Forum

This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.
Sentora Support Forums Sentora Forum Archives Sentora Public Support Forums v1.0.x Email Support v1.0.x v need help ASAP

need help ASAP
rpuig Offline
Priority One Support
****
OS: Ubuntu 12.04
Version: 1.0.0
Server: Dedicated
Posts: 22
Threads: 6
Joined: Mar 2015
Reputation: 0
Thanks: 0
Given 0 thank(s) in 0 post(s)
#1
need help ASAP
 10-16-2018, 11:39 PM
hi guys !
i think my server is sending spam, a couple of day ago was receiving lots of bounced emails, so i checked the queue an it was very big. Cleared the queue and its now empty almost all the time.
Now i´m checking the mail logs and still are lots of rare lines like this :

Oct 16 08:52:58 panel postfix/smtpd[2588]: connect from unknown[191.96.249.24]
Oct 16 08:53:00 panel postfix/smtpd[2038]: warning: unknown[23.226.136.33]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:02 panel postfix/smtpd[2588]: warning: unknown[191.96.249.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:03 panel postfix/smtpd[2588]: disconnect from unknown[191.96.249.24]
Oct 16 08:53:06 panel postfix/smtpd[2038]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:06 panel postfix/smtpd[2038]: disconnect from unknown[23.226.136.33]
Oct 16 08:53:09 panel postfix/smtpd[2627]: connect from unknown[23.226.136.33]
Oct 16 08:53:10 panel postfix/smtpd[2627]: Anonymous TLS connection established from unknown[23.226.136.33]: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 16 08:53:12 panel postfix/smtpd[2590]: connect from unknown[191.96.249.61]
Oct 16 08:53:14 panel postfix/smtpd[2627]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:14 panel postfix/smtpd[2627]: disconnect from unknown[23.226.136.33]
Oct 16 08:53:18 panel postfix/smtpd[2588]: warning: hostname radheengineering.info does not resolve to address 191.96.249.26
Oct 16 08:53:18 panel postfix/smtpd[2588]: connect from unknown[191.96.249.26]
Oct 16 08:53:19 panel postfix/smtpd[2590]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:20 panel postfix/smtpd[2590]: disconnect from unknown[191.96.249.61]
Oct 16 08:53:22 panel postfix/smtpd[2588]: warning: unknown[191.96.249.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:22 panel postfix/smtpd[2588]: disconnect from unknown[191.96.249.26]
Oct 16 08:53:22 panel postfix/smtpd[2038]: connect from unknown[23.226.136.33]
Oct 16 08:53:24 panel postfix/smtpd[2038]: Anonymous TLS connection established from unknown[23.226.136.33]: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 16 08:53:27 panel postfix/smtpd[2038]: warning: unknown[23.226.136.33]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:27 panel postfix/smtpd[2038]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:27 panel postfix/smtpd[2038]: disconnect from unknown[23.226.136.33]
Oct 16 08:53:29 panel postfix/smtpd[2511]: connect from unknown[191.96.249.24]
Oct 16 08:53:33 panel postfix/smtpd[2511]: warning: unknown[191.96.249.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:34 panel postfix/smtpd[2511]: disconnect from unknown[191.96.249.24]
Oct 16 08:53:43 panel postfix/smtpd[2590]: connect from unknown[191.96.249.61]
Oct 16 08:53:49 panel postfix/smtpd[2590]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:49 panel postfix/smtpd[2590]: disconnect from unknown[191.96.249.61]
Oct 16 08:53:50 panel postfix/smtpd[2588]: warning: hostname radheengineering.info does not resolve to address 191.96.249.26


i have no idea how to proceed to solve this. I´m looking for someone in the staff who can do the job, not for free obviously.
Find
Reply
Thanks given by:
fearworks Offline
Support Staff
*****
OS: CentOS 7.5
Version: 1.0.3
Server: VPS/Dedicated
Posts: 208
Threads: 4
Joined: Jun 2018
Reputation: 8
Sex: Male
Thanks: 0
Given 37 thank(s) in 33 post(s)
#2
RE: need help ASAP
 10-17-2018, 06:02 AM
(10-16-2018, 11:39 PM)rpuig Wrote: hi guys !
i think my server is sending spam, a couple of day ago was receiving lots of bounced emails, so i checked the queue an it was very big. Cleared the queue and its now empty almost all the time.
Now i´m checking the mail logs and still are lots of rare lines like this :

Oct 16 08:52:58 panel postfix/smtpd[2588]: connect from unknown[191.96.249.24]
Oct 16 08:53:00 panel postfix/smtpd[2038]: warning: unknown[23.226.136.33]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:02 panel postfix/smtpd[2588]: warning: unknown[191.96.249.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:03 panel postfix/smtpd[2588]: disconnect from unknown[191.96.249.24]
Oct 16 08:53:06 panel postfix/smtpd[2038]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:06 panel postfix/smtpd[2038]: disconnect from unknown[23.226.136.33]
Oct 16 08:53:09 panel postfix/smtpd[2627]: connect from unknown[23.226.136.33]
Oct 16 08:53:10 panel postfix/smtpd[2627]: Anonymous TLS connection established from unknown[23.226.136.33]: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 16 08:53:12 panel postfix/smtpd[2590]: connect from unknown[191.96.249.61]
Oct 16 08:53:14 panel postfix/smtpd[2627]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:14 panel postfix/smtpd[2627]: disconnect from unknown[23.226.136.33]
Oct 16 08:53:18 panel postfix/smtpd[2588]: warning: hostname radheengineering.info does not resolve to address 191.96.249.26
Oct 16 08:53:18 panel postfix/smtpd[2588]: connect from unknown[191.96.249.26]
Oct 16 08:53:19 panel postfix/smtpd[2590]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:20 panel postfix/smtpd[2590]: disconnect from unknown[191.96.249.61]
Oct 16 08:53:22 panel postfix/smtpd[2588]: warning: unknown[191.96.249.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:22 panel postfix/smtpd[2588]: disconnect from unknown[191.96.249.26]
Oct 16 08:53:22 panel postfix/smtpd[2038]: connect from unknown[23.226.136.33]
Oct 16 08:53:24 panel postfix/smtpd[2038]: Anonymous TLS connection established from unknown[23.226.136.33]: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 16 08:53:27 panel postfix/smtpd[2038]: warning: unknown[23.226.136.33]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:27 panel postfix/smtpd[2038]: lost connection after AUTH from unknown[23.226.136.33]
Oct 16 08:53:27 panel postfix/smtpd[2038]: disconnect from unknown[23.226.136.33]
Oct 16 08:53:29 panel postfix/smtpd[2511]: connect from unknown[191.96.249.24]
Oct 16 08:53:33 panel postfix/smtpd[2511]: warning: unknown[191.96.249.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:34 panel postfix/smtpd[2511]: disconnect from unknown[191.96.249.24]
Oct 16 08:53:43 panel postfix/smtpd[2590]: connect from unknown[191.96.249.61]
Oct 16 08:53:49 panel postfix/smtpd[2590]: warning: unknown[191.96.249.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 16 08:53:49 panel postfix/smtpd[2590]: disconnect from unknown[191.96.249.61]
Oct 16 08:53:50 panel postfix/smtpd[2588]: warning: hostname radheengineering.info does not resolve to address 191.96.249.26


i have no idea how to proceed to solve this. I´m looking for someone in the staff who can do the job, not for free obviously.

There definitely appears to be log in attempts, but this very small snapshot of the log doesn't really show everything that you have described, so it's difficult to diagnose.

Perhaps you could install Fail2Ban and enable the Postfix protection, and see if that helps stop the log in attempts.

Keith
Find
Reply
Thanks given by:
rpuig Offline
Priority One Support
****
OS: Ubuntu 12.04
Version: 1.0.0
Server: Dedicated
Posts: 22
Threads: 6
Joined: Mar 2015
Reputation: 0
Thanks: 0
Given 0 thank(s) in 0 post(s)
#3
RE: need help ASAP
 10-17-2018, 06:10 AM
thanks for the reply!
i will look Fail2ban, to see if i can install it.
Find
Reply
Thanks given by:
TGates Offline
Sentora Council - Head of Support Team
*******
OS: Ubuntu 20.04 LTS
Version: 2.0.2
Server: i7-6700K @ 4GHz, 8 cores 32GB Ram
Posts: 3 ,662
Threads: 241
Joined: May 2014
Reputation: 85
Sex: Male
Thanks: 408
Given 599 thank(s) in 464 post(s)
#4
RE: need help ASAP
 10-19-2018, 07:09 AM
(10-17-2018, 06:10 AM)rpuig Wrote: thanks for the reply!
i will look Fail2ban, to see if i can install it.

Fail2Ban should already be on your server Rodrigo. I also get the same logs. It is spam servers trying to find holes in your server to send spam. If you notice they are warnings. They should also be being blocked from multiple attacks from one of the routines I installed on your server. You should be OK.
I'll take a look tonight.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE
Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
Find
Reply
Thanks given by:


Forum Jump:


Users browsing this thread: 1 Guest(s)