
Resolved SSL_accept error from

CoyoteKG

Regular Pleskian
Hello, in my syslog file I have hundreds of logs daily from the same IP
Code:
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: lost connection
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: lost connection after CONNECT from ip164.ip-192-99-119.net[192.99.119.164]
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: disconnect from ip164.ip-192-99-119.net[192.99.119.164]

I checked this IP; it is from Canada, and it is unfamiliar to me.
What are they trying?
Can I block situations like this with fail2ban?
 
The jail won't block every single attempt, but repeated attempts from the same source. If the IP address shows up only once or twice, the jail won't block it.
 
Hi Peter,

I know about that single case,
but I have thousands of logs in my syslog file just for the last 12h.
I did not check it until yesterday.

I attached the log file
 

Attachments: syslog.txt (1.8 MB)
I see. In this case the problem is that there is no suitable jail for the "lost connection after CONNECT" entries. Fail2ban default jails focus on authentication, but here no authentication is needed. Please see the filter configurations in /etc/fail2ban/filter.d, specifically postfix-sasl.conf and plesk-qmail.conf. They come close to what you need, but you will need to derive your own filter configuration from them if you want to create a profile that supports the "lost connection after CONNECT" entries. You will also need to edit the other corresponding files in /etc/fail2ban to run this individual additional filter. I don't know if you want to do that.

As an alternative, you can add 192.99.119.164 to iptables manually, like
# iptables -A INPUT -s 192.99.119.164 -j DROP
 
One more thing: I added it to iptables with that command, but with no effect; then I added it via Plesk... I created a Firewall rule via Plesk.

But in syslog now I see the following things. Because I was overwhelmed with the previous logs, I did not notice this.
Can you help me understand how to read this?
Code:
Jan 17 21:20:43 africka-sljiva spamd[909]: spamd: connection from localhost.localdomain [127.0.0.1]:60448 to port 783, fd 5
Jan 17 21:20:43 africka-sljiva spamd[2961]: prefork: child states: II
Jan 17 21:20:43 africka-sljiva dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<RJPbCFBG8AB/AAAB>
Jan 17 21:20:43 africka-sljiva dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<vZ/bCFBGkAB/AAAB>
Jan 17 21:20:43 africka-sljiva dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<3E7cCFBGxgB/AAAB>
Jan 17 21:20:43 africka-sljiva dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<yVrcCFBG1gB/AAAB>

I'm getting these logs every ~5 minutes.
 
If it is every five minutes, it looks like this is coming from webmail software. It's hard to tell why the login is aborted. It's not right, but maybe a user has installed his own webmailer and not configured it correctly (with an empty account, e.g.).
 
Even though this thread is quite old, I still want to push it up again, suggesting an additional modification for your postfix jail:

You could have for example:
Code:
failregex = ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$

... which doesn't cover all the "SSL_accept error from" spammers. Consider adding as well:
Code:
failregex = ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
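Before wiring a hand-derived filter (as suggested earlier in the thread) into a jail, it helps to see exactly which syslog lines the two failregex lines above catch and which source addresses would cross a maxretry threshold. The following Python script is an added example, not code from this thread, from fail2ban, or from Plesk: it emulates the core of `fail2ban-regex` by expanding fail2ban's `<HOST>` tag and the `%(__prefix_line)s` macro with simplified stand-ins, running both patterns over constructed log lines in the format posted above, and counting hits per host. The filter file name, the `before = common.conf` include, the simplified prefix/host patterns, and the sample addresses 203.0.113.7 and 198.51.100.20 are assumptions.

```python
"""Offline dry run of the two failregex lines from this thread.

Added example, not code from the thread, fail2ban or Plesk. It emulates the
core of `fail2ban-regex`: expand the <HOST> tag and the __prefix_line macro,
run each pattern over log lines, and count hits per source address against a
jail's maxretry. PREFIX_LINE and HOST_RE are simplified stand-ins for the
definitions in fail2ban's common.conf and failregex code, not copies of them.
"""
import re
from collections import Counter

# Assumed filter content (e.g. /etc/fail2ban/filter.d/postfix-ssl-accept.conf).
# The two failregex lines are the ones posted in the thread; "before = common.conf"
# is how the stock postfix filters pick up __prefix_line.
FILTER_TEXT = r"""
[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$
            ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
"""

# Simplified stand-in for common.conf's __prefix_line: optional syslog timestamp,
# hostname, then "daemon[pid]: ".
PREFIX_LINE = r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+)?\S+\s+\S+?\[\d+\]:\s+"
# Stand-in for fail2ban's <HOST> tag: hostname or IPv4/IPv6, optional ::ffff: prefix.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample lines in the format posted in the thread. 203.0.113.7 and
# 198.51.100.20 are documentation addresses, not real offenders.
SAMPLE_SYSLOG = """\
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: lost connection
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: lost connection after CONNECT from ip164.ip-192-99-119.net[192.99.119.164]
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: disconnect from ip164.ip-192-99-119.net[192.99.119.164]
Jan 16 21:19:40 africka-sljiva postfix/smtpd[7950]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: lost connection
Jan 16 21:21:03 africka-sljiva postfix/smtpd[7951]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: -1
Jan 16 21:25:00 africka-sljiva postfix/smtpd[7952]: SSL_accept error from unknown[203.0.113.7]: -1
Jan 16 21:26:00 africka-sljiva postfix/smtpd[7952]: connect from mail.example.org[198.51.100.20]
Jan 17 21:20:43 africka-sljiva dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<3E7cCFBGxgB/AAAB>
"""


def load_failregex(filter_text):
    """Extract the failregex list from a [Definition] section (indented lines
    continue the value) and expand the two macros into compiled regexes."""
    patterns, collecting = [], False
    for raw in filter_text.splitlines():
        if raw.startswith("failregex"):
            patterns.append(raw.split("=", 1)[1].strip())
            collecting = True
        elif collecting and raw[:1].isspace() and raw.strip():
            patterns.append(raw.strip())
        else:
            collecting = False
    return [
        re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_RE))
        for p in patterns
    ]


def scan(log_text, patterns):
    """Count lines matching any failregex, keyed by the captured <HOST>."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def would_ban(hits, maxretry):
    """Hosts that reached the jail's maxretry (the findtime window is not modelled)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    pats = load_failregex(FILTER_TEXT)
    hits = scan(SAMPLE_SYSLOG, pats)
    for host, n in hits.most_common():
        print(f"{host}: {n} hit(s)")
    print("would ban with maxretry=3:", would_ban(hits, 3))
    # With only the first failregex, the "-1" variants are missed entirely
    print("first regex only:", dict(scan(SAMPLE_SYSLOG, pats[:1])))
```

Against the constructed sample, 192.99.119.164 collects three hits (two "lost connection", one "-1") and 203.0.113.7 one; with only the first failregex the "-1" lines are not counted at all, which is the gap the second pattern closes. For the real thing, save the filter as /etc/fail2ban/filter.d/postfix-ssl-accept.conf (name assumed), check it with `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/postfix-ssl-accept.conf`, then enable a jail in jail.local with `filter = postfix-ssl-accept`, `logpath = /var/log/syslog`, and a maxretry/findtime pair that fits the rate you see; the toy above ignores findtime, so it counts more generously than fail2ban, which only bans when maxretry matches fall inside that window.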
 