Dnia 26.04.2022 o godz. 18:59:35 lists pisze: > I see the snowshoe hackers on my web server and I > assume they are on my email but I don't read the postfix logs as often. I > haven't seen a hacker hammer my server in a long time. It is all snowshoe > these days.
I also have a personal server and I can see both. There is a lot of snowshoe, but there are also IPs that constantly hammer my submission/smtps ports for long time, trying subsequent login/passwords combinations (usually for usernames that never existed on my server :), I only rarely see them trying an actually existing username). What's interesting, I don't see the latter behavior with ssh attempts - this is actually almost 100% snowshoe - but with submissions/smtps, yes, the "hammering" happens all the time. After I see this behavior in the logs, I usually ban those IPs in iptables permanently. Of course there was a lot more of this "hammering" when some time ago I had mistakenly AUTH turned on on port 25, so it looks like the bots that try to crack email passwords are mostly targeting this port. -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."