On 26 February 2020, at 02:54, Jaroslaw Rafa <r...@rafa.eu.org> wrote:

My Postfix log is full of repeated connections and disconnections from the
same machine:

Feb 26 11:43:41 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:43:52 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
Feb 26 11:44:04 rafa postfix/submission/smtpd[13829]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known

This repeats over and over (I already blocked this IP on the firewall). I wonder
what this attacker(?) is trying to do - the client doesn't attempt AUTH or
anything (it would be logged). It just connects and disconnects. And so on
and on...

Welcome to the internet. It can be a misconfigured client, spamware somewhere,
a scan, whatever. Firewalling those automatically is the only way to limit
those messages.

On 26.02.20 03:04, Doug Hardie wrote:
One of my mail servers showed the same thing.  Tcpdump showed they are
sending SYN after SYN, nothing else.  You didn't indicate which firewall
you are using, but when I went to block them with pf I found that they
send often enough that pf's state stays active.  I had to manually remove
that state entry to stop the logging.  That won't stop their sending the
SYNs though.  It almost appears to be a really poor attempt at a denial of
service.  I did find 2 other sites sending the same thing.

SYN after SYN will not cause this error. For this kind of error the
connection must be made by SYN,SYN+ACK,ACK and then FIN.

If you block data/SYN by any firewall, you won't see those messages.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller
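
Added example (not part of the thread and not code from any of its participants): a log check for the pattern discussed above, smtpd sessions that consist only of a connect and a disconnect, producing a list of addresses that could feed the automatic firewalling suggested in the reply. The sample log is constructed in the format of the quoted lines; the function names, the threshold and the 192.0.2.10 client are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread;
# 192.0.2.10 is a documentation address added as a normal client for contrast.
SAMPLE_LOG = """\
Feb 26 11:43:41 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:43:52 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
Feb 26 11:44:04 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:44:15 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
Feb 26 11:44:20 rafa postfix/submission/smtpd[13901]: connect from client.example[192.0.2.10]
Feb 26 11:44:21 rafa postfix/submission/smtpd[13901]: 4F1A22C0: client=client.example[192.0.2.10], sasl_method=PLAIN, sasl_username=user
Feb 26 11:44:22 rafa postfix/submission/smtpd[13901]: disconnect from client.example[192.0.2.10]
Feb 26 11:44:30 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:44:41 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
"""

# Matches smtpd lines with or without a service name such as "submission".
LINE = re.compile(r"postfix/(?:\w+/)?smtpd\[(\d+)\]: (.*)$")
CONN = re.compile(r"^(connect|disconnect) from \S*\[([0-9a-fA-F.:]+)\]")

def idle_sessions(log_text):
    """Count, per client IP, sessions that logged only connect + disconnect."""
    open_sessions = {}            # smtpd pid -> [ip, saw_activity]
    idle = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        c = CONN.match(msg)
        if c and c.group(1) == "connect":
            open_sessions[pid] = [c.group(2), False]
        elif c:                   # disconnect closes the session for this pid
            sess = open_sessions.pop(pid, None)
            if sess and sess[0] == c.group(2) and not sess[1]:
                idle[sess[0]] += 1
        elif pid in open_sessions:
            open_sessions[pid][1] = True   # anything logged mid-session
    return dict(idle)

def block_candidates(log_text, threshold=3):
    """IPs with at least `threshold` idle sessions (threshold is an assumption)."""
    return sorted(ip for ip, n in idle_sessions(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(block_candidates(SAMPLE_LOG))
```
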
