
Resolved SSL_accept error from

kojot

Regular Pleskian
Hello, in my syslog file I have daily hundreds of logs from the same IP
Code:
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: lost connection
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: lost connection after CONNECT from ip164.ip-192-99-119.net[192.99.119.164]
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: disconnect from ip164.ip-192-99-119.net[192.99.119.164]

I checked this IP; it is from Canada, and it is unfamiliar to me.
What are they trying?
Can I block a situation like this with fail2ban?
 
The jail won't block every single attempt, only repeated attempts from the same source. If the IP address shows up only once or twice, the jail won't block it.
 
Hi Peter,

I know about that single case,
but I have thousands of logs in my syslog file just for the last 12h.
I did not check it until yesterday.

I attached the log file.
 

Attachments

  • syslog.txt (1.8 MB)
I see. In this case the problem is that there is no suitable jail for the "lost connection after CONNECT" entries. Fail2ban default jails focus on authentication, but here no authentication is needed. Please see the filter configurations in /etc/fail2ban/filter.d, specifically postfix-sasl.conf and plesk-qmail.conf. They come close to what you need, but you will need to derive your own filter configuration from that if you want to create a profile that supports the "lost connection after CONNECT" entries. You will also need to edit the other corresponding files in /etc/fail2ban to run this individual additional filter. I don't know if you want to do that.

As an alternative, you can add 192.99.119.164 to iptables manually, like
# iptables -A INPUT -s 192.99.119.164 -j DROP
 
One more thing: I added it to iptables with that command but with no effect, but I added it via Plesk... I created a Firewall rule via Plesk.

But in syslog now I see the next things. Because I was overcrowded with the previous logs, I did not notice this.
Can you help me how to read this?
Code:
Jan 17 21:20:43 africka-sljiva spamd[909]: spamd: connection from localhost.localdomain [127.0.0.1]:60448 to port 783, fd 5
Jan 17 21:20:43 africka-sljiva spamd[2961]: prefork: child states: II
Jan 17 21:20:43 africka-sljiva dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<RJPbCFBG8AB/AAAB>
Jan 17 21:20:43 africka-sljiva dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<vZ/bCFBGkAB/AAAB>
Jan 17 21:20:43 africka-sljiva dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<3E7cCFBGxgB/AAAB>
Jan 17 21:20:43 africka-sljiva dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<yVrcCFBG1gB/AAAB>

I'm getting these logs every ~5 minutes.
 
If it is every five minutes, it looks like this is coming from webmail software. Hard to tell why the login is aborted. It's not right, but maybe a user has installed his own webmailer and not configured it correctly (with an empty account, e.g.).
 

Even though this thread is quite old, I still want to push it up again, suggesting an additional modification for your postfix jail:

You could have for example:
Code:
failregex = ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$

... which doesn't cover all the "SSL_accept error from" spammers. Consider adding as well:
Code:
failregex = ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
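To check what Peter's proposed custom filter and the two failregex lines above would actually catch, here is an added Python example (not fail2ban's own code and not posted by anyone in this thread) that runs both patterns over constructed log lines modelled on the ones quoted here and applies a maxretry threshold the way a jail does. The `__prefix_line` expansion is a hand-written approximation, not fail2ban's definition from common.conf.

```python
import re
from collections import Counter

# Approximation of fail2ban's __prefix_line for postfix/smtpd syslog lines
# (assumption: fail2ban itself builds this from filter.d/common.conf).
PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
# fail2ban replaces <HOST> with a capture group; IPv4 only is assumed here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines from the thread, with <HOST> expanded.
FAILREGEX = [
    re.compile(PREFIX + r"SSL_accept error from \S+\s*\[" + HOST + r"\]: lost connection$"),
    re.compile(PREFIX + r"SSL_accept error from \S+\s*\[" + HOST + r"\]: -1$"),
]

# Constructed sample: the three lines from the original post plus repeats and a
# second (documentation-range) source, so the threshold logic has something to count.
SAMPLE_LOG = [
    "Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: lost connection",
    "Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: lost connection after CONNECT from ip164.ip-192-99-119.net[192.99.119.164]",
    "Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: disconnect from ip164.ip-192-99-119.net[192.99.119.164]",
    "Jan 16 21:19:02 africka-sljiva postfix/smtpd[7951]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: lost connection",
    "Jan 16 21:19:44 africka-sljiva postfix/smtpd[7952]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: -1",
    "Jan 16 21:20:31 africka-sljiva postfix/smtpd[7953]: SSL_accept error from unknown[203.0.113.7]: -1",
]


def matching_hosts(lines):
    """Count one 'failure' per line that matches any failregex, keyed by <HOST>."""
    hits = Counter()
    for line in lines:
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break  # a line counts once even if several patterns match
    return hits


def hosts_to_ban(lines, maxretry=5):
    """Hosts reaching maxretry failures (findtime is assumed to span all lines)."""
    return sorted(h for h, n in matching_hosts(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(matching_hosts(SAMPLE_LOG)))
    print("would ban with maxretry=3:", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

Note that the "lost connection after CONNECT" and "disconnect from" lines never match either pattern, which is exactly the gap Peter described: only the SSL_accept lines count toward the ban.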
 