  1. #1
     Just Joined!  Join Date: Mar 2013  Posts: 1

    suspicious login attempts in postfix log


    Hey all, hope someone can help.

    I am not really sure that I can do anything about it, but it looks like a robot is trying to gain access to my mail server. I have a lot of these in my log (not many, but still enough that I am worried). I changed the "At sign":

    Mar 14 01:29:23 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rochelle - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
    Mar 14 01:29:24 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
    Mar 14 01:29:29 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rod - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
    Mar 14 01:29:30 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
    Mar 14 01:29:36 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodent - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
    Mar 14 01:29:37 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
    Mar 14 01:29:43 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodger - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
    Mar 14 01:29:44 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
    Mar 14 01:29:51 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodolphe - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]

    Should I do anything? Maybe change the IMAP port? I'm using the standard 143.
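Before deciding whether to block anything, it helps to count how many failed logins each source address has produced. The script below is an added example, not part of the original thread: it tallies courier pop3d/imapd "LOGIN FAILED" events per source IP and reports the addresses above a threshold. The sample log is constructed to mirror the format of the lines in the post (with a literal "@" where the poster wrote "At sign"); the log path and the threshold of 5 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): tally courier pop3d/imapd
# "LOGIN FAILED" events per source IP from a mail log and flag sources that
# exceed a threshold. The sample log below is constructed to mirror the format
# in the post; the log path and threshold are assumptions.

# failed_logins_per_ip LOGFILE
# Prints "COUNT IP" per source, most frequent first. The IPv4-mapped ::ffff:
# prefix that courier logs is stripped so the address can be fed to iptables.
failed_logins_per_ip() {
    grep 'LOGIN FAILED' "$1" \
        | sed -n 's/.*ip=\[\(::ffff:\)*\([^]]*\)\].*/\2/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# brute_force_sources LOGFILE THRESHOLD
# Prints only the IPs with at least THRESHOLD failed logins.
brute_force_sources() {
    failed_logins_per_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed sample: five failures from one source (the pattern in the post),
# one stray failure from another address, and one successful login.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 14 01:29:23 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rochelle - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:24 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
Mar 14 01:29:29 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rod - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:30 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
Mar 14 01:29:36 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodent - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:43 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodger - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:51 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodolphe - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:31:02 server1 imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.7]
Mar 14 01:32:10 server1 imapd: LOGIN, user=bob, ip=[::ffff:192.0.2.10]
EOF

echo "failed logins per source:"
failed_logins_per_ip "$SAMPLE_LOG"
echo "sources with 5 or more failures:"
brute_force_sources "$SAMPLE_LOG" 5
```

Point `failed_logins_per_ip` at the real mail log (for example `/var/log/mail.log`) to see the same tally for your own server; a single source cycling through a dictionary of usernames in order, as in the post, is the signature of an automated credential guesser rather than a mistyped password.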

  2. #2
     Just Joined!  Join Date: Sep 2007  Location: Silver Spring, MD  Posts: 95

    Disconnect the user

    Mar 14 01:29:51 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodolphe - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]

    I would suggest doing one of two things.

    Do an nslookup on the IP address and find out where it is coming from:

    IP Address: 124.93.236.162

    IP: 124.93.236.162
    Decimal: 2086530210
    Hostname: 124.93.236.162
    ISP: China Unicom Liaoning province network
    Organization: China Unicom Liaoning province network

    The next thing I would do would be to do the following:

    Code:
    iptables -L -n --line-numbers | more
    You should see whether your firewall is up and running. Next, if it is and you have a chain called INPUT, run this command; if you don't have an INPUT chain, look for the input chain or something similar, something like rhel-version-input-chain. Once you do that, just change the INPUT chain I have entered to the one you found:

    Code:
    # -m multiport needs a real protocol (tcp/udp), not -p all; 143 is the IMAP port used in the question
    iptables -I INPUT 1 -p tcp -s 124.93.236.162 -m multiport --dports 143 -j DROP
    or if you like you can just block everything from that ip address

    Code:
    iptables -I INPUT 1 -p all -s 124.93.236.162 -j DROP
    I hope this helps.

    Be sure to pay attention to the chain rules.

    Todd
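The reply above gives the raw iptables commands. The script below is an added example, not code from the thread: it wraps the same idea (drop one source on the mail ports, at the top of the input chain) with the checks a practitioner would want first: the `::ffff:` prefix courier logs is stripped, the address is validated before it reaches iptables, and the rule is only inserted if `iptables -C` says it is not already there. The chain name, the port list and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): block one abusive source on
# the POP3/IMAP ports with iptables, without inserting the same rule twice,
# and verify the result. Run as root. It assumes the filter table's INPUT
# chain; set CHAIN to your distribution's own input chain if it differs.

CHAIN=${CHAIN:-INPUT}
MAIL_PORTS=110,143,993,995   # pop3, imap, imaps, pop3s (assumed port set)

# strip_v4mapped ADDR: courier logs IPv4 clients as ::ffff:A.B.C.D; iptables
# wants the plain dotted quad.
strip_v4mapped() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# is_ipv4 ADDR: returns 0 if ADDR is a dotted quad with every octet in 0..255.
# A sanity check before anything copied out of a log line reaches iptables.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rule_spec IP: the match/target part of the rule this script manages, kept in
# one place so the -C (check) and -I (insert) calls cannot drift apart.
# -m multiport requires a real protocol, hence -p tcp rather than -p all.
rule_spec() {
    echo "-p tcp -s $1 -m multiport --dports $MAIL_PORTS -j DROP"
}

# block_ip ADDR: insert the DROP rule at the top of CHAIN unless it exists.
block_ip() {
    ip=$(strip_v4mapped "$1")
    if ! is_ipv4 "$ip"; then
        echo "refusing to block '$1': not an IPv4 address" >&2
        return 1
    fi
    spec=$(rule_spec "$ip")
    # word-splitting $spec into separate arguments is intended here
    if iptables -C "$CHAIN" $spec 2>/dev/null; then
        echo "rule for $ip already present in $CHAIN"
    else
        iptables -I "$CHAIN" 1 $spec
        echo "inserted DROP for $ip at top of $CHAIN"
    fi
}

# Usage (assumed script name): ./block-mail-bruteforce.sh ::ffff:124.93.236.162
if [ "$#" -gt 0 ]; then
    block_ip "$1" || exit 1
    iptables -L "$CHAIN" -n --line-numbers | head -n 5
fi
```

Rules inserted this way live only in the running kernel; they are gone after a reboot unless you persist them with `iptables-save` (or your distribution's equivalent). Blocking one address by hand is a stopgap: the next attempt will come from a different source, which is why the automated approach in the following reply scales better.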

  3. #3
     Linux Newbie nplusplus  Join Date: Apr 2010  Location: Charlotte, NC, USA  Posts: 106
    Hi, Dahund,

    Welcome aboard!

    Have a look at fail2ban (Fail2ban) and OSSEC (OSSEC | OSSEC – Open Source Security). They can both block repeated attacks from the same IP. I think fail2ban is easier to set up, but OSSEC does other good things also. Either way, you will also need to run a firewall that both packages can manipulate, which will most likely be iptables, or ip6tables in your case.

    N
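As an added example of the fail2ban setup suggested above (not configuration from the thread or from the fail2ban project itself), here is a filter that matches the "ERR: LOGIN FAILED, ip=[...]" tail of the log lines in the first post, and a jail that bans a source after repeated matches. The file names, the log path and the thresholds are assumptions; fail2ban's `<HOST>` token already accepts the IPv4-mapped `::ffff:` prefix that courier writes.

```ini
# /etc/fail2ban/filter.d/courier-loginfailed.conf  (assumed file name)
[Definition]
# Matches the "ERR: LOGIN FAILED, ip=[::ffff:1.2.3.4]" ending of the lines in
# the post. <HOST> is fail2ban's address token and tolerates the ::ffff: prefix.
failregex = LOGIN FAILED, ip=\[<HOST>\]
ignoreregex =

# /etc/fail2ban/jail.local  (add this section; log path is an assumption)
[courier-loginfailed]
enabled   = true
filter    = courier-loginfailed
port      = pop3,pop3s,imap,imaps
logpath   = /var/log/mail.log
maxretry  = 5
findtime  = 600
bantime   = 3600
banaction = iptables-multiport
```

Before enabling the jail, check that the filter really matches your log with `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/courier-loginfailed.conf`; it reports how many lines matched, so a zero there means the regex or the log path is wrong rather than the attack having stopped.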
