fail2ban – lost connection after auth from unknown

How to prevent the fail2ban logs: lost connection after auth from unknown

lost connection after auth from unknown

Output of the fail2ban log file

Jul 20 14:57:56 mattionline postfix/smtpd[997]: connect from unknown[103.238.231.244]
Jul 20 14:57:56 mattionline postfix/smtpd[997]: lost connection after CONNECT from unknown[103.238.231.244]
Jul 20 14:57:56 mattionline postfix/smtpd[997]: disconnect from unknown[103.238.231.244]
Jul 20 14:57:58 mattionline postfix/smtpd[1000]: lost connection after AUTH from unknown[103.238.231.244]
Jul 20 14:57:58 mattionline postfix/smtpd[1000]: disconnect from unknown[103.238.231.244]
Jul 20 14:58:10 mattionline postfix/smtpd[997]: connect from unknown[103.238.231.244]
Jul 20 14:58:10 mattionline postfix/smtpd[997]: lost connection after CONNECT from unknown[103.238.231.244]
Jul 20 14:58:10 mattionline postfix/smtpd[997]: disconnect from unknown[103.238.231.244]
Jul 20 14:58:11 mattionline postfix/smtpd[1000]: connect from unknown[103.238.231.244]

I found a lot of connect, lost connection and disconnect messages in my fail2ban logs. The logs were totally full of those postfix/smtpd lines. From day to day. Now the question is how you can block them? Those ip addresses were totally unknown and not from any of my devices.

fail2ban solution

I have created a postfix-auth section in the jail.local file. You have to adjust the log path of the mail.log, if you configured a other path.

nano /etc/fail2ban/jail.local

[postfix-auth]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled = true
port = smtp,ssmtp
filter = postfix-auth
logpath = /var/log/mail.log
maxretry = 6
bantime = 600
findtime = 600

After that you create your own postfix-auth filter. This regex searches for those log entries.

nano /etc/fail2ban/filter.d/postfix-auth.conf

[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =

After a restart of fail2ban the filter is starting to work.

It searches the mail.log file for those lines and blocks the ip address with iptables.

2 Kommentare zu „fail2ban – lost connection after auth from unknown“

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Scroll to Top