Topic: How can I block excessive connection attempts

==== Required information ====
- iRedMail version (check /etc/iredmail-release):  0.9.5-1
- Linux/BSD distribution name and version:   Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?  No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I've searched and tried different things to stop spammers that try to connect over and over, but can't seem to find the trick to block connections completely after a defined number of attempts.

Here is an example of the logs of what I'm trying to stop. If the same IP repeatedly attempts connections, I want to block that IP after about 5-10 attempts.

*************** LOG ******************

Jan  5 13:38:56 www postfix/postscreen[30375]: PREGREET 13 after 0.12 from [185.165.29.117]:58568: EHLO Ye0vlJ\r\n
Jan  5 13:38:56 www postfix/postscreen[30375]: DNSBL rank 3 for [185.165.29.117]:58568
Jan  5 13:38:56 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:58568 in tests after SMTP handshake
Jan  5 13:38:56 www postfix/postscreen[30375]: DISCONNECT [185.165.29.117]:58568
Jan  5 13:38:56 www postfix/postscreen[30375]: CONNECT from [185.165.29.117]:58896 to [172.31.7.168]:25
Jan  5 13:38:56 www postfix/dnsblog[30379]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.2
Jan  5 13:38:56 www postfix/dnsblog[30379]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.4
Jan  5 13:38:56 www postfix/postscreen[30375]: PREGREET 13 after 0.12 from [185.165.29.117]:58896: EHLO 4Jz3H1\r\n
Jan  5 13:38:56 www postfix/postscreen[30375]: DNSBL rank 3 for [185.165.29.117]:58896
Jan  5 13:38:56 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:58896 in tests after SMTP handshake
Jan  5 13:38:56 www postfix/postscreen[30375]: DISCONNECT [185.165.29.117]:58896
Jan  5 13:38:57 www postfix/postscreen[30375]: CONNECT from [185.165.29.117]:59104 to [172.31.7.168]:25
Jan  5 13:38:57 www postfix/dnsblog[30385]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.4
Jan  5 13:38:57 www postfix/dnsblog[30385]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.2
Jan  5 13:38:57 www postfix/postscreen[30375]: PREGREET 15 after 0.12 from [185.165.29.117]:59104: EHLO f6o0qIOC\r\n
Jan  5 13:38:57 www postfix/postscreen[30375]: DNSBL rank 3 for [185.165.29.117]:59104
Jan  5 13:38:57 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:59104 in tests after SMTP handshake
Jan  5 13:38:57 www postfix/postscreen[30375]: DISCONNECT [185.165.29.117]:59104
Jan  5 13:38:57 www postfix/postscreen[30375]: CONNECT from [185.165.29.117]:59324 to [172.31.7.168]:25
Jan  5 13:38:57 www postfix/dnsblog[30384]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.2
Jan  5 13:38:57 www postfix/dnsblog[30384]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.4
Jan  5 13:38:57 www postfix/postscreen[30375]: PREGREET 17 after 0.12 from [185.165.29.117]:59324: EHLO ZZYoI4if0k\r\n
Jan  5 13:38:57 www postfix/postscreen[30375]: DNSBL rank 3 for [185.165.29.117]:59324
Jan  5 13:38:57 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:59324 in tests after SMTP handshake
Jan  5 13:38:57 www postfix/postscreen[30375]: DISCONNECT [185.165.29.117]:59324
Jan  5 13:38:58 www postfix/postscreen[30375]: CONNECT from [185.165.29.117]:59509 to [172.31.7.168]:25
Jan  5 13:38:58 www postfix/dnsblog[30376]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.4
Jan  5 13:38:58 www postfix/dnsblog[30376]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.2
Jan  5 13:38:58 www postfix/postscreen[30375]: PREGREET 14 after 0.12 from [185.165.29.117]:59509: EHLO yB3ekN5\r\n
Jan  5 13:38:58 www postfix/postscreen[30375]: DNSBL rank 3 for [185.165.29.117]:59509
Jan  5 13:38:58 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:59509 in tests after SMTP handshake
Jan  5 13:38:58 www postfix/postscreen[30375]: DISCONNECT [185.165.29.117]:59509
Jan  5 13:38:58 www postfix/postscreen[30375]: CONNECT from [185.165.29.117]:59776 to [172.31.7.168]:25
Jan  5 13:38:58 www postfix/dnsblog[30381]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.2
Jan  5 13:38:58 www postfix/dnsblog[30381]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.4
Jan  5 13:38:58 www postfix/postscreen[30375]: PREGREET 17 after 0.12 from [185.165.29.117]:59776: EHLO yoxIxrLQPu\r\n
Jan  5 13:38:58 www postfix/postscreen[30375]: DNSBL rank 3 for [185.165.29.117]:59776
Jan  5 13:38:58 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:59776 in tests after SMTP handshake
Jan  5 13:38:58 www postfix/postscreen[30375]: DISCONNECT [185.165.29.117]:59776
Jan  5 13:38:59 www postfix/postscreen[30375]: CONNECT from [185.165.29.117]:59969 to [172.31.7.168]:25
Jan  5 13:38:59 www postfix/dnsblog[30376]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.4
Jan  5 13:38:59 www postfix/dnsblog[30376]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.2
Jan  5 13:38:59 www postfix/postscreen[30375]: PREGREET 13 after 0.12 from [185.165.29.117]:59969: EHLO prwKDX\r\n
Jan  5 13:38:59 www postfix/postscreen[30375]: DNSBL rank 3 for [185.165.29.117]:59969
Jan  5 13:38:59 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:59969 in tests after SMTP handshake
Jan  5 13:38:59 www postfix/postscreen[30375]: DISCONNECT [185.165.29.117]:59969
Jan  5 13:38:59 www postfix/postscreen[30375]: CONNECT from [185.165.29.117]:60196 to [172.31.7.168]:25
Jan  5 13:38:59 www postfix/dnsblog[30380]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.2
Jan  5 13:38:59 www postfix/dnsblog[30380]: addr 185.165.29.117 listed by domain zen.spamhaus.org as 127.0.0.4
Jan  5 13:38:59 www postfix/postscreen[30375]: PREGREET 14 after 0.12 from [185.165.29.117]:60196: EHLO 9HHI4IG\r\n
Jan  5 13:38:59 www postfix/postscreen[30375]: DNSBL rank 3 for [185.165.29.117]:60196
Jan  5 13:38:59 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:60196 in tests after SMTP handshake

Re: How can I block excessive connection attempts

I added one new Fail2ban regex rule yesterday in one iRedMail load-balance cluster, and it helps block A LOT of spammers like this. Here's how you can get them blocked:

*) Download this new Fail2ban filter config file:

https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/fail2ban/filter.d/postfix.iredmail.conf

*) Replace /etc/fail2ban/filter.d/postfix.iredmail.conf with the downloaded one.
*) Restart Fail2ban service.
*) Monitor log file to see them blocked.
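As an added illustration (not code from this thread and not the contents of the iRedMail filter file), the Python below replays what a Fail2ban jail does with a filter like the one above: a Fail2ban-style failregex that matches the postscreen PREGREET/HANGUP lines, plus the maxretry/findtime sliding window that decides when a host gets banned, run over constructed log lines modelled on the log in the question. The regex, the sample lines and the 2017 year (syslog stamps carry no year) are assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample modelled on the postscreen lines in the question: three rapid
# connections from one DNSBL-listed host, then one host that passes cleanly.
SAMPLE_LOG = r"""Jan  5 13:38:56 www postfix/postscreen[30375]: CONNECT from [185.165.29.117]:58896 to [172.31.7.168]:25
Jan  5 13:38:56 www postfix/postscreen[30375]: PREGREET 13 after 0.12 from [185.165.29.117]:58896: EHLO 4Jz3H1\r\n
Jan  5 13:38:56 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:58896 in tests after SMTP handshake
Jan  5 13:38:57 www postfix/postscreen[30375]: PREGREET 15 after 0.12 from [185.165.29.117]:59104: EHLO f6o0qIOC\r\n
Jan  5 13:38:57 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:59104 in tests after SMTP handshake
Jan  5 13:38:58 www postfix/postscreen[30375]: PREGREET 17 after 0.12 from [185.165.29.117]:59324: EHLO ZZYoI4if0k\r\n
Jan  5 13:38:58 www postfix/postscreen[30375]: HANGUP after 0.24 from [185.165.29.117]:59324 in tests after SMTP handshake
Jan  5 13:39:10 www postfix/postscreen[30375]: CONNECT from [203.0.113.5]:40211 to [172.31.7.168]:25
Jan  5 13:39:11 www postfix/postscreen[30375]: PASS NEW [203.0.113.5]:40211
"""

# Illustrative failregex in Fail2ban style (<HOST> is Fail2ban's placeholder).
# Assumed for this example; it is not the regex shipped in postfix.iredmail.conf.
FAILREGEX = (r"postfix/postscreen\[\d+\]: "
             r"(?:PREGREET \d+ after [\d.]+ from|HANGUP after [\d.]+ from) "
             r"\[<HOST>\]:\d+")
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")

def parse_ts(line, year=2017):
    """Syslog stamps carry no year; assume one, as Fail2ban assumes the current year."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                             "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=5, findtime=600):
    """Replay a jail: ban a host once it produces maxretry matching lines within findtime
    seconds. Every matching line counts, so one bad connection (PREGREET + HANGUP) costs
    two retries. Returns {host: (ban time, matching lines seen)} for banned hosts."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = FAIL_RE.search(line)
        ts = parse_ts(line) if m else None
        if ts is None or m.group("host") in bans:
            continue
        window = recent[m.group("host")]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:   # slide the findtime window
            window.popleft()
        if len(window) >= maxretry:
            bans[m.group("host")] = (ts.strftime("%H:%M:%S"), len(window))
    return bans
```

With the defaults the listed host is banned on its third connection, because PREGREET and HANGUP each count as a retry; size maxretry in connections times matching lines per connection when you tune the jail.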

Re: How can I block excessive connection attempts

I just now saw your response and have implemented your change.  I will monitor and let you know how it works out.  THANKS