From: <li...@la...> - 2019-01-08 07:05:14
Those dynamic IP addresses can be filtered in postfix. I set this up so
long ago that I don't recall the details, but this is the relevant line
in postfix main.cf:

check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre

Google digs up:

http://postfix.1071664.n5.nabble.com/New-approach-with-fqrdns-pcre-file-td90262.html
https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre

If the original poster goes this route, I would suggest consulting the
postfix mailing list.

On Mon, 7 Jan 2019 23:24:54 -0600
Kevin Zheng <kev...@gm...> wrote:

> Hi Mario,
>
> Sure. Could you explain, or point me to some documentation, that
> explains what that message means?
>
> From taking a cursory look, it looks like postfix got HELO/EHLO, did
> not authenticate, and the client quit?
>
> We're also interested in avoiding false positives. Could a legitimate
> client also generate that message?
>
> Regards,
> Kevin
>
> On 1/3/19 2:12 AM, Mario B wrote:
> >
> > Hi,
> >
> > Would it be possible to block IP addresses from bots that are only
> > trying to connect and stop at the auth.
> > Usually the pattern is "helo=1 auth=0/1 quit=1 commands=2/3"
> >
> >
> > postfix log excerpt:
> >
> > Jan 3 07:08:58 xyz postfix/smtpd[64504]: connect from
> > 59-124-9-251.HINET-IP.hinet.net[59.124.9.251]
> > Jan 3 07:08:59 xyz postfix/smtpd[64504]: disconnect from
> > 59-124-9-251.HINET-IP.hinet.net[59.124.9.251] helo=1 auth=0/1
> > quit=1 commands=2/3
> > Jan 3 07:10:47 xyz postfix/smtpd[64504]: connect from
> > 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
> > Jan 3 07:10:47 xyz postfix/smtpd[64504]: disconnect from
> > 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1
> > auth=0/1 quit=1 commands=2/3
> > Jan 3 07:12:57 xyz postfix/smtpd[64523]: connect from
> > 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
> > Jan 3 07:12:58 xyz postfix/smtpd[64523]: disconnect from
> > 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1
> > auth=0/1 quit=1 commands=2/3
> > Jan 3 07:22:03 xyz postfix/smtpd[64595]: connect from
> > cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202]
> > Jan 3 07:22:04 xyz postfix/smtpd[64595]: disconnect from
> > cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202] helo=1
> > auth=0/1 quit=1 commands=2/3
> > Jan 3 07:33:12 xyz postfix/smtpd[64632]: connect from
> > 202077050129.static.ctinets.com[202.77.50.129]
> > Jan 3 07:33:13 xyz postfix/smtpd[64632]: disconnect from
> > 202077050129.static.ctinets.com[202.77.50.129] helo=1 auth=0/1
> > quit=1 commands=2/3
> > Jan 3 07:42:05 xyz postfix/smtpd[64649]: connect from
> > 218.221.208.186.yukanet.com.br[186.208.221.218]
> > Jan 3 07:42:05 xyz postfix/smtpd[64649]: disconnect from
> > 218.221.208.186.yukanet.com.br[186.208.221.218] helo=1 auth=0/1
> > quit=1 commands=2/3
> > Jan 3 07:46:12 xyz postfix/smtpd[64671]: connect from
> > 220-130-140-22.HINET-IP.hinet.net[220.130.140.22]
> > Jan 3 07:46:13 xyz postfix/smtpd[64671]: disconnect from
> > 220-130-140-22.HINET-IP.hinet.net[220.130.140.22] helo=1 auth=0/1
> > quit=1 commands=2/3
> > Jan 3 07:48:21 xyz postfix/smtpd[64674]: connect from
> > 210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210]
> > Jan 3 07:48:21 xyz postfix/smtpd[64674]: disconnect from
> > 210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210] helo=1 auth=0/1
> > quit=1 commands=2/3
> >
> >
> > Regards,
> > Mario
> >
> >
> > _______________________________________________
> > sshguard-users mailing list
> > ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
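The "helo=1 auth=0/1 quit=1" pattern Mario describes, turned into a small log check. This is an added example, not code from this thread, from sshguard or from Postfix; the sample log lines are constructed and use documentation IP ranges. It parses Postfix smtpd "disconnect from" summary lines, flags sessions that attempted AUTH without a single success and never reached MAIL/RCPT, and only reports an IP after repeated hits, which is one way to address Kevin's false-positive concern about a legitimate client that mistypes its password once.

```python
import re
from collections import Counter

# Postfix smtpd "disconnect from" summary line, e.g.
#   ... postfix/smtpd[64504]: disconnect from host[1.2.3.4] helo=1 auth=0/1 quit=1 commands=2/3
# "auth=0/1" means 0 successful AUTH commands out of 1 attempted.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
    r"(?P<fields>(?: [a-z-]+=\d+(?:/\d+)?)*)"
)

def parse_disconnect(line):
    """Return {"ip", "host", "fields": {name: (ok, total)}}, or None for other lines."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    fields = {}
    for name, val in re.findall(r"([a-z-]+)=(\d+(?:/\d+)?)", m.group("fields")):
        ok, _, total = val.partition("/")          # "0/1" -> (0, 1); "1" -> (1, 1)
        fields[name] = (int(ok), int(total) if total else int(ok))
    return {"ip": m.group("ip"), "host": m.group("host"), "fields": fields}

def is_auth_probe(rec):
    """AUTH attempted, never succeeded, and no MAIL/RCPT: the pattern from the thread."""
    f = rec["fields"]
    auth_ok, auth_total = f.get("auth", (0, 0))
    return auth_total > 0 and auth_ok == 0 and "mail" not in f and "rcpt" not in f

def auth_probe_candidates(lines, threshold=2):
    """Map IP -> hit count for IPs matching the probe pattern at least `threshold` times."""
    # A single hit can be a real user with a mistyped password, so require repeats.
    counts = Counter(rec["ip"] for rec in map(parse_disconnect, lines)
                     if rec and is_auth_probe(rec))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log (documentation IP ranges; not the thread's real log lines)
SAMPLE_LOG = """\
Jan 3 07:08:58 xyz postfix/smtpd[64504]: connect from bot1.example.net[192.0.2.10]
Jan 3 07:08:59 xyz postfix/smtpd[64504]: disconnect from bot1.example.net[192.0.2.10] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:10:47 xyz postfix/smtpd[64504]: disconnect from bot1.example.net[192.0.2.10] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:12:58 xyz postfix/smtpd[64523]: disconnect from user.example.org[198.51.100.7] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:22:04 xyz postfix/smtpd[64595]: disconnect from user.example.org[198.51.100.7] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jan 3 07:33:13 xyz postfix/smtpd[64632]: disconnect from relay.example.com[203.0.113.5] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
""".splitlines()

if __name__ == "__main__":
    for ip, n in auth_probe_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {n} auth-probe disconnects")
```

Feeding the same check with a longer window and a higher threshold is how the output would be turned into a block decision; the example stops at reporting candidates.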