Topic: lost connection after CONNECT from unknown
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Linux/BSD distribution name and version: Raspbian 8.0 on RaspberryPi2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? NO
- Related log if you're reporting an issue:
====
Hi, my log file is getting filled up by an attack, and the IP is not added to iptables by fail2ban.
Here is a small excerpt from the log file:
Apr 13 20:20:17 mail postfix/postscreen[8354]: CONNECT from [155.133.82.65]:50734 to [91.88.1.20]:25
Apr 13 20:20:17 mail postfix/postscreen[8354]: PASS OLD [155.133.82.65]:50734
Apr 13 20:20:27 mail postfix/smtpd[8355]: connect from unknown[155.133.82.65]
Apr 13 20:20:27 mail postfix/smtpd[8355]: lost connection after CONNECT from unknown[155.133.82.65]
Apr 13 20:20:27 mail postfix/smtpd[8355]: disconnect from unknown[155.133.82.65]
Apr 13 20:23:14 mail postfix/postscreen[8403]: CONNECT from [155.133.82.65]:59941 to [91.88.1.20]:25
Apr 13 20:23:14 mail postfix/postscreen[8403]: PASS OLD [155.133.82.65]:59941
Apr 13 20:23:24 mail postfix/smtpd[8404]: connect from unknown[155.133.82.65]
Apr 13 20:23:24 mail postfix/smtpd[8404]: lost connection after CONNECT from unknown[155.133.82.65]
Apr 13 20:23:24 mail postfix/smtpd[8404]: disconnect from unknown[155.133.82.65]
Apr 13 20:26:12 mail postfix/postscreen[8418]: CONNECT from [155.133.82.65]:63095 to [91.88.1.20]:25
Apr 13 20:26:12 mail postfix/postscreen[8418]: PASS OLD [155.133.82.65]:63095
Apr 13 20:26:22 mail postfix/smtpd[8419]: connect from unknown[155.133.82.65]
Apr 13 20:26:22 mail postfix/smtpd[8419]: lost connection after CONNECT from unknown[155.133.82.65]
Apr 13 20:26:22 mail postfix/smtpd[8419]: disconnect from unknown[155.133.82.65]
Apr 13 20:29:13 mail postfix/postscreen[8422]: CONNECT from [155.133.82.65]:59236 to [91.88.1.20]:25
Apr 13 20:29:13 mail postfix/postscreen[8422]: PASS OLD [155.133.82.65]:59236
Apr 13 20:29:24 mail postfix/smtpd[8423]: connect from unknown[155.133.82.65]
Apr 13 20:29:24 mail postfix/smtpd[8423]: lost connection after CONNECT from unknown[155.133.82.65]
Apr 13 20:29:24 mail postfix/smtpd[8423]: disconnect from unknown[155.133.82.65]
fail2ban is working:
ps -ef | grep fail2ban
root 1143 1 0 20:30 ? 00:00:04 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
pi 1667 1269 0 20:40 pts/0 00:00:00 grep --color=auto fail2ban
How can I fight these attacks?
Cheers, Ziga
----
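An added example, not part of the original post and not iRedMail or fail2ban code: a check that counts `lost connection after CONNECT` lines per client IP inside a sliding time window, which is the kind of pattern a log-based ban rule has to match before it can act on the entries shown above. The sample log is constructed, and `find_offenders`, `max_retry`, `find_time` and their default values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the excerpt above; the addresses are
# documentation-range placeholders, not taken from the post.
SAMPLE_LOG = """\
Apr 13 20:20:17 mail postfix/postscreen[8354]: PASS OLD [198.51.100.7]:50734
Apr 13 20:20:27 mail postfix/smtpd[8355]: connect from unknown[198.51.100.7]
Apr 13 20:20:27 mail postfix/smtpd[8355]: lost connection after CONNECT from unknown[198.51.100.7]
Apr 13 20:20:27 mail postfix/smtpd[8355]: disconnect from unknown[198.51.100.7]
Apr 13 20:23:24 mail postfix/smtpd[8404]: lost connection after CONNECT from unknown[198.51.100.7]
Apr 13 20:24:02 mail postfix/smtpd[8410]: lost connection after CONNECT from unknown[203.0.113.9]
Apr 13 20:26:22 mail postfix/smtpd[8419]: lost connection after CONNECT from unknown[198.51.100.7]
Apr 13 20:29:24 mail postfix/smtpd[8423]: lost connection after CONNECT from unknown[198.51.100.7]
"""

# Only the smtpd "lost connection after CONNECT" line counts as a hit;
# postscreen, connect and disconnect lines are ignored.
LOST_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after CONNECT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]$"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2000):
    """Return {ip: peak hits in window} for IPs with >= max_retry hits within find_time.

    Syslog timestamps carry no year, so a fixed placeholder year (assumption)
    is used; it only matters for windowing within a single log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LOST_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:   # drop hits older than the window
            window.popleft()
        if len(window) >= max_retry:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(window))
    return offenders

if __name__ == "__main__":
    for ip, hits in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {hits} dropped connections within the window")
```

With hits arriving roughly three minutes apart, as in the excerpt, a short window never accumulates enough hits to reach the threshold, so the window length and retry count have to be chosen together.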