fail2ban – lost connection after auth from unknown

How to prevent the fail2ban logs: lost connection after auth from unknown


Output of the fail2ban log file

Jul 20 14:57:56 mattionline postfix/smtpd[997]: connect from unknown[103.238.231.244]
Jul 20 14:57:56 mattionline postfix/smtpd[997]: lost connection after CONNECT from unknown[103.238.231.244]
Jul 20 14:57:56 mattionline postfix/smtpd[997]: disconnect from unknown[103.238.231.244]
Jul 20 14:57:58 mattionline postfix/smtpd[1000]: lost connection after AUTH from unknown[103.238.231.244]
Jul 20 14:57:58 mattionline postfix/smtpd[1000]: disconnect from unknown[103.238.231.244]
Jul 20 14:58:10 mattionline postfix/smtpd[997]: connect from unknown[103.238.231.244]
Jul 20 14:58:10 mattionline postfix/smtpd[997]: lost connection after CONNECT from unknown[103.238.231.244]
Jul 20 14:58:10 mattionline postfix/smtpd[997]: disconnect from unknown[103.238.231.244]
Jul 20 14:58:11 mattionline postfix/smtpd[1000]: connect from unknown[103.238.231.244]

I found a lot of connect, lost connection and disconnect messages in my fail2ban logs. Day after day, the logs were completely full of these postfix/smtpd lines. The question is how to block them. The IP addresses were completely unknown to me and did not belong to any of my devices.

fail2ban solution

I have created a postfix-auth section in the jail.local file. You have to adjust the log path of the mail.log if you configured another path.

nano /etc/fail2ban/jail.local

[postfix-auth]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled = true
port = smtp,ssmtp
filter = postfix-auth
logpath = /var/log/mail.log
maxretry = 6
bantime = 600
findtime = 600

After that, create your own postfix-auth filter. This regex searches for those log entries.

nano /etc/fail2ban/filter.d/postfix-auth.conf

[Definition]
# <HOST> is fail2ban's placeholder for the address to ban; the filter must
# contain it, or fail2ban cannot extract the IP from the matched line.
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =

After a restart of fail2ban, the filter starts working.

It searches the mail.log file for those lines and blocks the IP address with iptables.
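As an added example (not part of the original post), the following Python script runs the filter's regex over constructed log lines in the format shown above and applies the jail's maxretry/findtime decision, so you can see which lines match and when a host would be banned. It assumes a simplified stand-in for fail2ban's `<HOST>` expansion (IPv4/IPv6 addresses only) and the page's example hostname and IP; the second host in the sample is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the log above; the hostname and IP are the
# page's example values, the last line is a constructed second host.
SAMPLE_LOG = """\
Jul 20 14:57:56 mattionline postfix/smtpd[997]: connect from unknown[103.238.231.244]
Jul 20 14:57:56 mattionline postfix/smtpd[997]: lost connection after CONNECT from unknown[103.238.231.244]
Jul 20 14:57:58 mattionline postfix/smtpd[1000]: lost connection after AUTH from unknown[103.238.231.244]
Jul 20 14:58:11 mattionline postfix/smtpd[1000]: lost connection after AUTH from unknown[103.238.231.244]
Jul 20 14:58:30 mattionline postfix/smtpd[1001]: lost connection after AUTH from unknown[103.238.231.244]
Jul 20 14:58:45 mattionline postfix/smtpd[1001]: lost connection after AUTH from unknown[103.238.231.244]
Jul 20 14:59:02 mattionline postfix/smtpd[1002]: lost connection after AUTH from unknown[103.238.231.244]
Jul 20 14:59:20 mattionline postfix/smtpd[1002]: lost connection after AUTH from unknown[103.238.231.244]
Jul 20 15:30:00 mattionline postfix/smtpd[1003]: lost connection after AUTH from mail.example.net[203.0.113.9]
"""

# The failregex with fail2ban's <HOST> tag, which the filter must contain so the
# daemon knows which group is the address to ban. HOST_GROUP is a simplified
# stand-in for fail2ban's own expansion (IPv4/IPv6 only, no hostnames).
FAILREGEX = r"lost connection after AUTH from (.*)\[<HOST>\]"
HOST_GROUP = r"(?P<host>[0-9a-fA-F.:]+)"
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
                  + FAILREGEX.replace("<HOST>", HOST_GROUP))

def matches(log_text):
    """(timestamp, host) for every line the failregex matches; only AUTH lines."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            hits.append((datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")))
    return hits

def hosts_to_ban(log_text, maxretry=6, findtime=600):
    """Hosts with at least maxretry matches inside a findtime-second window,
    i.e. the jail's maxretry = 6 / findtime = 600 decision."""
    recent, banned = {}, set()
    for ts, host in matches(log_text):
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

def matches_without_host_tag(log_text):
    """Without <HOST>, a pattern ending in an escaped [] matches only empty brackets."""
    return [l for l in log_text.splitlines() if re.search(r"lost connection after AUTH from (.*)\[\]", l)]
```

On the real system, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-auth.conf` performs the same check against your actual log and filter file.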

JonDoe

Thanks, I was just about to develop the same thing myself 😉