
need help ASAP
#1
need help ASAP
Hi guys!
I think my server is sending spam. A couple of days ago I was receiving lots of bounced emails, so I checked the queue and it was very big. I cleared the queue and it is now empty almost all the time.
Now I'm checking the mail logs and there are still lots of strange lines like this:

Oct 16 08:52:58 panel postfix/smtpd[2588]: connect from unknown[191.96.249.24]
Oct 16 08:53:00 panel postfix/smtpd[2038]: warning: unknown[23.226.136.33]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:02 panel postfix/smtpd[2588]: warning: unknown[191.96.249.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:03 panel postfix/smtpd[2588]: disconnect from unknown[191.96.249.24]
Oct 16 08:53:06 panel postfix/smtpd[2038]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:06 panel postfix/smtpd[2038]: disconnect from unknown[23.226.136.33]
Oct 16 08:53:09 panel postfix/smtpd[2627]: connect from unknown[23.226.136.33]
Oct 16 08:53:10 panel postfix/smtpd[2627]: Anonymous TLS connection established from unknown[23.226.136.33]: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 16 08:53:12 panel postfix/smtpd[2590]: connect from unknown[191.96.249.61]
Oct 16 08:53:14 panel postfix/smtpd[2627]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:14 panel postfix/smtpd[2627]: disconnect from unknown[23.226.136.33]
Oct 16 08:53:18 panel postfix/smtpd[2588]: warning: hostname radheengineering.info does not resolve to address 191.96.249.26
Oct 16 08:53:18 panel postfix/smtpd[2588]: connect from unknown[191.96.249.26]
Oct 16 08:53:19 panel postfix/smtpd[2590]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:20 panel postfix/smtpd[2590]: disconnect from unknown[191.96.249.61]
Oct 16 08:53:22 panel postfix/smtpd[2588]: warning: unknown[191.96.249.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:22 panel postfix/smtpd[2588]: disconnect from unknown[191.96.249.26]
Oct 16 08:53:22 panel postfix/smtpd[2038]: connect from unknown[23.226.136.33]
Oct 16 08:53:24 panel postfix/smtpd[2038]: Anonymous TLS connection established from unknown[23.226.136.33]: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 16 08:53:27 panel postfix/smtpd[2038]: warning: unknown[23.226.136.33]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:27 panel postfix/smtpd[2038]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:27 panel postfix/smtpd[2038]: disconnect from unknown[23.226.136.33]
Oct 16 08:53:29 panel postfix/smtpd[2511]: connect from unknown[191.96.249.24]
Oct 16 08:53:33 panel postfix/smtpd[2511]: warning: unknown[191.96.249.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:34 panel postfix/smtpd[2511]: disconnect from unknown[191.96.249.24]
Oct 16 08:53:43 panel postfix/smtpd[2590]: connect from unknown[191.96.249.61]
Oct 16 08:53:49 panel postfix/smtpd[2590]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:49 panel postfix/smtpd[2590]: disconnect from unknown[191.96.249.61]
Oct 16 08:53:50 panel postfix/smtpd[2588]: warning: hostname radheengineering.info does not resolve to address 191.96.249.26


I have no idea how to proceed to solve this. I'm looking for someone on the staff who can do the job, not for free obviously.
#2
RE: need help ASAP
(10-16-2018, 11:39 PM)rpuig Wrote: Hi guys! [...]

There definitely appear to be login attempts, but this very small snapshot of the log doesn't really show everything you have described, so it's difficult to diagnose.

Perhaps you could install Fail2Ban and enable the Postfix protection, and see if that helps stop the login attempts.

Keith
#3
RE: need help ASAP
Thanks for the reply!
I will look at Fail2Ban, to see if I can install it.
#4
RE: need help ASAP
(10-17-2018, 06:10 AM)rpuig Wrote: Thanks for the reply!
I will look at Fail2Ban, to see if I can install it.

Fail2Ban should already be on your server, Rodrigo. I also get the same logs. It is spam servers trying to find holes in your server to send spam. If you notice, they are warnings. They should also be being blocked after multiple attacks by one of the routines I installed on your server. You should be OK.
I'll take a look tonight.
-TGates - Project Council
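Keith's suggestion in #2 (enable Fail2Ban's Postfix protection) and TGates' point in #4 (the warnings are spam servers probing, and repeat offenders get blocked) come down to the same check: count SASL failures per client over a time window and ban past a threshold. The script below is an added example, not code from Sentora or from Fail2Ban, and it runs that check over the log lines quoted in post #1. It also decodes the base64 tail of each failure line: UGFzc3dvcmQ6 is the string "Password:", the LOGIN mechanism's password prompt, not a leaked credential. Assumed rather than taken from the thread: the year 2018 for the syslog timestamps, the maxretry/findtime/bantime values in the jail.local fragment (the jail name postfix-sasl is the one shipped in Fail2Ban's jail.conf), and the per-/24 aggregation, which is not a stock Fail2Ban feature but shows why the 191.96.249.x clients in the excerpt each stay under a per-IP threshold while the subnet as a whole does not.

```python
"""Fail2Ban-style tally of Postfix SASL login failures.

Added example, not Sentora or Fail2Ban code. Parses smtpd "SASL ... authentication
failed" lines, decodes the base64 tail, and applies a maxretry/findtime sliding
window per client IP and (assumption, not a stock Fail2Ban feature) per /24.
"""
import base64
import binascii
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the authentication-related lines from the excerpt in post #1.
# Syslog timestamps carry no year; 2018 is assumed from the post date.
SAMPLE_LOG = """\
Oct 16 08:52:58 panel postfix/smtpd[2588]: connect from unknown[191.96.249.24]
Oct 16 08:53:00 panel postfix/smtpd[2038]: warning: unknown[23.226.136.33]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:02 panel postfix/smtpd[2588]: warning: unknown[191.96.249.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:06 panel postfix/smtpd[2038]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:18 panel postfix/smtpd[2588]: warning: hostname radheengineering.info does not resolve to address 191.96.249.26
Oct 16 08:53:19 panel postfix/smtpd[2590]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:22 panel postfix/smtpd[2588]: warning: unknown[191.96.249.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:27 panel postfix/smtpd[2038]: warning: unknown[23.226.136.33]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:33 panel postfix/smtpd[2511]: warning: unknown[191.96.249.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:49 panel postfix/smtpd[2590]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Postfix smtpd SASL failure line; the optional trailing token is base64.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [^\s\[]+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>[\w-]+) authentication failed(?:: (?P<tail>\S+))?\s*$"
)

# jail.local fragment enabling Fail2Ban's stock Postfix SASL jail. The jail
# name is the one shipped in jail.conf; the thresholds are hypothetical values.
JAIL_LOCAL = """\
[postfix-sasl]
enabled  = true
maxretry = 5
findtime = 600
bantime  = 3600
"""


def decode_tail(token):
    """Decode the base64 token Postfix appends to a SASL failure, if it is one."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii", "replace")
    except (binascii.Error, ValueError):
        return token  # not base64: keep the raw text


def parse_failures(text, year=2018):
    """Return [(timestamp, client_ip, mechanism, decoded_tail), ...]."""
    events = []
    for line in text.splitlines():
        m = SASL_FAIL.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Oct  6" style padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        tail = decode_tail(m["tail"]) if m["tail"] else ""
        events.append((ts, m["ip"], m["mech"], tail))
    return events


def subnet24(ip):
    """Aggregation key: the /24 containing ip (IPv4 assumed)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def offenders(events, maxretry=5, findtime=600, key=lambda ip: ip):
    """Fail2Ban-style window: keys with >= maxretry failures within findtime
    seconds. Returns {key: failure count at the moment the threshold was hit}."""
    windows = defaultdict(list)
    hits = {}
    for ts, ip, _mech, _tail in sorted(events, key=lambda e: e[0]):
        k = key(ip)
        w = windows[k]
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:  # expire old entries
            w.pop(0)
        if len(w) >= maxretry and k not in hits:
            hits[k] = len(w)
    return hits


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print(f"{len(ev)} SASL failures; tail decodes to {ev[0][3]!r}")
    print("per IP  :", offenders(ev))                 # {} with maxretry=5
    print("per /24 :", offenders(ev, key=subnet24))   # {'191.96.249.0/24': 5}
```

Run as a script it prints the decoded tail and both tallies: with the stock maxretry of 5 no single IP in the excerpt would be banned, but the 191.96.249.0/24 block reaches 5 failures in under a minute. On a live server, feed it the Postfix log instead of SAMPLE_LOG, or simply put the JAIL_LOCAL fragment in /etc/fail2ban/jail.local, reload, and check with fail2ban-client status postfix-sasl that the jail is counting the same lines.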