From: Kevin Z. <kev...@gm...> - 2019-01-08 05:25:18

Hi Mario,

Sure. Could you explain, or point me to some documentation, that explains what that message means? From taking a cursory look, it looks like postfix got HELO/EHLO, did not authenticate, and the client quit?

We're also interested in avoiding false positives. Could a legitimate client also generate that message?

Regards,
Kevin

On 1/3/19 2:12 AM, Mario B wrote:
> Hi,
>
> Would it be possible to block IP addresses from bots that are only
> trying to connect and stop at the auth.
> Usually the pattern is "helo=1 auth=0/1 quit=1 commands=2/3"
>
> postfix log excerpt:
>
> Jan 3 07:08:58 xyz postfix/smtpd[64504]: connect from 59-124-9-251.HINET-IP.hinet.net[59.124.9.251]
> Jan 3 07:08:59 xyz postfix/smtpd[64504]: disconnect from 59-124-9-251.HINET-IP.hinet.net[59.124.9.251] helo=1 auth=0/1 quit=1 commands=2/3
> Jan 3 07:10:47 xyz postfix/smtpd[64504]: connect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
> Jan 3 07:10:47 xyz postfix/smtpd[64504]: disconnect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1 auth=0/1 quit=1 commands=2/3
> Jan 3 07:12:57 xyz postfix/smtpd[64523]: connect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
> Jan 3 07:12:58 xyz postfix/smtpd[64523]: disconnect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1 auth=0/1 quit=1 commands=2/3
> Jan 3 07:22:03 xyz postfix/smtpd[64595]: connect from cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202]
> Jan 3 07:22:04 xyz postfix/smtpd[64595]: disconnect from cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202] helo=1 auth=0/1 quit=1 commands=2/3
> Jan 3 07:33:12 xyz postfix/smtpd[64632]: connect from 202077050129.static.ctinets.com[202.77.50.129]
> Jan 3 07:33:13 xyz postfix/smtpd[64632]: disconnect from 202077050129.static.ctinets.com[202.77.50.129] helo=1 auth=0/1 quit=1 commands=2/3
> Jan 3 07:42:05 xyz postfix/smtpd[64649]: connect from 218.221.208.186.yukanet.com.br[186.208.221.218]
> Jan 3 07:42:05 xyz postfix/smtpd[64649]: disconnect from 218.221.208.186.yukanet.com.br[186.208.221.218] helo=1 auth=0/1 quit=1 commands=2/3
> Jan 3 07:46:12 xyz postfix/smtpd[64671]: connect from 220-130-140-22.HINET-IP.hinet.net[220.130.140.22]
> Jan 3 07:46:13 xyz postfix/smtpd[64671]: disconnect from 220-130-140-22.HINET-IP.hinet.net[220.130.140.22] helo=1 auth=0/1 quit=1 commands=2/3
> Jan 3 07:48:21 xyz postfix/smtpd[64674]: connect from 210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210]
> Jan 3 07:48:21 xyz postfix/smtpd[64674]: disconnect from 210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210] helo=1 auth=0/1 quit=1 commands=2/3
>
> Regards,
> Mario
>
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
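Detection logic for the pattern Mario describes, as an added example that is not part of this thread or of sshguard's own code: it parses Postfix smtpd "disconnect from" lines, flags those where AUTH was attempted but never succeeded (Postfix writes the counter as auth=<succeeded>/<attempted> when the two differ), and applies a per-IP threshold so that a single mistyped password, the false positive Kevin asks about, is not treated as a bot. The log lines, hostnames and addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log. Lines 1-3 mirror the excerpt's pattern (one
# AUTH attempt, zero successes); line 4 is a client that authenticated
# and sent mail; line 5 is a client that only said EHLO and quit.
SAMPLE_LOG = """\
Jan  3 07:08:59 xyz postfix/smtpd[64504]: disconnect from host-a.example[192.0.2.10] helo=1 auth=0/1 quit=1 commands=2/3
Jan  3 07:10:47 xyz postfix/smtpd[64504]: disconnect from host-b.example[192.0.2.20] helo=1 auth=0/1 quit=1 commands=2/3
Jan  3 07:12:58 xyz postfix/smtpd[64523]: disconnect from host-b.example[192.0.2.20] helo=1 auth=0/1 quit=1 commands=2/3
Jan  3 07:15:00 xyz postfix/smtpd[64530]: disconnect from host-c.example[192.0.2.30] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jan  3 07:16:00 xyz postfix/smtpd[64531]: disconnect from host-d.example[192.0.2.40] ehlo=1 quit=1 commands=2
"""

# syslog timestamp, host, smtpd[pid], then "disconnect from name[ip] counters"
DISCONNECT_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from \S+\[(?P<ip>[^\]]+)\] (?P<counters>.*)$"
)
# "auth=1" means every AUTH succeeded; "auth=0/1" means 0 of 1 succeeded.
AUTH_RE = re.compile(r"\bauth=(?P<ok>\d+)(?:/(?P<tried>\d+))?")


def failed_auth_ip(line):
    """Return the client IP if this disconnect line shows AUTH was tried
    and never succeeded; None for non-matching lines, successful logins,
    and clients that never issued AUTH at all."""
    m = DISCONNECT_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.search(m.group("counters"))
    if not a:
        return None  # no AUTH command: not a credential probe
    ok = int(a.group("ok"))
    tried = int(a.group("tried") or ok)
    return m.group("ip") if tried > 0 and ok == 0 else None


def offenders(log_text, threshold=2):
    """Count failed-AUTH disconnects per IP and return those that reach
    the threshold; one failure alone is left alone to limit false positives."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ip = failed_auth_ip(line)
        if ip:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # {'192.0.2.20': 2}
```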