG? Is it always the same error?
> Is it always the same host having problems with your server?
>
> p@rick

I block that server from all but port 25. It will password guess until
the cows come home.  I had no idea it was associated with shodan, but
now all the more reason to block it.

#novogara
ipfw table 1 add  89.248.160.0/21
ipfw table 1 add  89.248.169.0/24
ipfw table 1 add  89.248.170.0/23
ipfw table 1 add  89.248.172.0/23
ipfw table 1 add  89.248.174.0/24
ipfw table 1 add  93.174.88.0/21
ipfw table 1 add  94.102.48.0/20

There is a snowshoe-type botnet password guesser hosted at Digital
Ocean. Being a customer of theirs, I complained. It stopped for a few
days, but it is back again. They password guess in sequence.

138.68.90.75
139.59.158.92
207.154.221.122

Also the "141" block of the University of Michigan. I have contacted
them to see if they are doing "research", but I get no reply.

ipfw table 3 add 141.211.0.0/16
ipfw table 3 add 141.212.0.0/16
ipfw table 3 add 141.213.0.0/16
ipfw table 3 add 141.214.0.0/16

Mind you, I can block these ports because I'm the only customer of my
server.

Yes I know fail2ban is the way to go, but my cellphone creates some
chatter that would trigger an aggressive fail2ban.


Re: growing size of mail.log file - postfix logs

Wilfried.Essig@Essignetz.de
In reply to this post by Poliman - Serwis
> From two days log file has 18MB. What is wrong?


Do you still have logging active from your thread "dovecot cram-md5 setting break sending emails"?


Willi


Re: growing size of mail.log file - postfix logs

Poliman - Serwis
In reply to this post by Patrick Ben Koetter-2
Strange thing with
Mar  2 07:25:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<znkzfblJCAB/AAAB>
and
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]

because I've checked and house.census.shodan.io is on a few spam lists. Second thing: I have a clean server with only a few services, like apache, php, mysql, pureftp, postfix and dovecot, and I seriously have no idea how to check what connects/disconnects to the dovecot service. I point out the size of the file because the file from 26 Feb has only 6.3MB, and the one from 20 Feb only 2MB. So it looks like the size is growing.

2017-03-02 8:34 GMT+01:00 Patrick Ben Koetter <[hidden email]>:
* Poliman - Serwis <[hidden email]>:
> Hi everyone. In mail.log file I have many lines like below:
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept error from house.census.shodan.io[89.248.172.16]: -1
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:966:

Postfix refuses to use SSLv3.


> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]

house.census.shodan.io tries to connect your Postfix server and then nothing
happens. Unless every other host has this problem too, you will have to talk
to the people who run house.census.shodan.io to find out why their client
doesn't proceed with a SMTP session. Chances are their hosts problem is, it
is unable to use any other/newer TLS protocol version.


> and
>
> Mar  2 07:15:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<BctoWblJjAB/AAAB>
> Mar  2 07:20:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<+TxOa7lJ/AB/AAAB>
> Mar  2 07:20:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<z1FOa7lJmAB/AAAB>
> Mar  2 07:25:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<znkzfblJCAB/AAAB>

Something - a program ? - on your server connects to your dovecot service and
disconnects. Find out what it is.


> From two days log file has 18MB. What is wrong?

The log size is not necessarily an indicator that something is wrong on your
machine. On busy machines 18 MB growth is a matter of minutes.

How recurring are the errors in the LOG? Is it always the same error? Is it
always the same host having problems with your server?

p@rick


--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein




--
Pozdrawiam / Best Regards
Piotr Bracha



tel. 534 555 877
[hidden email]

Re: growing size of mail.log file - postfix logs

Viktor Dukhovni
In reply to this post by Poliman - Serwis
On Thu, Mar 02, 2017 at 08:06:57AM +0100, Poliman - Serwis wrote:

> Hi everyone. In mail.log file I have many lines like below:
> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept error from
> house.census.shodan.io[89.248.172.16]: -1

See

    https://www.shodan.io/

This plus the word "census" is a pretty clear hint that this site
does whole-internet scans for connected devices and records supported
TLS versions, ...

You can just ignore them, or even apply firewall rules, if you find
the log entries sufficiently annoying to take action.

--
        Viktor.
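Viktor's firewall option and the earlier remark that an aggressive fail2ban would trip on the poster's own phone are reconciled by a threshold with an ignore list. The following is an added example, not fail2ban's code or anything posted in this thread; it implements the fail2ban-style maxretry/findtime/bantime decision as a sliding window per source address, with an allow-listed network standing in for the phone and ban expiry so that a blocked address is reconsidered later. The failure events are constructed (timestamps in seconds, IP strings); 192.0.2.0/24 and 198.51.100.7 are documentation addresses I chose, and the three Digital Ocean addresses from the thread are included only to show that a per-address threshold does not catch a snowshoe pattern that spreads a few guesses across many hosts.

```python
import ipaddress
from collections import defaultdict, deque


class BanPolicy:
    """fail2ban-style decision: ban ip after maxretry failures within findtime seconds,
    for bantime seconds, unless ip falls inside an ignored network."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignore=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n) for n in ignore]
        self.failures = defaultdict(deque)   # ip -> failure timestamps inside the window
        self.banned = {}                     # ip -> ban expiry timestamp

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def record_failure(self, ts, ip):
        """Feed one failure; return True only when it triggers a new ban."""
        if self.is_ignored(ip):
            return False
        if ip in self.banned:
            if self.banned[ip] > ts:
                return False             # still banned, nothing new
            del self.banned[ip]          # ban expired: count from scratch
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()             # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            return True
        return False

    def active_bans(self, now):
        return sorted(ip for ip, expiry in self.banned.items() if expiry > now)


# Constructed failure stream (seconds, source ip), not a real capture.
SAMPLE_EVENTS = sorted(
    [(t, '89.248.172.16') for t in range(6)] +                       # scanner: 6 hits in 6 s
    [(t * 2, '192.0.2.10') for t in range(10)] +                     # the admin's phone, allow-listed
    [(t, ip) for ip in ('138.68.90.75', '139.59.158.92', '207.154.221.122')
     for t in (30, 31)] +                                            # snowshoe: 2 hits per host
    [(t * 1800, '198.51.100.7') for t in range(5)]                   # slow guesser: 1 hit / 30 min
)


def run_sample():
    """Replay the constructed stream; return the policy and the list of new bans."""
    policy = BanPolicy(maxretry=5, findtime=600, bantime=3600,
                       ignore=('192.0.2.0/24', '127.0.0.1/32'))
    bans = [(ts, ip) for ts, ip in SAMPLE_EVENTS if policy.record_failure(ts, ip)]
    return policy, bans


if __name__ == '__main__':
    policy, bans = run_sample()
    print('new bans:', bans)
    print('active at t=100:', policy.active_bans(100))
    print('active at t=4000:', policy.active_bans(4000))
```

Only the scanner address is banned; the phone never counts because of the ignore list, and neither the slow guesser nor the three snowshoe hosts reach five failures inside the ten-minute window. That last outcome is the point: a per-address threshold is the right tool for the shodan-style noise, while the distributed guessing described above needs a different signal (for example, counting failures per target account rather than per source).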

Re: growing size of mail.log file - postfix logs

Phil Stracchino
On 03/02/17 09:09, Viktor Dukhovni wrote:

> On Thu, Mar 02, 2017 at 08:06:57AM +0100, Poliman - Serwis wrote:
>
>> Hi everyone. In mail.log file I have many lines like below:
>> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept error from
>> house.census.shodan.io[89.248.172.16]: -1
>
> See
>
>     https://www.shodan.io/
>
> This plus the word "census" is a pretty clear hint that this site
> does whole-internet scans for connected devices and records supported
> TLS versions, ...


Specifically, shodan.io scans the 'net for insecure IoT devices.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: 603.293.8485

Re: growing size of mail.log file - postfix logs

Poliman - Serwis
Thanks guys for pro tips. ;)

2017-03-02 15:23 GMT+01:00 Phil Stracchino <[hidden email]>:
On 03/02/17 09:09, Viktor Dukhovni wrote:
> On Thu, Mar 02, 2017 at 08:06:57AM +0100, Poliman - Serwis wrote:
>
>> Hi everyone. In mail.log file I have many lines like below:
>> Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept error from
>> house.census.shodan.io[89.248.172.16]: -1
>
> See
>
>     https://www.shodan.io/
>
> This plus the word "census" is a pretty clear hint that this site
> does whole-internet scans for connected devices and records supported
> TLS versions, ...


Specifically, shodan.io scans the 'net for insecure IoT devices.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: 603.293.8485



--
Pozdrawiam / Best Regards
Piotr Bracha



tel. 534 555 877
[hidden email]