Server postfix attacked

  • Hi friends,


    I have a small problem with my server.
    I do not know how to stop the large number of connections being made to postfix.
    My problem is not the connections;
    it is fail2ban.
    On my small VPS, being always at work it consumes much of the CPU, making
    the server slow for the few sites it has; it is continuous, thousands per
    hour, and I do not know how to stop or ban this type of attack.


    Any help or advice will be very welcome


    thanks


    -----------------------------


    Apr 4 20:01:00 server postfix/smtpd[3914]: lost connection after UNKNOWN from unknown[77.225.163.26]
    Apr 4 20:01:00 server postfix/smtpd[3914]: disconnect from unknown[77.225.163.26]
    Apr 4 20:01:01 server postfix/smtpd[3913]: connect from unknown[115.186.224.198]
    Apr 4 20:01:01 server postfix/smtpd[3933]: connect from 196-210-131-215.dynamic.isadsl.co.za[196.210.131.215]
    Apr 4 20:01:01 server postfix/smtpd[3944]: lost connection after UNKNOWN from unknown[105.157.147.93]
    Apr 4 20:01:01 server postfix/smtpd[3944]: disconnect from unknown[105.157.147.93]
    Apr 4 20:01:01 server postfix/smtpd[3949]: lost connection after UNKNOWN from LSt-Amand-152-32-6-216.w80-13.abo.wanadoo.fr[80.13.245.216]
    Apr 4 20:01:01 server postfix/smtpd[3949]: disconnect from LSt-Amand-152-32-6-216.w80-13.abo.wanadoo.fr[80.13.245.216]
    Apr 4 20:01:02 server postfix/smtpd[3886]: lost connection after UNKNOWN from p578a6a41.dip0.t-ipconnect.de[87.138.106.65]
    Apr 4 20:01:02 server postfix/smtpd[3886]: disconnect from p578a6a41.dip0.t-ipconnect.de[87.138.106.65]
    Apr 4 20:01:02 server postfix/smtpd[3927]: warning: hostname static.vdc.vn does not resolve to address 123.25.36.88
    Apr 4 20:01:02 server postfix/smtpd[3927]: connect from unknown[123.25.36.88]
    Apr 4 20:01:02 server postfix/smtpd[3945]: connect from 24-119-181-218.cpe.cableone.net[24.119.181.218]
    Apr 4 20:01:02 server postfix/smtpd[3932]: warning: hostname 137.109.201.49-static.tataidc.co.in does not resolve to address 49.201.109.137: Name or service not known
    Apr 4 20:01:02 server postfix/smtpd[3932]: connect from unknown[49.201.109.137]
    Apr 4 20:01:02 server postfix/smtpd[3942]: lost connection after UNKNOWN from unknown[39.41.15.60]
    Apr 4 20:01:02 server postfix/smtpd[3942]: disconnect from unknown[39.41.15.60]
    Apr 4 20:01:02 server postfix/smtpd[3866]: lost connection after UNKNOWN from unknown[115.241.23.37]
    Apr 4 20:01:02 server postfix/smtpd[3866]: disconnect from unknown[115.241.23.37]
    Apr 4 20:01:03 server postfix/smtpd[3916]: lost connection after UNKNOWN from crv35.ncocc.net[208.108.115.35]
    Apr 4 20:01:03 server postfix/smtpd[3916]: disconnect from crv35.ncocc.net[208.108.115.35]
    Apr 4 20:01:03 server postfix/smtpd[3879]: warning: hostname 85.96.198.64.static.ttnet.com.tr does not resolve to address 85.96.198.64: Name or service not known
    Apr 4 20:01:03 server postfix/smtpd[3879]: connect from unknown[85.96.198.64]
    Apr 4 20:01:03 server postfix/smtpd[3940]: lost connection after UNKNOWN from unknown[41.224.8.118]
    Apr 4 20:01:03 server postfix/smtpd[3940]: disconnect from unknown[41.224.8.118]
    Apr 4 20:01:03 server postfix/smtpd[3930]: connect from unknown[125.167.207.184]
    Apr 4 20:01:03 server postfix/smtpd[3939]: connect from mrd1174875.lnk.telstra.net[120.150.58.157]
    Apr 4 20:01:03 server postfix/smtpd[3907]: connect from unknown[203.92.95.188]
    Apr 4 20:01:03 server postfix/smtpd[3928]: warning: hostname static-26-163-225-77.ipcom.comunitel.net does not resolve to address 77.225.163.26: Name or service not known
    Apr 4 20:01:03 server postfix/smtpd[3928]: connect from unknown[77.225.163.26]
    Apr 4 20:01:03 server postfix/smtpd[3918]: lost connection after UNKNOWN from nkugateway.nku.edu[192.122.237.11]
    Apr 4 20:01:03 server postfix/smtpd[3918]: disconnect from nkugateway.nku.edu[192.122.237.11]
    Apr 4 20:01:04 server postfix/smtpd[3881]: lost connection after UNKNOWN from unknown[183.16.34.167]
    Apr 4 20:01:04 server postfix/smtpd[3881]: disconnect from unknown[183.16.34.167]
    Apr 4 20:01:04 server postfix/smtpd[3943]: connect from 89-145-218-142.xdsl.murphx.net[89.145.218.142]
    Apr 4 20:01:04 server postfix/smtpd[3951]: lost connection after UNKNOWN from 80-121-40-196.adsl.highway.telekom.at[80.121.40.196]
    Apr 4 20:01:04 server postfix/smtpd[3951]: disconnect from 80-121-40-196.adsl.highway.telekom.at[80.121.40.196]
    Apr 4 20:01:04 server postfix/smtpd[3917]: connect from host-72-175-241-205.static.bresnan.net[72.175.241.205]
    Apr 4 20:01:04 server postfix/smtpd[3948]: lost connection after UNKNOWN from unknown[187.189.15.65]
    Apr 4 20:01:04 server postfix/smtpd[3948]: disconnect from unknown[187.189.15.65]
    Apr 4 20:01:04 server postfix/smtpd[3938]: lost connection after UNKNOWN from host91-134-79-dynamic.0-r.retail.telecomitalia.it[79.0.134.91]
    Apr 4 20:01:04 server postfix/smtpd[3938]: disconnect from host91-134-79-dynamic.0-r.retail.telecomitalia.it[79.0.134.91]
    Apr 4 20:01:04 server postfix/smtpd[3880]: lost connection after UNKNOWN from unknown[190.69.116.109]
    Apr 4 20:01:04 server postfix/smtpd[3880]: disconnect from unknown[190.69.116.109]
    Apr 4 20:01:04 server postfix/smtpd[3884]: lost connection after UNKNOWN from 156.152.6.109.rev.sfr.net[109.6.152.156]
    Apr 4 20:01:04 server postfix/smtpd[3884]: disconnect from 156.152.6.109.rev.sfr.net[109.6.152.156]
    Apr 4 20:01:05 server postfix/smtpd[3931]: lost connection after UNKNOWN from unknown[182.68.98.142]
    Apr 4 20:01:05 server postfix/smtpd[3931]: disconnect from unknown[182.68.98.142]
    Apr 4 20:01:05 server postfix/smtpd[3912]: lost connection after UNKNOWN from unknown[64.141.124.235]
    Apr 4 20:01:05 server postfix/smtpd[3912]: disconnect from unknown[64.141.124.235]
    Apr 4 20:01:05 server postfix/smtpd[3882]: connect from rrcs-71-42-13-12.se.biz.rr.com[71.42.13.12]
    Apr 4 20:01:05 server postfix/smtpd[3941]: lost connection after UNKNOWN from LMontsouris-656-01-190-120.w217-128.abo.wanadoo.fr[217.128.219.120]
    Apr 4 20:01:05 server postfix/smtpd[3941]: disconnect from LMontsouris-656-01-190-120.w217-128.abo.wanadoo.fr[217.128.219.120]
    Apr 4 20:01:05 server postfix/smtpd[3950]: disconnect from unknown[37.32.96.50]
    Apr 4 20:01:05 server postfix/smtpd[3883]: lost connection after UNKNOWN from LMontsouris-156-26-20-7.w80-14.abo.wanadoo.fr[80.14.179.7]
    Apr 4 20:01:05 server postfix/smtpd[3883]: disconnect from LMontsouris-156-26-20-7.w80-14.abo.wanadoo.fr[80.14.179.7]
    Apr 4 20:01:05 server postfix/smtpd[3936]: warning: hostname host-70-45-187-218.onelinkpr.net does not resolve to address 70.45.187.218: Name or service not known
    Apr 4 20:01:05 server postfix/smtpd[3936]: connect from unknown[70.45.187.218]
    Apr 4 20:01:06 server postfix/smtpd[3911]: lost connection after UNKNOWN from host210-144-79-dynamic.18-r.retail.telecomitalia.it[79.18.144.210]
    Apr 4 20:01:06 server postfix/smtpd[3911]: disconnect from host210-144-79-dynamic.18-r.retail.telecomitalia.it[79.18.144.210]
    Apr 4 20:01:06 server postfix/smtpd[3926]: lost connection after UNKNOWN from unknown[46.2.49.32]
    Apr 4 20:01:06 server postfix/smtpd[3926]: disconnect from unknown[46.2.49.32]
    Apr 4 20:01:06 server postfix/smtpd[3885]: connect from unknown[181.67.124.18]
    Apr 4 20:01:06 server postfix/smtpd[3914]: connect from host87-87-79-dynamic.53-r.retail.telecomitalia.it[79.53.87.87]

  • In the end, fail2ban doesn't help for such a distributed brute force attack. But in the end this is by far not a massive attack - just 2-3 requests per second. Your server should withstand that without problems.
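To put numbers on the point made in that reply, here is an added example (not code from any poster in this thread) that parses Postfix smtpd log lines in the format quoted above and compares the overall connection rate with the per-source counts a fail2ban-style per-IP rule would see. The log excerpt is constructed with RFC 5737 test addresses, and the threshold and the choice of "lost connection"/"too many errors" lines as failures are assumptions, not fail2ban's actual filter.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the Postfix smtpd log format shown in the thread (RFC 5737 test addresses).
SAMPLE_LOG = """\
Apr 4 23:25:32 server postfix/smtpd[10764]: lost connection after UNKNOWN from unknown[198.51.100.10]
Apr 4 23:25:32 server postfix/smtpd[10764]: disconnect from unknown[198.51.100.10]
Apr 4 23:25:32 server postfix/smtpd[10515]: connect from unknown[198.51.100.11]
Apr 4 23:25:33 server postfix/smtpd[10765]: connect from unknown[203.0.113.5]
Apr 4 23:25:33 server postfix/smtpd[10488]: warning: hostname localhost does not resolve to address 203.0.113.6
Apr 4 23:25:33 server postfix/smtpd[10488]: connect from unknown[203.0.113.6]
Apr 4 23:25:34 server postfix/smtpd[10633]: connect from host.example.net[192.0.2.77]
Apr 4 23:25:34 server postfix/smtpd[10633]: lost connection after UNKNOWN from host.example.net[192.0.2.77]
Apr 4 23:25:35 server postfix/smtpd[10473]: connect from unknown[198.51.100.11]
Apr 4 23:25:35 server postfix/smtpd[10473]: too many errors after UNKNOWN from unknown[198.51.100.11]
Apr 4 23:25:35 server postfix/smtpd[10473]: disconnect from unknown[198.51.100.11]
"""

# One smtpd connection-lifecycle line; "warning:" lines and other daemons do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<event>connect from|lost connection after \w+ from|"
    r"too many errors after \w+ from|disconnect from) \S*?\[(?P<ip>[\d.]+)\]$"
)
FAILURE_EVENTS = ("lost connection", "too many errors")  # counted as failed attempts (assumption)

def parse(text, year=2000):
    """Return [(datetime, event, ip)] for every matching line; syslog has no year, so one is supplied."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["event"], m["ip"]))
    return out

def summarize(text, maxretry=3):
    """Overall rate versus per-IP counts: shows whether a per-source ban (fail2ban style) can bite."""
    events = parse(text)
    if not events:
        return {}
    connects = [ip for _, ev, ip in events if ev == "connect from"]
    failures = Counter(ip for _, ev, ip in events if ev.startswith(FAILURE_EVENTS))
    span = (events[-1][0] - events[0][0]).total_seconds() + 1  # inclusive seconds covered
    top_ip, top_n = Counter(connects).most_common(1)[0]
    return {
        "connects": len(connects),
        "distinct_ips": len(set(connects)),
        "rate_per_s": round(len(connects) / span, 2),
        "top_ip": (top_ip, top_n),
        # sources a per-IP rule with this maxretry would ban: none when each host fails only once
        "bannable_ips": sorted(ip for ip, n in failures.items() if n >= maxretry),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against a real mail.log, a low overall rate with many distinct sources and an empty bannable list is exactly the situation the reply describes: each source connects once or twice, so a per-IP ban never triggers while the regex scanning still costs CPU.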

  • My server suffers; it will not break down, but if I have fail2ban active it uses a load of 10-15% CPU.


    Right now it is not alarming, but I wonder if there is any way you could stop an attack like this; for now the attack on postfix is small, but I could run into a bigger one and not have a means to end it.


    Apr 4 23:25:32 server postfix/smtpd[10764]: lost connection after UNKNOWN from bzq-84-109-240-128.red.bezeqint.net[84.109.240.128]
    Apr 4 23:25:32 server postfix/smtpd[10764]: disconnect from bzq-84-109-240-128.red.bezeqint.net[84.109.240.128]
    Apr 4 23:25:32 server postfix/smtpd[10515]: connect from unknown[190.66.172.195]
    Apr 4 23:25:32 server postfix/smtpd[10765]: connect from unknown[81.80.9.150]
    Apr 4 23:25:32 server postfix/smtpd[10488]: lost connection after UNKNOWN from unknown[78.187.206.49]
    Apr 4 23:25:32 server postfix/smtpd[10488]: disconnect from unknown[78.187.206.49]
    Apr 4 23:25:33 server postfix/smtpd[10633]: lost connection after UNKNOWN from xanthi.lnk.telstra.net[120.150.112.149]
    Apr 4 23:25:33 server postfix/smtpd[10633]: disconnect from xanthi.lnk.telstra.net[120.150.112.149]
    Apr 4 23:25:33 server postfix/smtpd[10473]: lost connection after UNKNOWN from unknown[113.186.29.244]
    Apr 4 23:25:33 server postfix/smtpd[10473]: disconnect from unknown[113.186.29.244]
    Apr 4 23:25:34 server postfix/smtpd[10489]: connect from 058177202202.ctinets.com[58.177.202.202]
    Apr 4 23:25:35 server postfix/smtpd[10764]: connect from unknown[41.103.160.22]
    Apr 4 23:25:35 server postfix/smtpd[10513]: lost connection after UNKNOWN from unknown[78.186.179.216]
    Apr 4 23:25:35 server postfix/smtpd[10513]: disconnect from unknown[78.186.179.216]
    Apr 4 23:25:35 server postfix/smtpd[10488]: connect from unknown[89.1.3.117]
    Apr 4 23:25:35 server postfix/smtpd[10492]: lost connection after UNKNOWN from unknown[190.42.221.203]
    Apr 4 23:25:35 server postfix/smtpd[10492]: disconnect from unknown[190.42.221.203]
    Apr 4 23:25:35 server postfix/smtpd[10516]: lost connection after UNKNOWN from 206.Red-2-138-111.dynamicIP.rima-tde.net[2.138.111.206]
    Apr 4 23:25:35 server postfix/smtpd[10516]: disconnect from 206.Red-2-138-111.dynamicIP.rima-tde.net[2.138.111.206]
    Apr 4 23:25:35 server postfix/smtpd[10632]: lost connection after UNKNOWN from unknown[49.158.170.145]
    Apr 4 23:25:35 server postfix/smtpd[10632]: disconnect from unknown[49.158.170.145]
    Apr 4 23:25:35 server postfix/smtpd[10633]: connect from unknown[186.119.65.246]
    Apr 4 23:25:35 server postfix/smtpd[10514]: lost connection after UNKNOWN from lk.92.63.20.177.dc.cable.static.lj-kabel.net[92.63.20.177]
    Apr 4 23:25:35 server postfix/smtpd[10514]: disconnect from lk.92.63.20.177.dc.cable.static.lj-kabel.net[92.63.20.177]
    Apr 4 23:25:35 server postfix/smtpd[10473]: warning: hostname customer-TOR-27-5.megared.net.mx does not resolve to address 177.225.27.5: Name or service not known
    Apr 4 23:25:35 server postfix/smtpd[10473]: connect from unknown[177.225.27.5]
    Apr 4 23:25:36 server postfix/smtpd[10611]: lost connection after UNKNOWN from c-24-23-141-86.hsd1.ca.comcast.net[24.23.141.86]
    Apr 4 23:25:36 server postfix/smtpd[10611]: disconnect from c-24-23-141-86.hsd1.ca.comcast.net[24.23.141.86]
    Apr 4 23:25:36 server postfix/smtpd[11635]: lost connection after UNKNOWN from unknown[64.89.201.194]
    Apr 4 23:25:36 server postfix/smtpd[11635]: disconnect from unknown[64.89.201.194]
    Apr 4 23:25:37 server postfix/smtpd[10513]: connect from 77.109.83.48.wls.msr03cen.adsl.static.edpnet.net[77.109.83.48]
    Apr 4 23:25:37 server postfix/smtpd[10462]: lost connection after UNKNOWN from unknown[190.232.251.161]
    Apr 4 23:25:37 server postfix/smtpd[10462]: disconnect from unknown[190.232.251.161]
    Apr 4 23:25:37 server postfix/smtpd[10765]: lost connection after UNKNOWN from unknown[81.80.9.150]
    Apr 4 23:25:37 server postfix/smtpd[10765]: disconnect from unknown[81.80.9.150]
    Apr 4 23:25:38 server postfix/smtpd[10492]: connect from unknown[87.115.139.239]
    Apr 4 23:25:39 server postfix/smtpd[10516]: warning: hostname localhost does not resolve to address 123.16.166.170
    Apr 4 23:25:39 server postfix/smtpd[10516]: connect from unknown[123.16.166.170]
    Apr 4 23:25:39 server postfix/smtpd[10632]: connect from 178.128.136.73.dsl.dyn.forthnet.gr[178.128.136.73]
    Apr 4 23:25:39 server postfix/smtpd[11636]: lost connection after UNKNOWN from unknown[190.66.117.83]
    Apr 4 23:25:39 server postfix/smtpd[11636]: disconnect from unknown[190.66.117.83]
    Apr 4 23:25:39 server postfix/smtpd[10765]: connect from unknown[181.66.156.95]
    Apr 4 23:25:40 server postfix/smtpd[10462]: warning: hostname 78.181.43.246.dynamic.ttnet.com.tr does not resolve to address 78.181.43.246: Name or service not known
    Apr 4 23:25:40 server postfix/smtpd[10462]: connect from unknown[78.181.43.246]
    Apr 4 23:25:40 server postfix/smtpd[10611]: connect from rrcs-24-136-106-242.nyc.biz.rr.com[24.136.106.242]
    Apr 4 23:25:41 server postfix/smtpd[10488]: lost connection after UNKNOWN from unknown[89.1.3.117]
    Apr 4 23:25:41 server postfix/smtpd[10488]: disconnect from unknown[89.1.3.117]
    Apr 4 23:25:41 server postfix/smtpd[10633]: lost connection after CONNECT from unknown[186.119.65.246]
    Apr 4 23:25:41 server postfix/smtpd[10633]: disconnect from unknown[186.119.65.246]
    Apr 4 23:25:41 server postfix/smtpd[10489]: lost connection after UNKNOWN from 058177202202.ctinets.com[58.177.202.202]
    Apr 4 23:25:41 server postfix/smtpd[10489]: disconnect from 058177202202.ctinets.com[58.177.202.202]
    Apr 4 23:25:41 server postfix/smtpd[10473]: lost connection after UNKNOWN from unknown[177.225.27.5]
    Apr 4 23:25:41 server postfix/smtpd[10473]: disconnect from unknown[177.225.27.5]
    Apr 4 23:25:42 server postfix/smtpd[10514]: connect from unknown[27.54.43.210]
    Apr 4 23:25:42 server postfix/smtpd[11636]: warning: hostname localhost does not resolve to address 123.26.232.187
    Apr 4 23:25:42 server postfix/smtpd[11636]: connect from unknown[123.26.232.187]
    Apr 4 23:25:42 server postfix/smtpd[10489]: connect from adsl-ull-87-251.50-151.net24.it[151.50.251.87]
    Apr 4 23:25:42 server postfix/smtpd[11635]: connect from unknown[42.119.114.217]
    Apr 4 23:25:42 server postfix/smtpd[10513]: lost connection after UNKNOWN from 77.109.83.48.wls.msr03cen.adsl.static.edpnet.net[77.109.83.48]
    Apr 4 23:25:42 server postfix/smtpd[10513]: disconnect from 77.109.83.48.wls.msr03cen.adsl.static.edpnet.net[77.109.83.48]
    Apr 4 23:25:42 server postfix/smtpd[10473]: connect from ppp103-109.static.internode.on.net[150.101.103.109]
    Apr 4 23:25:43 server postfix/smtpd[10515]: too many errors after UNKNOWN from unknown[190.66.172.195]
    Apr 4 23:25:43 server postfix/smtpd[10515]: disconnect from unknown[190.66.172.195]
    Apr 4 23:25:43 server postfix/smtpd[10492]: lost connection after UNKNOWN from unknown[87.115.139.239]
    Apr 4 23:25:43 server postfix/smtpd[10492]: disconnect from unknown[87.115.139.239]
    Apr 4 23:25:44 server postfix/smtpd[10633]: warning: hostname 23-31-6-41-static.hfc.comcastbusiness.net does not resolve to address 23.31.6.41: Name or service not known
    Apr 4 23:25:44 server postfix/smtpd[10633]: connect from unknown[23.31.6.41]
    Apr 4 23:25:44 server postfix/smtpd[10632]: lost connection after UNKNOWN from 178.128.136.73.dsl.dyn.forthnet.gr[178.128.136.73]
    Apr 4 23:25:44 server postfix/smtpd[10632]: disconnect from 178.128.136.73.dsl.dyn.forthnet.gr[178.128.136.73]
    Apr 4 23:25:45 server postfix/smtpd[10516]: lost connection after UNKNOWN from unknown[123.16.166.170]
    Apr 4 23:25:45 server postfix/smtpd[10516]: disconnect from unknown[123.16.166.170]
    Apr 4 23:25:45 server postfix/smtpd[10488]: connect from LNantes-156-74-28-111.w82-127.abo.wanadoo.fr[82.127.191.111]
    Apr 4 23:25:45 server postfix/smtpd[10462]: lost connection after UNKNOWN from unknown[78.181.43.246]
    Apr 4 23:25:45 server postfix/smtpd[10462]: disconnect from unknown[78.181.43.246]
    Apr 4 23:25:46 server postfix/smtpd[10765]: lost connection after UNKNOWN from unknown[181.66.156.95]
    Apr 4 23:25:46 server postfix/smtpd[10765]: disconnect from unknown[181.66.156.95]
    Apr 4 23:25:46 server postfix/smtpd[10513]: connect from unknown[151.75.43.149]
    Apr 4 23:25:46 server postfix/smtpd[10611]: lost connection after UNKNOWN from rrcs-24-136-106-242.nyc.biz.rr.com[24.136.106.242]
    Apr 4 23:25:46 server postfix/smtpd[10611]: disconnect from rrcs-24-136-106-242.nyc.biz.rr.com[24.136.106.242]

  • To locate the aggressor PC I changed the postfix port from 25 to 583, a new port; the attack has ceased because there is no communication, and the few users who use the email functions called about not being able to send.


    I can give out the new port and see who the aggressor Trojan is.


    Not the best solution, but it will be effective.