From: Mario B <ma...@su...> - 2019-01-03 08:33:00
Hi,

Would it be possible to block IP addresses from bots that are only trying to connect and stop at the auth?
Usually the pattern is "helo=1 auth=0/1 quit=1 commands=2/3"

postfix log excerpt:

Jan 3 07:08:58 xyz postfix/smtpd[64504]: connect from 59-124-9-251.HINET-IP.hinet.net[59.124.9.251]
Jan 3 07:08:59 xyz postfix/smtpd[64504]: disconnect from 59-124-9-251.HINET-IP.hinet.net[59.124.9.251] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:10:47 xyz postfix/smtpd[64504]: connect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
Jan 3 07:10:47 xyz postfix/smtpd[64504]: disconnect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:12:57 xyz postfix/smtpd[64523]: connect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148]
Jan 3 07:12:58 xyz postfix/smtpd[64523]: disconnect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:22:03 xyz postfix/smtpd[64595]: connect from cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202]
Jan 3 07:22:04 xyz postfix/smtpd[64595]: disconnect from cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:33:12 xyz postfix/smtpd[64632]: connect from 202077050129.static.ctinets.com[202.77.50.129]
Jan 3 07:33:13 xyz postfix/smtpd[64632]: disconnect from 202077050129.static.ctinets.com[202.77.50.129] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:42:05 xyz postfix/smtpd[64649]: connect from 218.221.208.186.yukanet.com.br[186.208.221.218]
Jan 3 07:42:05 xyz postfix/smtpd[64649]: disconnect from 218.221.208.186.yukanet.com.br[186.208.221.218] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:46:12 xyz postfix/smtpd[64671]: connect from 220-130-140-22.HINET-IP.hinet.net[220.130.140.22]
Jan 3 07:46:13 xyz postfix/smtpd[64671]: disconnect from 220-130-140-22.HINET-IP.hinet.net[220.130.140.22] helo=1 auth=0/1 quit=1 commands=2/3
Jan 3 07:48:21 xyz postfix/smtpd[64674]: connect from 210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210]
Jan 3 07:48:21 xyz postfix/smtpd[64674]: disconnect from 210.67.144.52.cust.ip.kpnqwest.it[52.144.67.210] helo=1 auth=0/1 quit=1 commands=2/3

Regards,
Mario
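An added example (not from the thread or from sshguard itself): a small Python detector that parses Postfix smtpd "disconnect from" summaries, matches exactly the helo=1 auth=0/1 quit=1 commands=2/3 signature, and only reports an IP once it has repeated the probe within a time window, which is the kind of threshold a blocker needs so that one odd session from a legitimate client is not enough to get it banned. The sample log embeds the disconnect lines quoted above plus one constructed legitimate delivery from 192.0.2.10; the threshold, window and year values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd session summary: "disconnect from host[ip] helo=1 auth=0/1 quit=1 commands=2/3".
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<counters>.*)$"
)
# Signature from the thread: HELO, one refused/incomplete AUTH, QUIT, nothing else.
PROBE = {"helo": "1", "auth": "0/1", "quit": "1", "commands": "2/3"}
MAIL_KEYS = ("mail", "rcpt", "data")  # any of these means a real delivery attempt

def parse_disconnect(line, year=2019):
    """Return (timestamp, ip, counters) for a disconnect line, else None.
    Syslog lines carry no year, so the caller supplies one (2019 as in the thread)."""
    m = DISCONNECT_RE.match(line)
    if not m:
        return None
    stamp = re.sub(r"\s+", " ", m["ts"])  # "Jan  3" and "Jan 3" both parse
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
    counters = dict(re.findall(r"(\w+)=(\S+)", m["counters"]))
    return ts, m["ip"], counters

def is_auth_probe(counters):
    """True only for the exact helo/auth/quit shape with no MAIL/RCPT/DATA."""
    return (all(counters.get(k) == v for k, v in PROBE.items())
            and not any(k in counters for k in MAIL_KEYS))

def probe_offenders(lines, threshold=2, window=timedelta(minutes=10), year=2019):
    """Map ip -> total probe count for IPs with >= threshold probes inside one window.
    A single odd session is ignored; a burst of identical probes is not (assumed values)."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_disconnect(line, year)
        if parsed and is_auth_probe(parsed[2]):
            seen[parsed[1]].append(parsed[0])
    offenders = {}
    for ip, times in seen.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders[ip] = len(times)
                break
    return offenders

# Constructed sample: disconnect lines quoted in the thread plus one legitimate
# delivery from 192.0.2.10 (documentation range) that must not be flagged.
SAMPLE_LOG = """\
Jan  3 07:08:59 xyz postfix/smtpd[64504]: disconnect from 59-124-9-251.HINET-IP.hinet.net[59.124.9.251] helo=1 auth=0/1 quit=1 commands=2/3
Jan  3 07:10:47 xyz postfix/smtpd[64504]: disconnect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1 auth=0/1 quit=1 commands=2/3
Jan  3 07:12:58 xyz postfix/smtpd[64523]: disconnect from 148.red-79-158-248.dynamicip.rima-tde.net[79.158.248.148] helo=1 auth=0/1 quit=1 commands=2/3
Jan  3 07:15:00 xyz postfix/smtpd[64530]: disconnect from mail.example.org[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan  3 07:22:04 xyz postfix/smtpd[64595]: disconnect from cmr-208-124-188-202.cr.net.cable.rogers.com[208.124.188.202] helo=1 auth=0/1 quit=1 commands=2/3
""".splitlines()
```

With the defaults, only 79.158.248.148 (two probes 2 minutes apart) is reported; the single-probe hosts and the legitimate delivery are not.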
From: Kevin Z. <kev...@gm...> - 2019-01-08 05:25:18
Hi Mario,

Sure. Could you explain, or point me to some documentation, that explains what that message means?

From taking a cursory look, it looks like postfix got HELO/EHLO, did not authenticate, and the client quit?

We're also interested in avoiding false positives. Could a legitimate client also generate that message?

Regards,
Kevin

On 1/3/19 2:12 AM, Mario B wrote:
> [...]
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: <li...@la...> - 2019-01-08 07:05:14
Those dynamic IP addresses can be filtered in postfix. I set this up so long ago that I don't recall the details, but this is the relevant line in postfix main.cf:

check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre

Google digs up:
http://postfix.1071664.n5.nabble.com/New-approach-with-fqrdns-pcre-file-td90262.html
https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre

If the original poster goes this route, I would suggest consulting the postfix mailing list.

On Mon, 7 Jan 2019 23:24:54 -0600
Kevin Zheng <kev...@gm...> wrote:
> [...]
From: Mario B <ma...@su...> - 2019-01-08 21:06:10
Hi,

I agree that dynamic IPs can be filtered in postfix. But in that case we could also deny legit email from servers which are not properly configured.

I was able to recreate this type of connection, which spam bots do. They connect to the server and send commands:
* helo
* auth
* quit
If the auth is not enabled, then they quit the session since they have nothing more to do.

Can this happen to a legit session? To tell you the truth, I don't know. Maybe someone from the postfix mailing list would know.

Regards,
Mario

Quoting li...@la...:
> [...]
From: Gary <li...@la...> - 2019-01-08 21:51:58
I have been using this blocker for about two years on the lowest level. I never blocked any legit email. I block way more spammers with this technique than I do with RBLs.

Even someone with a home server would have a static IP, if only to pass SPF. You really need SPF and DKIM to get most email servers to take your mail. Further, some like ATT will block your email if your IP is not from a major provider. They will whitelist a static IP upon request. They would never take a dynamic IP. So even if you don't block them, a server with a dynamic IP will often get rejected.

Again, take this up with the gurus on the postfix mailing list. The postfix author is on the list as well as the Ubuntu maintainer. These people are experts.

I am extremely averse to blocking legitimate email. I only run a few RBLs that I have verified are not giving me false positives. I don't even run SpamAssassin. I set my encryption at "may" though it pains me to do so. If I believed I was blocking legitimate email with this dynamic blocker, I wouldn't use it.

Original Message
From: ma...@su...
Sent: January 8, 2019 1:06 PM
To: li...@la...
Cc: kev...@gm...; ssh...@li...
Subject: Re: [SSHGuard-users] posfix - bots

[...]