[SSHGuard-users] posfix - bots

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi,

Would it be possible to block IP addresses from bots that are only  
trying to connect and stop at the auth.
Usually the pattern is "helo=1 auth=0/1 quit=1 commands=2/3"

postfix log excerpt:

Jan  3 07:08:58 xyz postfix/smtpd[64504]: connect from  
59-124-9-251.HINET-IP.hinet.net[59.124.9.251]
Jan  3 07:08:59 xyz postfix/smtpd[64504]: disconnect from  
59-124-9-251.HINET-IP.hinet.net[59.124.9.251] helo=1 auth=0/1 quit=1  
commands=2/3
Jan  3 07:10:47 xyz postfix/smtpd[64504]: connect from  
148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
Jan  3 07:10:47 xyz postfix/smtpd[64504]: disconnect from  
148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1  
auth=0/1 quit=1 commands=2/3
Jan  3 07:12:57 xyz postfix/smtpd[64523]: connect from  
148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
Jan  3 07:12:58 xyz postfix/smtpd[64523]: disconnect from  
148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1  
auth=0/1 quit=1 commands=2/3
Jan  3 07:22:03 xyz postfix/smtpd[64595]: connect from  
cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202]
Jan  3 07:22:04 xyz postfix/smtpd[64595]: disconnect from  
cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202] helo=1  
auth=0/1 quit=1 commands=2/3
Jan  3 07:33:12 xyz postfix/smtpd[64632]: connect from  
202077050129.static.ctinets.com[202.77.50.129]
Jan  3 07:33:13 xyz postfix/smtpd[64632]: disconnect from  
202077050129.static.ctinets.com[202.77.50.129] helo=1 auth=0/1 quit=1  
commands=2/3
Jan  3 07:42:05 xyz postfix/smtpd[64649]: connect from  
218.221.208.186.yukanet.com.br[186.208.221.218]
Jan  3 07:42:05 xyz postfix/smtpd[64649]: disconnect from  
218.221.208.186.yukanet.com.br[186.208.221.218] helo=1 auth=0/1 quit=1  
commands=2/3
Jan  3 07:46:12 xyz postfix/smtpd[64671]: connect from  
220-130-140-22.HINET-IP.hinet.net[220.130.140.22]
Jan  3 07:46:13 xyz postfix/smtpd[64671]: disconnect from  
220-130-140-22.HINET-IP.hinet.net[220.130.140.22] helo=1 auth=0/1  
quit=1 commands=2/3
Jan  3 07:48:21 xyz postfix/smtpd[64674]: connect from  
210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210]
Jan  3 07:48:21 xyz postfix/smtpd[64674]: disconnect from  
210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210] helo=1 auth=0/1  
quit=1 commands=2/3

Regards,
Mario

[SSHGuard-users] posfix - bots

Intelligently block brute-force attacks by aggregating system logs

[SSHGuard-users] posfix - bots