repeated connect and disconnect

repeated connect and disconnect

lists@lazygranch.com
Is there something I should be doing to mitigate this problem?

Oct  8 02:11:42 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:44 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:45 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:45 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:45 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:46 myserver postfix/smtpd[11630]: lost connection after CONNECT from unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] commands=0/0
Oct  8 02:11:46 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:47 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:47 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:47 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11630]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:48 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:50 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct  8 02:11:53 myserver postfix/smtpd[11630]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:53 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:54 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:54 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:54 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:54 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11630]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:55 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11632]: warning: Connection rate limit exceeded: 11 from unknown[180.123.163.212] for service smtp
Oct  8 02:11:55 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] commands=0/0
Oct  8 02:11:55 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11630]: warning: Connection rate limit exceeded: 12 from unknown[180.123.163.212] for service smtp
Oct  8 02:11:55 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] commands=0/0
Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max connection rate 12/60s for (smtp:180.123.163.212) at Oct  8 02:11:55
Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max connection count 2 for (smtp:180.123.163.212) at Oct  8 02:11:43
Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max cache size 1 at Oct  8 02:11:42

-------------------------------------
postconf mail_version
mail_version = 3.5.7
------------------------------------


smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 3
smtpd_client_recipient_rate_limit = 40
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre, reject_unknown_reverse_client_hostname, check_client_access hash:/etc/postfix/spamsources
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_limit = 20
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_recipient, check_client_access hash:/etc/postfix/client_checks, check_sender_access hash:/etc/postfix/sender_checks, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client rabl.nuclearelephant.com, reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policy
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_address, check_sender_access hash:/etc/postfix/spamsources
smtpd_soft_error_limit = 3

---------
Linux  3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
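The pattern in the log above (connect, one EHLO, drop without QUIT, repeat until anvil's per-client rate limit trips at the 11th connection in 60 s) is easy to summarise per client before deciding whether an address deserves a firewall or fail2ban entry. The following is an added example, not code from the original post or from Postfix; the sample log is constructed from a cut-down copy of the excerpt plus one hypothetical well-behaved peer (mail.example.org, 192.0.2.10), and the `churners` thresholds are assumptions, not Postfix settings.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: a cut-down copy of the thread's excerpt plus one normal
# session from a hypothetical well-behaved peer (mail.example.org) for contrast.
SAMPLE_LOG = """\
Oct  8 02:11:42 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:44 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:45 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
Oct  8 02:11:45 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:46 myserver postfix/smtpd[11630]: lost connection after CONNECT from unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] commands=0/0
Oct  8 02:11:55 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11632]: warning: Connection rate limit exceeded: 11 from unknown[180.123.163.212] for service smtp
Oct  8 02:11:55 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] commands=0/0
Oct  8 02:12:01 myserver postfix/smtpd[11640]: connect from mail.example.org[192.0.2.10]
Oct  8 02:12:02 myserver postfix/smtpd[11640]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

SMTPD_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
                      r"postfix/smtpd\[\d+\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+) from ")
RATE_RE = re.compile(r"^warning: Connection rate limit exceeded: ")


@dataclass
class ClientStats:
    connects: int = 0
    disconnects: int = 0
    quits: int = 0          # sessions that ended with a proper QUIT
    rate_warnings: int = 0  # smtpd_client_connection_rate_limit hits
    lost_after: Counter = field(default_factory=Counter)  # SMTP stage -> count
    connect_times: list = field(default_factory=list)

    def max_rate_60s(self):
        """Peak connects inside any 60 s window (anvil's 'max connection rate N/60s')."""
        times = sorted(self.connect_times)
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] >= timedelta(seconds=60):
                start += 1
            best = max(best, end - start + 1)
        return best


def summarise(lines):
    """Aggregate smtpd lines into {client IP: ClientStats}; other daemons are skipped."""
    stats = {}
    for line in lines:
        m = SMTPD_RE.match(line)
        c = CLIENT_RE.search(m.group("msg")) if m else None
        if not c:
            continue
        msg = m.group("msg")
        s = stats.setdefault(c.group("ip"), ClientStats())
        if msg.startswith("connect from "):
            s.connects += 1
            # syslog stamps carry no year; strptime fills in 1900, harmless here
            s.connect_times.append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
        elif msg.startswith("disconnect from "):
            s.disconnects += 1
            if " quit=1" in msg:
                s.quits += 1
        elif (lost := LOST_RE.match(msg)):
            s.lost_after[lost.group("stage")] += 1
        elif RATE_RE.match(msg):
            s.rate_warnings += 1
    return stats


def churners(stats, min_connects=3, lost_ratio=0.5):
    """Clients that mostly drop without QUIT or tripped the rate limit (thresholds are assumptions)."""
    flagged = []
    for ip, s in stats.items():
        lost = sum(s.lost_after.values())
        if s.rate_warnings or (s.connects >= max(min_connects, 1) and lost / s.connects >= lost_ratio):
            flagged.append(ip)
    return sorted(flagged)
```

`max_rate_60s()` reproduces the figure anvil logs as "max connection rate N/60s", so you can compare a client against `smtpd_client_connection_rate_limit` from older logs where anvil's summary line has already rolled off.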



Re: repeated connect and disconnect

Dominic Raferd
On Thu, 8 Oct 2020 at 04:03, [hidden email] <[hidden email]> wrote:

>
> Is there something I should be doing to mitigate this problem?
>
> Oct  8 02:11:42 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
> Oct  8 02:11:43 myserver postfix/smtpd[11632]: connect from unknown[180.123.163.212]
> Oct  8 02:11:43 myserver postfix/smtpd[11632]: lost connection after EHLO from unknown[180.123.163.212]
> Oct  8 02:11:43 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] ehlo=1 commands=1
> ...
> Oct  8 02:11:55 myserver postfix/smtpd[11632]: warning: Connection rate limit exceeded: 11 from unknown[180.123.163.212] for service smtp
> Oct  8 02:11:55 myserver postfix/smtpd[11632]: disconnect from unknown[180.123.163.212] commands=0/0
> Oct  8 02:11:55 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]
> Oct  8 02:11:55 myserver postfix/smtpd[11630]: warning: Connection rate limit exceeded: 12 from unknown[180.123.163.212] for service smtp
> Oct  8 02:11:55 myserver postfix/smtpd[11630]: disconnect from unknown[180.123.163.212] commands=0/0
> Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max connection rate 12/60s for (smtp:180.123.163.212) at Oct  8 02:11:55
> Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max connection count 2 for (smtp:180.123.163.212) at Oct  8 02:11:43
> Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max cache size 1 at Oct  8 02:11:42


smtpd is doing what you told it to and apart from the crud in the log
I don't think there is a problem. But otherwise, use postscreen +
RBLs? This IP address is blocklisted by many RBLs, including
zen.spamhaus.org.

Re: repeated connect and disconnect

Viktor Dukhovni
In reply to this post by lists@lazygranch.com
On Wed, Oct 07, 2020 at 08:02:02PM -0700, [hidden email] wrote:

> Is there something I should be doing to mitigate this problem?
>
> Oct  8 02:11:42 myserver postfix/smtpd[11630]: connect from unknown[180.123.163.212]

Were you expecting email from the below network?  If not, you don't
need to worry about bots checking out your MTA.  [ Not all bots are bad,
my DANE survey bot will connect to your MX hosts ~once a day to each MX
host IP address (for those MX hosts that have DANE TLSA records), but it
will politely send "QUIT" after STARTTLS[1] and a post-TLS EHLO. ]

    inetnum:        180.96.0.0 - 180.127.255.255
    netname:        CHINANET-JS
    descr:          Chinanet Jiangsu Province Network
    descr:          China Telecom
    descr:          No.31,jingrong street
    descr:          Beijing 100032
    country:        CN
    admin-c:        CH93-AP
    tech-c:         CJ186-AP
    remarks:        service provider
    status:         ALLOCATED PORTABLE
    remarks:        --------------------------------------------------------
    remarks:        To report network abuse, please contact mnt-irt
    remarks:        For troubleshooting, please contact tech-c and admin-c
    remarks:        Report invalid contact via www.apnic.net/invalidcontact
    remarks:        --------------------------------------------------------
    mnt-by:         APNIC-HM
    mnt-lower:      MAINT-CHINANET-JS
    last-modified:  2016-05-04T00:18:52Z
    source:         APNIC
    mnt-irt:        IRT-CHINANET-CN

    irt:            IRT-CHINANET-CN
    address:        No.31 ,jingrong street,beijing
    address:        100032
    e-mail:         [hidden email]
    abuse-mailbox:  [hidden email]
    admin-c:        CH93-AP
    tech-c:         CH93-AP
    auth:           # Filtered
    mnt-by:         MAINT-CHINANET
    last-modified:  2010-11-15T00:31:55Z
    source:         APNIC

    role:           CHINANET JIANGSU
    address:        260 Zhongyang Road,Nanjing 210037
    country:        CN
    phone:          +86-25-86588231
    phone:          +86-25-86588745
    fax-no:         +86-25-86588104
    e-mail:         [hidden email]
    remarks:        send anti-spam reports to [hidden email]
    remarks:        send abuse reports to [hidden email]
    remarks:        times in GMT+8
    remarks:        www.jsinfo.net
    admin-c:        CH360-AP
    tech-c:         CS306-AP
    tech-c:         CN142-AP
    nic-hdl:        CJ186-AP
    notify:         [hidden email]
    mnt-by:         MAINT-CHINANET-JS
    last-modified:  2020-04-02T09:18:02Z
    source:         APNIC

    person:         Chinanet Hostmaster
    nic-hdl:        CH93-AP
    e-mail:         [hidden email]
    address:        No.31 ,jingrong street,beijing
    address:        100032
    phone:          +86-10-58501724
    fax-no:         +86-10-58501724
    country:        CN
    mnt-by:         MAINT-CHINANET
    last-modified:  2014-02-27T03:37:38Z
    source:         APNIC

--
    Viktor.

[1] https://stats.dnssec-tools.org/about.html

If so, you'll see log entries like:

    Oct  7 15:23:51 amnesiac postfix/smtpd[94878]: connect
        from dnssec-stats.ant.isi.edu[128.9.29.254]
    Oct  7 15:23:52 amnesiac postfix/smtpd[94878]:
        Anonymous TLS connection established
        from dnssec-stats.ant.isi.edu[128.9.29.254]:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange X25519 server-signature RSA-PSS (2048 bits)
        server-digest SHA256
    Oct  7 15:23:52 amnesiac postfix/smtpd[94878]: disconnect
        from dnssec-stats.ant.isi.edu[128.9.29.254]
        ehlo=2 starttls=1 quit=1 commands=4

    Oct  7 15:23:53 amnesiac postfix/smtpd[94878]: connect
        from dnssec-stats.ant.isi.edu[2001:1878:401::8009:1dfe]
    Oct  7 15:23:54 amnesiac postfix/smtpd[94878]:
        Anonymous TLS connection established
        from dnssec-stats.ant.isi.edu[2001:1878:401::8009:1dfe]:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange X25519 server-signature RSA-PSS (2048 bits)
        server-digest SHA256
    Oct  7 15:23:54 amnesiac postfix/smtpd[94878]: disconnect
        from dnssec-stats.ant.isi.edu[2001:1878:401::8009:1dfe]
        ehlo=2 starttls=1 quit=1 commands=4

Re: repeated connect and disconnect

Jaroslaw Rafa
In reply to this post by lists@lazygranch.com
On 7.10.2020 at 20:02:02 [hidden email] writes:
> Is there something I should be doing to mitigate this problem?

Firewall out IPs that show such behaviour? It's what I usually do...
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: repeated connect and disconnect

Zsombor B
In reply to this post by lists@lazygranch.com

Just set up fail2ban, it will take care of this.



Quote ([hidden email]):

> Is there something I should be doing to mitigate this problem?
>



Re: repeated connect and disconnect

Marko Horn
hello,

---
Right in the middle instead of just a file!

On 2020-10-08 11:54, Zsombor B wrote:

> Just set up fail2ban, it will take care of this.
>
>
>
> Quote ([hidden email]):
>
>> Is there something I should be doing to mitigate this problem?
>>

On some servers I limit this with iptables.
With "shorewall" it is easy to configure.
I limit the connects per second for each unique IP.
This works well. Of course you can also do it with iptables standalone if
you speak iptablish :-)

greets marko





Re: repeated connect and disconnect

Benny Pedersen-2
In reply to this post by lists@lazygranch.com
[hidden email] wrote on 2020-10-08 05:02:
> Is there something I should be doing to mitigate this problem?

The remote can solve it by disabling EHLO or STARTTLS.

> ---------
> Linux  3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020
> x86_64 x86_64 x86_64 GNU/Linux

How old is this kernel.....

Re: repeated connect and disconnect

@lbutlr
In reply to this post by lists@lazygranch.com
On 07 Oct 2020, at 21:02, [hidden email] wrote:
> Is there something I should be doing to mitigate this problem?

Fail2ban or sshguard can both see abuse like this and firewall the IP, I believe. I would add zen to the RBL list, but really, nothing is happening here other than annoying log lines.





--
BART BUCKS ARE NOT LEGAL TENDER Bart chalkboard Ep. 8F06