How to prevent the fail2ban logs: lost connection after auth from unknown
Output of the fail2ban log file
Jul 20 14:57:56 mattionline postfix/smtpd[997]: connect from unknown[103.238.231.244]
Jul 20 14:57:56 mattionline postfix/smtpd[997]: lost connection after CONNECT from unknown[103.238.231.244]
Jul 20 14:57:56 mattionline postfix/smtpd[997]: disconnect from unknown[103.238.231.244]
Jul 20 14:57:58 mattionline postfix/smtpd[1000]: lost connection after AUTH from unknown[103.238.231.244]
Jul 20 14:57:58 mattionline postfix/smtpd[1000]: disconnect from unknown[103.238.231.244]
Jul 20 14:58:10 mattionline postfix/smtpd[997]: connect from unknown[103.238.231.244]
Jul 20 14:58:10 mattionline postfix/smtpd[997]: lost connection after CONNECT from unknown[103.238.231.244]
Jul 20 14:58:10 mattionline postfix/smtpd[997]: disconnect from unknown[103.238.231.244]
Jul 20 14:58:11 mattionline postfix/smtpd[1000]: connect from unknown[103.238.231.244]
I found a lot of connect, lost connection and disconnect messages in my fail2ban logs. The logs were totally full of those postfix/smtpd lines, day after day. Now the question is: how can you block them? Those IP addresses were totally unknown and not from any of my devices.
fail2ban solution
I have created a postfix-auth section in the jail.local file. You have to adjust the log path of the mail.log if you configured another path.
nano /etc/fail2ban/jail.local
[postfix-auth]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled = true
port = smtp,ssmtp
filter = postfix-auth
logpath = /var/log/mail.log
maxretry = 6
bantime = 600
findtime = 600
After that you create your own postfix-auth filter. This regex searches for those log entries.
nano /etc/fail2ban/filter.d/postfix-auth.conf
[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
After restarting fail2ban, the filter starts working.
It searches the mail.log file for those lines and blocks the IP address with iptables.
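To see what the filter and jail above actually catch, this added example (not part of the original article and not fail2ban's own code) applies the article's failregex, maxretry and findtime to constructed log lines. The IPv4-only stand-in for `<HOST>`, the year and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Filter and jail values from the article.
FAILREGEX = r"lost connection after AUTH from (.*)\[<HOST>\]"
MAXRETRY, FINDTIME = 6, 600

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))


def parse_time(line, year=2024):
    # Syslog timestamps carry no year; the year here is an assumption.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (matches per host, hosts reaching maxretry within findtime)."""
    recent = defaultdict(deque)   # per-host timestamps inside the window
    failures = defaultdict(int)   # per-host total matches
    banned = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue  # connect / disconnect / "after CONNECT" lines land here
        host, now = m.group("host"), parse_time(line)
        failures[host] += 1
        window = recent[host]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return dict(failures), banned


# Constructed sample lines; both addresses are documentation ranges.
PREFIX = "mattionline postfix/smtpd[1000]: "
SAMPLE = [f"Jul 20 14:57:{s:02d} {PREFIX}connect from unknown[203.0.113.7]" for s in (1, 2)]
SAMPLE.append(f"Jul 20 14:57:03 {PREFIX}lost connection after CONNECT from unknown[203.0.113.7]")
SAMPLE += [f"Jul 20 14:58:{s:02d} {PREFIX}lost connection after AUTH from unknown[203.0.113.7]"
           for s in range(0, 60, 10)]
SAMPLE.append(f"Jul 20 15:30:00 {PREFIX}lost connection after AUTH from unknown[198.51.100.9]")

if __name__ == "__main__":
    counts, banned = simulate(SAMPLE)
    print("matches per host:", counts)
    print("would be banned:", banned)
```

On the server itself, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-auth.conf` runs the real filter against the real log and reports how many lines it matches.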
Thanks, I was just about to develop the same thing myself 😉
Then the blog article has at least helped one person already 😀
Thanks, it helped me too.
Perfect, thank you very much!