• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved SSL_accept error from

CoyoteKG

Regular Pleskian
Hello, in my syslog file I have daily hundreds logs from same IP
Code:
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: lost connection
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: lost connection after CONNECT from ip164.ip-192-99-119.net[192.99.119.164]
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: disconnect from ip164.ip-192-99-119.net[192.99.119.164]

I check this IP, it is from Canada, and it is unfamiliar to me.
What they trying?
Can I block situation like this with fail2ban?
 
The jail won't block every single attempt, but repeated attempts from the same source. If the IP address shows up only once or twice, the jail won't block it.
 
Hi Peter,

I know about that single case,
but I have thousands logs in my syslog file just for last 12h.
I did not checked it until yesterday

I attached the log file
 

Attachments

  • syslog.txt
    1.8 MB · Views: 2
I see. In this case the problem is, that there is no suitable jail for the "lost connection after CONNECT" entries. Fail2ban default jails focus on authentication, but here no authentication is needed. Please see the filter configurations in /etc/fail2ban/filter.d, specifically postfix-sasl.conf and plesk-qmail.conf. They come close to what you need, but you will need to derive your own filter configuration from that if you want to create a profile that supports the "lost connection after CONNECT" entries. You will also need to edit the other corresponding files in /etc/fail2ban to run this individual additional filter. I don't know if you want to do that.

As an alternative, you can add 192.99.119.164 to iptables manually, like
# iptables -A INPUT -s 192.99.119.164 -j DROP
 
One more thing, I added it to iptables with that command but with no effect, but I added it via Plesk... I created Firewall rule via Plesk.

But in syslog Now I see next things. Because I was overcrowded with previous logs, I did not noticed this.
Can you help me how to read this
Code:
Jan 17 21:20:43 africka-sljiva spamd[909]: spamd: connection from localhost.localdomain [127.0.0.1]:60448 to port 783, fd 5
Jan 17 21:20:43 africka-sljiva spamd[2961]: prefork: child states: II
Jan 17 21:20:43 africka-sljiva dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<RJPbCFBG8AB/AAAB>
Jan 17 21:20:43 africka-sljiva dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<vZ/bCFBGkAB/AAAB>
Jan 17 21:20:43 africka-sljiva dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<3E7cCFBGxgB/AAAB>
Jan 17 21:20:43 africka-sljiva dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<yVrcCFBG1gB/AAAB>

I'm getting this logs every ~5 minutes
 
If it is every five minutes, looks like this is coming from a webmail software. Hard to tell why the login is aborted. It's not right, but maybe a user has installed his own webmailer and not configured it correctly (with an empty account, e.g.)
 
Hello, in my syslog file I have daily hundreds logs from same IP
Code:
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: SSL_accept error from ip164.ip-192-99-119.net[192.99.119.164]: lost connection
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: lost connection after CONNECT from ip164.ip-192-99-119.net[192.99.119.164]
Jan 16 21:18:12 africka-sljiva postfix/smtpd[7950]: disconnect from ip164.ip-192-99-119.net[192.99.119.164]

I check this IP, it is from Canada, and it is unfamiliar to me.
What they trying?
Can I block situation like this with fail2ban?



Even that this thread is quite old, I still want to push it up again, suggesting to use an additional modification for your postfix - jail:

You could have for example:
Code:
failregex = ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$

... which doesn't cover all the "SSL_accept error from" - spammers. Consider to add as well:
Code:
failregex = ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
 
Back
Top