On Wed, 16 Nov 2016 11:52:14 +0200 Patrick Chemla <patrick.che...@perfaction.net> wrote:
> On 16/11/2016 at 11:45, li...@lazygranch.com wrote:
> > Is this a hack or a server problem. IP was listed in abusedb about a
> > year ago.
> >
> > <pattern repeats>
> > Nov 16 09:14:36 theranch postfix/smtpd[6094]: connect from unknown[87.236.215.11]
> > Nov 16 09:14:36 theranch postfix/smtpd[6094]: lost connection after AUTH from unknown[87.236.215.11]
> > Nov 16 09:14:36 theranch postfix/smtpd[6094]: disconnect from unknown[87.236.215.11] ehlo=1 auth=0/1 commands=1/2
> > Nov 16 09:14:36 theranch postfix/smtpd[6094]: connect from unknown[87.236.215.11]
> > Nov 16 09:14:37 theranch postfix/smtpd[6094]: lost connection after AUTH from unknown[87.236.215.11]
> > Nov 16 09:14:37 theranch postfix/smtpd[6094]: disconnect from unknown[87.236.215.11] ehlo=1 auth=0/1 commands=1/2
> > Nov 16 09:14:37 theranch postfix/smtpd[6094]: connect from unknown[87.236.215.11]
> > Nov 16 09:14:38 theranch postfix/smtpd[6094]: lost connection after AUTH from unknown[87.236.215.11]
> > Nov 16 09:14:38 theranch postfix/smtpd[6094]: disconnect from unknown[87.236.215.11] ehlo=1 auth=0/1 commands=1/2
> > Nov 16 09:14:38 theranch postfix/smtpd[6094]: connect from unknown[87.236.215.11]
> > Nov 16 09:14:39 theranch postfix/smtpd[6094]: lost connection after AUTH from unknown[87.236.215.11]
> > Nov 16 09:14:39 theranch postfix/smtpd[6094]: disconnect from unknown[87.236.215.11] ehlo=1 auth=0/1 commands=1/2
> > Nov 16 09:14:39 theranch postfix/smtpd[6094]: connect from unknown[87.236.215.11]
> > Nov 16 09:14:39 theranch postfix/smtpd[6094]: lost connection after AUTH from unknown[87.236.215.11]
> > Nov 16 09:14:39 theranch postfix/smtpd[6094]: disconnect from unknown[87.236.215.11] ehlo=1 auth=0/1 commands=1/2
> > Nov 16 09:14:40 theranch postfix/smtpd[6094]: connect from unknown[87.236.215.11]
> > Nov 16 09:14:40 theranch postfix/smtpd[6094]: lost connection after AUTH from unknown[87.236.215.11]
> > Nov 16 09:14:40 theranch postfix/smtpd[6094]: disconnect from unknown[87.236.215.11] ehlo=1 auth=0/1 commands=1/2
> > Nov 16 09:18:00 theranch postfix/anvil[6096]: statistics: max connection rate 70/60s for (smtp:87.236.215.11) at Nov 16 09:14:40
> > Nov 16 09:18:00 theranch postfix/anvil[6096]: statistics: max connection count 1 for (smtp:87.236.215.11) at Nov 16 09:13:45
> > Nov 16 09:18:00 theranch postfix/anvil[6096]: statistics: max cache size 1 at Nov 16 09:13:45
>
> Hi,
>
> This is a trace of 6 connection tries from IP 87.236.215.11 with bad
> credentials (user/passwd).
>
> Someone is trying to enter your server emails. Call it a hack.
>
> Patrick
>
> www.top-secured.com

Actually way more than 6 attempts. I made a quick and dirty edit to the firewall and blocked the entire CIDR 87.236.215.0/24. I don't see any usernames/domains in the log file, thus my confusion about whether it is a hack or a whacked out server. Now this is something I could see setting up fail2ban to block.
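A fail2ban-style check for the pattern in that log, added here as an example and not code from the thread, from fail2ban or from Postfix: it parses smtpd "disconnect" summary lines, treats auth=N/M with N<M as a failed AUTH, and flags a client once it reaches maxretry failures inside findtime seconds. The sample log is constructed from the thread's lines; the year (2016), the 192.0.2.10 address and the mail.example.net hostname are assumptions.

```python
"""Fail2ban-style detector for repeated failed SMTP AUTH in Postfix smtpd logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# smtpd's per-connection disconnect summary: auth=OK/TRIED counts successful vs. attempted AUTHs
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: disconnect from "
    r"\S+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\].*\bauth=(?P<ok>\d+)/(?P<tried>\d+)"
)

def failed_auth(line, year=2016):
    """Return (timestamp, ip) if the line closes a session whose AUTH failed, else None.
    syslog timestamps carry no year, so one is supplied (2016 is assumed for the sample)."""
    m = DISCONNECT_RE.match(line)
    if not m or int(m["ok"]) >= int(m["tried"]):
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def flag_offenders(lines, maxretry=5, findtime=60, year=2016):
    """Map client IP -> time it first reached maxretry failed AUTHs within findtime seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        hit = failed_auth(line, year)
        if hit is None:
            continue
        ts, ip = hit
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample in the thread's format: six aborted AUTHs from 87.236.215.11 within three
# seconds (the 'lost connection' line is ignored) plus one successful login from a placeholder host.
SAMPLE_LOG = [
    "Nov 16 09:14:36 theranch postfix/smtpd[6094]: lost connection after AUTH from unknown[87.236.215.11]",
] + [
    f"Nov 16 09:14:{36 + i // 2} theranch postfix/smtpd[6094]: disconnect from "
    "unknown[87.236.215.11] ehlo=1 auth=0/1 commands=1/2" for i in range(6)
] + [
    "Nov 16 09:15:02 theranch postfix/smtpd[6101]: disconnect from mail.example.net[192.0.2.10] "
    "ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6/6",
]

if __name__ == "__main__":
    print(flag_offenders(SAMPLE_LOG))  # {'87.236.215.11': datetime(2016, 11, 16, 9, 14, 38)}
```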