On Thu, 2 Mar 2017 08:34:59 +0100 Patrick Ben Koetter <p...@sys4.de> wrote:

> * Poliman - Serwis <ser...@poliman.pl>:
> > Hi everyone. In mail.log file I have many lines like below:
> >
> > Mar 2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept error from house.census.shodan.io[89.248.172.16]: -1
> > Mar 2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:966:
>
> Postfix refuses to use SSLv3.
>
> > Mar 2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
> > Mar 2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
> > Mar 2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
>
> house.census.shodan.io tries to connect to your Postfix server and then nothing happens. Unless every other host has this problem too, you will have to talk to the people who run house.census.shodan.io to find out why their client doesn't proceed with an SMTP session. Chances are their host's problem is that it is unable to use any other/newer TLS protocol version.
>
> > and
> >
> > Mar 2 07:15:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<BctoWblJjAB/AAAB>
> > Mar 2 07:20:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<+TxOa7lJ/AB/AAAB>
> > Mar 2 07:20:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<z1FOa7lJmAB/AAAB>
> > Mar 2 07:25:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<znkzfblJCAB/AAAB>
>
> Something - a program? - on your server connects to your dovecot service and disconnects. Find out what it is.
>
> > In two days the log file has grown to 18 MB. What is wrong?
>
> The log size is not necessarily an indicator that something is wrong on your machine. On busy machines 18 MB growth is a matter of minutes.
>
> How recurring are the errors in the LOG? Is it always the same error? Is it always the same host having problems with your server?
>
> p@rick

I block that server from all but port 25. It will password guess until the cows come home. I had no idea it was associated with Shodan, but now all the more reason to block it.

# novogara: ranges dropped into ipfw table 1 (89.248.172.16 above falls in 89.248.172.0/23)
ipfw table 1 add 89.248.160.0/21
ipfw table 1 add 89.248.169.0/24
ipfw table 1 add 89.248.170.0/23
ipfw table 1 add 89.248.172.0/23
ipfw table 1 add 89.248.174.0/24
ipfw table 1 add 93.174.88.0/21
ipfw table 1 add 94.102.48.0/20

There is a snowshoe type botnet password guesser hosted at Digital Ocean. Being a customer of theirs, I complained. It stopped for a few days, but it's back again. They password guess in sequence.

138.68.90.75
139.59.158.92
207.154.221.122

Also the "141" block of the University of Michigan. I have contacted them to see if they are doing "research", but I get no reply.

# University of Michigan "141" block: ipfw table 3
ipfw table 3 add 141.211.0.0/16
ipfw table 3 add 141.212.0.0/16
ipfw table 3 add 141.213.0.0/16
ipfw table 3 add 141.214.0.0/16

Mind you, I can block these ports because I'm the only customer of my server. Yes, I know fail2ban is the way to go, but my cellphone creates some chatter that would trigger an aggressive fail2ban.
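Added example, not code from this thread, from Postfix or from Dovecot: a small Python triage script over log lines in the two shapes quoted above (postfix/smtpd connection failures and dovecot *-login disconnects). It counts events per remote IP, keeps loopback traffic (the "something on your server" case) apart from outside hosts, checks outside hosts against the CIDR ranges the reply feeds into ipfw, and only emits ipfw table entries for hosts that are not covered yet. Assumptions: the sample log is constructed (the first eight lines copy the quoted entries, the ninth is an invented Dovecot auth-failure line for one of the Digital Ocean addresses named in the reply, with a made-up timestamp, session id and local IP 203.0.113.5); the blocklist copies the ipfw tables from the reply; the threshold of 3 failures and the table number 3 are arbitrary choices.

```python
"""Triage of mail.log noise like the lines quoted in this thread.

Added example, not code from the thread, Postfix or Dovecot.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log: the first eight lines mirror the quoted mail.log
# entries, the last one is an invented Dovecot auth-failure line for one of
# the Digital Ocean addresses named in the reply (timestamp/session/lip made up).
SAMPLE_LOG = """\
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: SSL_accept error from house.census.shodan.io[89.248.172.16]: -1
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:966:
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14642]: disconnect from house.census.shodan.io[89.248.172.16]
Mar  2 06:53:30 vps342401 postfix/smtps/smtpd[14637]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]
Mar  2 07:15:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<BctoWblJjAB/AAAB>
Mar  2 07:20:01 vps342401 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<+TxOa7lJ/AB/AAAB>
Mar  2 07:20:01 vps342401 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<z1FOa7lJmAB/AAAB>
Mar  2 07:30:02 vps342401 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=138.68.90.75, lip=203.0.113.5, TLS, session=<0000000000000000>
"""

# postfix/smtpd: "<event> from <host>[<ip>]" for the three events quoted above.
# The "warning: TLS library problem" line carries no client address and is skipped.
POSTFIX_RE = re.compile(
    r"postfix/(?:\S+/)?smtpd\[\d+\]: "
    r"(?P<event>SSL_accept error|lost connection after \w+|disconnect) from "
    r"(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)
# dovecot: "<svc>-login: Disconnected (<reason>): ... rip=<remote ip>"
DOVECOT_RE = re.compile(
    r"dovecot: (?P<svc>\w+-login): Disconnected \((?P<reason>[^)]*)\):.*?"
    r"rip=(?P<ip>[0-9a-fA-F.:]+)"
)

# CIDRs copied from the ipfw tables in the reply above (tables 1 and 3).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "89.248.160.0/21", "89.248.169.0/24", "89.248.170.0/23", "89.248.172.0/23",
    "89.248.174.0/24", "93.174.88.0/21", "94.102.48.0/20",
    "141.211.0.0/16", "141.212.0.0/16", "141.213.0.0/16", "141.214.0.0/16",
)]


def summarize(log_text):
    """Map each remote IP to a Counter of the events seen from it."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = POSTFIX_RE.search(line)
        if m:
            per_ip[m["ip"]]["smtpd:" + m["event"]] += 1
            continue
        m = DOVECOT_RE.search(line)
        if m:
            reason = m["reason"]
            if reason.startswith("auth failed"):
                # "auth failed, N attempts in S secs": weight by N, not by line count
                n = re.search(r"(\d+) attempts", reason)
                per_ip[m["ip"]]["auth_failed"] += int(n.group(1)) if n else 1
            else:
                # "no auth attempts" / "disconnected before auth was ready"
                per_ip[m["ip"]]["login_noauth"] += 1
    return per_ip


def matching_net(ip):
    """Return the blocklist CIDR containing ip, or None if it is not covered."""
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in BLOCKED_NETS if addr in n), None)


def triage(log_text, threshold=3):
    """Verdict per IP: 'local' (loopback: look on the box itself, never block),
    'blocked' (already inside a table), 'candidate' (at least threshold
    failures and not yet blocked) or 'noise'.  threshold is an arbitrary choice."""
    report = {}
    for ip, events in summarize(log_text).items():
        failures = sum(events.values())
        if ipaddress.ip_address(ip).is_loopback:
            verdict = "local"
        elif matching_net(ip):
            verdict = "blocked"
        elif failures >= threshold:
            verdict = "candidate"
        else:
            verdict = "noise"
        report[ip] = (verdict, failures, dict(events))
    return report


def ipfw_rules(report, table=3):
    """ipfw table entries for 'candidate' hosts only; loopback is never emitted."""
    return [f"ipfw table {table} add {ip}/32"
            for ip, (verdict, _, _) in sorted(report.items())
            if verdict == "candidate"]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, (verdict, n, events) in sorted(report.items()):
        print(f"{ip:16} {verdict:10} {n:3} {events}")
    print("\n".join(ipfw_rules(report)))
```

Run as-is it prints one row per client: the shodan host comes out as `blocked` (its /23 is already in table 1), the three loopback rows come out as `local` rather than as a rule, which is the split the fail2ban remark in the reply hinges on, and only the Digital Ocean address reaches `candidate`. The `local` rows are the ones to chase with `sockstat`/`ss` or the crontab on the server itself, as the reply above suggests.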