I just updated https://github.com/GaryGapinski/fail2ban-extras/blob/master/filter.d/postfix-extra.conf#L22 to account for that (had it in testing since 2020-02-21 but forgot to commit the change). And I still have to devise and test a regex to catch a "disconnect from … unknown=0/1".
The more common ("… lost connection after UNKNOWN …") ones I've seen use a "HELP" command without the improper pipelining. This was discussed on the fail2ban-users list last February:
On 2/21/20 1:21 PM, Gary Gapinski via Fail2ban-users wrote:
I had not previously noticed "lost connection after UNKNOWN…" but will add that as well as the companion regex for the disconnect.
Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection after UNKNOWN from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2
I checked the packet capture for that encounter:
220 example.com ESMTP Postfix
EHLO []
250-example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
HELP (← after 2.31s delay which prompted two server TCP retransmissions)
502 5.5.2 Error: command not recognized
HELP is not implemented; the antecedent bogus EHLO would have triggered a ban had a delivery been attempted (because of smtpd_delay_reject = yes). However, there was no delivery attempt so the session never arrived at "Helo command rejected: need fully-qualified hostname" as the client closed the session (without a QUIT) immediately after receiving the 502.
The origin address had previously (repeatedly, for a variety of transgressions dating back to August 2019) been banned one week earlier and unbanned within the hour prior to the 2020-02-11 SMTP session. Just prior to the session it did a port 25 TCP connect and then an immediate reset (RST), a commonly observed but curious practice. Such SYN, SYN-ACK, RST sequences do not produce any log records.
IMO: anything evoking an unknown SMTP command response is ban bait. That would include VRFY which is routinely disabled.
Variant log entries just noticed:
Feb 24 13:23:16 mail postfix/smtpd[14291]: connect from unknown[103.115.120.249]
Feb 24 13:23:16 mail postfix/smtpd[14291]: improper command pipelining after EHLO from unknown[103.115.120.249]: help\r\n\r\n
Feb 24 13:23:18 mail postfix/smtpd[14291]: too many errors after UNKNOWN from unknown[103.115.120.249]
Feb 24 13:23:18 mail postfix/smtpd[14291]: disconnect from unknown[103.115.120.249] ehlo=1 unknown=0/1 commands=1/2
The fail2ban distribution's postfix.conf filter found that one.
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
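The thread discusses writing fail2ban failregex lines for the "lost connection after UNKNOWN", "improper command pipelining", "too many errors after UNKNOWN" and "disconnect … unknown=0/1" smtpd entries. The script below is an added example, not the postfix-extra.conf filter from the linked repository and not code from the list posters: it reproduces the fail2ban matching model in plain Python (strip the syslog/daemon prefix, expand the `<HOST>` placeholder, apply each failregex, count hits per host against a maxretry threshold) and runs it over the log lines quoted in the thread plus one constructed benign disconnect line. The failregex patterns, the `<HOST>` expansion and the prefix pattern are the editor's own approximations; fail2ban's real `<HOST>` expansion and date handling are more elaborate.

```python
import re

# Constructed sample: the smtpd lines quoted in the thread, plus one benign
# disconnect (192.0.2.10, documentation address) that must NOT match.
SAMPLE_LOG = """\
Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection after UNKNOWN from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2
Feb 24 13:23:16 mail postfix/smtpd[14291]: connect from unknown[103.115.120.249]
Feb 24 13:23:16 mail postfix/smtpd[14291]: improper command pipelining after EHLO from unknown[103.115.120.249]: help\\r\\n\\r\\n
Feb 24 13:23:18 mail postfix/smtpd[14291]: too many errors after UNKNOWN from unknown[103.115.120.249]
Feb 24 13:23:18 mail postfix/smtpd[14291]: disconnect from unknown[103.115.120.249] ehlo=1 unknown=0/1 commands=1/2
Feb 24 13:30:00 mail postfix/smtpd[14300]: disconnect from mx.example.net[192.0.2.10] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

# Approximation of fail2ban's __prefix_line for postfix/smtpd: syslog timestamp,
# host, daemon[pid]: then the message the failregex is applied to.
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<syslog_host>\S+) "
    r"postfix/smtpd\[\d+\]: (?P<msg>.*)$"
)

# Simplified stand-in for fail2ban's <HOST> expansion: an IPv4/IPv6 literal
# or a hostname, captured as the named group "host".
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+|[\w.-]+)"

# Editor's failregex approximations (assumption: not the repository's file).
# The last one implements the "disconnect ... unknown=0/N" rule the thread
# mentions: fire only when at least one unknown command was attempted (N >= 1)
# and none succeeded, regardless of where the counters appear on the line.
FAILREGEX = [
    r"^lost connection after UNKNOWN from \S+\[<HOST>\]$",
    r"^improper command pipelining after \w+ from \S+\[<HOST>\]:",
    r"^too many errors after UNKNOWN from \S+\[<HOST>\]$",
    r"^disconnect from \S+\[<HOST>\](?: \w+=\d+(?:/\d+)?)* unknown=0/[1-9]\d*(?: \w+=\d+(?:/\d+)?)*$",
]


def compile_failregex(pattern: str) -> re.Pattern:
    """Expand the fail2ban-style <HOST> placeholder and compile."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


COMPILED = [compile_failregex(p) for p in FAILREGEX]


def match_line(line: str):
    """Return (host, failregex index) if the line matches a rule, else None."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for idx, rx in enumerate(COMPILED):
        hit = rx.search(msg)
        if hit:
            return hit.group("host"), idx
    return None


def scan(log_text: str) -> dict:
    """Count matching lines per offending host, as a fail2ban jail would."""
    counts: dict = {}
    for line in log_text.splitlines():
        res = match_line(line)
        if res:
            host, _ = res
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(counts: dict, maxretry: int) -> set:
    """Hosts whose hit count reached the jail's maxretry threshold."""
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for host, n in sorted(hits.items()):
        print(f"{host}: {n} matching line(s)")
    print("would ban with maxretry=2:", sorted(hosts_to_ban(hits, 2)))
```

Note that a single offending session produces two or three matching lines here (e.g. "lost connection after UNKNOWN" and the "disconnect … unknown=0/1" record for the same client), so with maxretry=2 one session is enough to trigger a ban; if that is not the intent, keep only one of the overlapping rules or raise maxretry accordingly. The benign disconnect with no `unknown=` counter is left untouched, which is the check worth keeping in fail2ban-regex tests for this rule.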
