LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-04-2017, 11:41 AM   #1
harish-mn
Member
 
Registered: Sep 2016
Posts: 37

Rep: Reputation: Disabled
Unhappy botnet attack


Hello

I think someone using my mail server for spamin. My maillog shoowing like this

lost connection after AUTH from unknown
disconnect from unknown

I this is botnet attack..I configured the fail2ban but fail2ban unble to block all of this ip address

fail2ban status
systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-01-04 18:21:01 CET; 18min ago
Docs: man:fail2ban(1)
Process: 51974 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 51984 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 51987 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─51987 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Jan 04 18:21:01 dcvn001 systemd[1]: Starting Fail2Ban Service...
Jan 04 18:21:01 dcvn001 fail2ban-client[51984]: 2017-01-04 18:21:01,245 fail2ban.server [51985]: INFO Starting Fail2ban v0.9.5
Jan 04 18:21:01 dcvn001 fail2ban-client[51984]: 2017-01-04 18:21:01,245 fail2ban.server [51985]: INFO Starting in daemon mode
Jan 04 18:21:01 dcvn001 systemd[1]: Started Fail2Ban Service.

....
Please help me how to solve this issues
 
Old 01-04-2017, 01:59 PM   #2
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417

Rep: Reputation: 74
I think a huge bunch are actively trying to break into other people's mail servers (not just yours) to recruit them into their botnet.

The message:
Code:
lost connection after AUTH from unknown
disconnect from unknown
is pretty normal.

Because of limited information your provide, apart from the above nothing more can be inferred. Check more of the mail, fail2ban, access logs. Can you tell if you mail server is an open relay or not?
 
Old 01-04-2017, 01:59 PM   #3
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417

Rep: Reputation: 74
I think a huge bunch are actively trying to break into other people's mail servers (not just yours) to recruit them into their botnet.

The message:
Code:
lost connection after AUTH from unknown
disconnect from unknown
is pretty normal and expected from any public-facing services.

Because of limited information your provide, apart from the above nothing more can be inferred. Check more of the mail, fail2ban, access logs. Can you tell if you mail server is an open relay or not?
 
Old 01-04-2017, 03:36 PM   #4
harish-mn
Member
 
Registered: Sep 2016
Posts: 37

Original Poster
Rep: Reputation: Disabled
Hello

Thanks for reply

I test the open realy on MXtool box.
Here is the result
Connecting to xx.xx.xx.xx

220 xxxxxxxxx.com ESMTP Postfix [641 ms]
EHLO PWS3.mxtoolbox.com
250-xxxxxxxxx.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [641 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 2.1.0 Ok [641 ms]
RCPT TO:<test@example.com>
454 4.7.1 <test@example.com>: Relay access denied [641 ms]
 
Old 01-04-2017, 04:32 PM   #5
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,784

Rep: Reputation: 603Reputation: 603Reputation: 603Reputation: 603Reputation: 603Reputation: 603
Quote:
Originally Posted by harish-mn View Post
I think someone using my mail server for spamin.
What makes you think that?
 
Old 01-05-2017, 08:39 AM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Code:
grep "lost connection after AUTH" /var/log/* -R
here shows
20 hits in "current" log.
101 in zgrep output from Dec 1, 2016 to Jan 3, 2017
Quite "normal" IMO on my network.

I use fail2ban to keep that in check.
The [sasl] jail in /etc/fail2ban/jail.conf shows
Code:
[sasl]

enabled  = false
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log
I presume you know how to manage fail2ban to enable this jail.
Here's a test you can run, in advance to see if fail2ban is gonna catch hits using the enabled [sasl] jail.
Code:
fail2ban-regex  /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf
"disconnect from unknown" is when the rDNS isn't set on the remote host making the connection attempt,
or a temporary DNS failure to resolve the remote host.
Code:
host 43.227.99.202
Host 202.99.227.43.in-addr.arpa. not found: 3(NXDOMAIN)
is one from my recent logs.

My fail2ban sasl jail shows:
Code:
fail2ban-client status sasl
Status for the jail: sasl
|- filter
|  |- File list:	/var/log/zimbra.log 
|  |- Currently failed:	0
|  `- Total failed:	457
`- action
   |- Currently banned:	244
Good luck.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Detection and Prevention of Blackhole Attack, Wormhole Attack in MANET Using ACO in ns2 neda_71 Linux - Virtualization and Cloud 1 07-30-2016 06:15 AM
My family is under attack 24/7 any linux or windows is rootkitted, botnet, metasploit nice1m8 Linux - Newbie 26 11-23-2013 01:58 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 10:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration