List: fail2ban-users
Subject: Re: [Fail2ban-users] extra postfix bans
From: Gary Gapinski via Fail2ban-users <fail2ban-users () lists ! sourceforge ! net>
Date: 2020-03-25 6:26:07
Message-ID: dc62c1b8-685f-7b7a-3445-764fa1ed5cdb () garygapinski ! com
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I just updated <a href="https://github.com/GaryGapinski/fail2ban-extras/blob/master/filter.d/postfix-extra.conf#L22">https://github.com/GaryGapinski/fail2ban-extras/blob/master/filter.d/postfix-extra.conf#L22</a>
to account for that (had it in testing since 2020-02-21 but forgot
to commit the change). And I still have to devise and test a regex
to catch a "<tt>disconnect from … unknown=0/1</tt>".</p>
<p>The more common ("<tt>… lost connection after UNKNOWN …</tt>") ones
I've seen use a "HELP" command without the improper pipelining.
This was discussed on the fail2ban-users list last February:</p>
<p>
<blockquote type="cite">
<div class="moz-text-html" lang="x-unicode">
<div class="moz-cite-prefix">On 2/21/20 1:21 PM, Gary Gapinski
via Fail2ban-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ba31b453-807b-3667-0ec2-ecc8e5d1ca3f@garygapinski.com">I
had not previously noticed "lost connection after <u>UNKNOWN</u>…"
but will add that as well as the companion regex for the
disconnect.<br>
<tt>Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from
unknown[240e:f7:4f01:c::3]<br>
Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection
after UNKNOWN from unknown[240e:f7:4f01:c::3]<br>
Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from
unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2<br>
</tt></blockquote>
<p>I checked the packet capture for that encounter:
</p>
<pre><span style="color:#00007f; background-color:#ededfb;">220 example.com ESMTP Postfix</span>
<span style="color:#7f0000; background-color:#fbeded;">EHLO []</span>
<span style="color:#00007f; background-color:#ededfb;">250-example.com</span>
<span style="color:#00007f; background-color:#ededfb;">250-PIPELINING</span>
<span style="color:#00007f; background-color:#ededfb;">250-SIZE 10240000</span>
<span style="color:#00007f; background-color:#ededfb;">250-ETRN</span>
<span style="color:#00007f; background-color:#ededfb;">250-STARTTLS</span>
<span style="color:#00007f; background-color:#ededfb;">250-ENHANCEDSTATUSCODES</span>
<span style="color:#00007f; background-color:#ededfb;">250-8BITMIME</span>
<span style="color:#00007f; background-color:#ededfb;">250-DSN</span>
<span style="color:#00007f; background-color:#ededfb;">250-SMTPUTF8</span>
<span style="color:#00007f; background-color:#ededfb;">250 CHUNKING</span>
<span style="color:#7f0000; background-color:#fbeded;">HELP   (← after 2.31s delay which prompted two server TCP retransmissions)</span>
<span style="color:#00007f; background-color:#ededfb;">502 5.5.2 Error: command not recognized</span></pre>
<p>HELP is not implemented; the antecedent bogus EHLO would
have triggered a ban had a delivery been attempted (because
of <tt>smtpd_delay_reject = yes</tt>). However, there was
no delivery attempt so the session never arrived at "Helo
command rejected: need fully-qualified hostname" as the
client closed the session (without a QUIT) immediately after
receiving the 502.</p>
<p>The origin address had previously (repeatedly, for a
variety of transgressions dating back to August 2019) been
banned one week earlier and unbanned within the hour prior
to the 2020-02-11 SMTP session. Just prior to the session it
did a port 25 TCP connect and then an immediate reset (RST),
a commonly observed but curious practice. Such SYN, SYN-ACK,
RST sequences do not produce any log records.</p>
<p>IMO: anything evoking an unknown SMTP command response is
ban bait. That would include VRFY which is routinely
disabled.
</p>
</div>
</blockquote>
</p>
<p>Variant log entries just noticed:</p>
<pre>Feb 24 13:23:16 mail postfix/smtpd[14291]: connect from unknown[103.115.120.249]
Feb 24 13:23:16 mail postfix/smtpd[14291]: improper command pipelining after EHLO from unknown[103.115.120.249]: help\r\n\r\n
Feb 24 13:23:18 mail postfix/smtpd[14291]: too many errors after UNKNOWN from unknown[103.115.120.249]
Feb 24 13:23:18 mail postfix/smtpd[14291]: disconnect from unknown[103.115.120.249] ehlo=1 unknown=0/1 commands=1/2</pre>
<p>The fail2ban distribution's postfix.conf filter found that one.</p>
<br>
</body>
</html>
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
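As an added example (not code from the thread, from fail2ban's shipped postfix.conf, or from the linked postfix-extra.conf), the following Python scanner applies fail2ban-style failregex lines, including an assumed one for the "disconnect … unknown=0/1" summary the message still wanted a regex for, to the smtpd log lines quoted above. The `<HOST>` stand-in, the patterns, the maxretry logic and the sample log (the quoted lines plus one constructed well-behaved session) are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample: the smtpd lines quoted in the thread, plus one normal
# session (192.0.2.10) that must not match any rule.
SAMPLE_LOG = """\
Feb 11 12:17:39 mail postfix/smtpd[23758]: connect from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: lost connection after UNKNOWN from unknown[240e:f7:4f01:c::3]
Feb 11 12:17:42 mail postfix/smtpd[23758]: disconnect from unknown[240e:f7:4f01:c::3] ehlo=1 unknown=0/1 commands=1/2
Feb 24 13:23:16 mail postfix/smtpd[14291]: connect from unknown[103.115.120.249]
Feb 24 13:23:16 mail postfix/smtpd[14291]: improper command pipelining after EHLO from unknown[103.115.120.249]: help\\r\\n\\r\\n
Feb 24 13:23:18 mail postfix/smtpd[14291]: too many errors after UNKNOWN from unknown[103.115.120.249]
Feb 24 13:23:18 mail postfix/smtpd[14291]: disconnect from unknown[103.115.120.249] ehlo=1 unknown=0/1 commands=1/2
Feb 24 13:30:00 mail postfix/smtpd[14300]: disconnect from mx.example.net[192.0.2.10] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

# Assumed stand-in for fail2ban's <HOST> tag: the address in brackets after
# the client name (which is "unknown" when reverse DNS fails).
HOST = r"\S+\[(?P<host>[0-9A-Fa-f:.]+)\]"

# Assumed failregex lines (not fail2ban's shipped filter nor postfix-extra.conf).
FAILREGEX = [
    r"lost connection after UNKNOWN from <HOST>",
    r"too many errors after UNKNOWN from <HOST>",
    r"improper command pipelining after \S+ from <HOST>",
    # The disconnect summary the thread still wanted a regex for: match only
    # when unknown= shows at least one attempted (unrecognised) command.
    r"disconnect from <HOST>(?: \S+=\d+(?:/\d+)?)* unknown=\d+/[1-9]\d*",
]

_PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
_RULES = [(p, re.compile(_PREFIX + p.replace("<HOST>", HOST))) for p in FAILREGEX]

def scan(log_text):
    """Return (host, failregex) for every line that hits a rule; first rule wins."""
    hits = []
    for line in log_text.splitlines():
        for pattern, rx in _RULES:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), pattern))
                break
    return hits

def hosts_to_ban(hits, maxretry=3):
    """Hosts whose hit count reached maxretry (findtime window omitted here)."""
    counts = Counter(host for host, _ in hits)
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

With maxretry=3 only the pipelining host reaches a ban; the HELP-only IPv6 session accumulates two hits (lost connection plus the unknown=0/1 disconnect), which is why a separate regex for the disconnect line matters when maxretry is low.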