Re: repeated connect and disconnect

[Marko Horn]

hello,

---
Mitten drin statt nur Datei!
Am 2020-10-08 11:54, schrieb Zsombor B:
Just set up fail2ban, it will take care of this.



Idézet (li...@lazygranch.com):

Is there something I should be doing to mitigate this problem?

Oct  8 02:11:42 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:43 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:44 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:45 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:45 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:45 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:46 myserver postfix/smtpd[11630]: lost connection after  
CONNECT from unknown[180.123.163.212]
Oct  8 02:11:46 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] commands=0/0
Oct  8 02:11:46 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:47 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:47 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:47 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11630]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:48 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:48 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:50 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:53 myserver postfix/smtpd[11630]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:53 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:54 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:54 myserver postfix/smtpd[11632]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:54 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:54 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11630]: lost connection after  
EHLO from unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] ehlo=1 commands=1
Oct  8 02:11:55 myserver postfix/smtpd[11632]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11632]: warning: Connection  
rate limit exceeded: 11 from unknown[180.123.163.212] for service smtp
Oct  8 02:11:55 myserver postfix/smtpd[11632]: disconnect from  
unknown[180.123.163.212] commands=0/0
Oct  8 02:11:55 myserver postfix/smtpd[11630]: connect from  
unknown[180.123.163.212]
Oct  8 02:11:55 myserver postfix/smtpd[11630]: warning: Connection  
rate limit exceeded: 12 from unknown[180.123.163.212] for service smtp
Oct  8 02:11:55 myserver postfix/smtpd[11630]: disconnect from  
unknown[180.123.163.212] commands=0/0
Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max  
connection rate 12/60s for (smtp:180.123.163.212) at Oct  8 02:11:55
Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max  
connection count 2 for (smtp:180.123.163.212) at Oct  8 02:11:43
Oct  8 02:15:15 myserver postfix/anvil[11633]: statistics: max cache  
size 1 at Oct  8 02:11:42

-------------------------------------
postconf mail_version
mail_version = 3.5.7
------------------------------------


smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 3
smtpd_client_recipient_rate_limit = 40
smtpd_client_restrictions = permit_sasl_authenticated,  
permit_mynetworks, reject_unauth_destination,  
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,  
reject_unknown_reverse_client_hostname, check_client_access  
hash:/etc/postfix/spamsources
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
smtpd_recipient_limit = 20
smtpd_recipient_restrictions = permit_sasl_authenticated,  
permit_mynetworks, reject_unauth_destination,  
reject_unauth_pipelining, reject_non_fqdn_sender,  
reject_unknown_sender_domain, reject_unknown_recipient_domain,  
reject_non_fqdn_recipient, check_client_access  
hash:/etc/postfix/client_checks, check_sender_access  
hash:/etc/postfix/sender_checks, reject_rbl_client bl.spamcop.net,  
reject_rbl_client b.barracudacentral.org, reject_rbl_client  
cbl.abuseat.org, reject_rbl_client rabl.nuclearelephant.com,  
reject_rbl_client zen.spamhaus.org, check_policy_service  
unix:private/policy
smtpd_relay_restrictions = permit_sasl_authenticated,  
permit_mynetworks, reject_unauth_destination, check_policy_service  
unix:private/policy
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated,  
permit_mynetworks, reject_unauth_destination,  reject_unknown_address, 
check_sender_access  hash:/etc/postfix/spamsources
smtpd_soft_error_limit = 3

on some server i limit this with iptables.
with "shorewall" it is easy to configure.
i limit the connects per second for each unique ip.
this works well. ofcourse you can also do it with iptables standalone if 
you speak iptablish :-)

greets marko




---------
Linux  3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC  
2020 x86_64 x86_64 x86_64 GNU/Linux