By: Vladislav

Re IP 185.125.4.197: How to reject such connections

April 20, 2016
Email Security Ubuntu

Guys, Hi!

I see in my mail.log file that this server (IP 185.125.4.197) tries to connect to my server.
Here are some records from /var/log/syslog:
Apr 20 08:54:06 -- postfix/smtpd[21689]: connect from unknown[185.125.4.197]
Apr 20 08:54:06 -- postfix/smtpd[21689]: lost connection after AUTH from unknown[185.125.4.197]
Apr 20 08:54:06 -- postfix/smtpd[21689]: disconnect from unknown[185.125.4.197]
Apr 20 08:57:26 -- postfix/anvil[21691]: statistics: max connection rate 1/60s for (smtp:185.125.4.197) at Apr 20 08:54:06
Apr 20 08:57:26 -- postfix/anvil[21691]: statistics: max connection count 1 for (smtp:185.125.4.197) at Apr 20 08:54:06
Apr 20 08:57:26 -- postfix/anvil[21691]: statistics: max cache size 1 at Apr 20 08:54:06

The main question: should I worry about it? And could I make some changes in some config files to reject such non-authorized connections?

Thank you anyway!

1 Answer

A good starting point would be to set up Fail2Ban:
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04
This guide shows you how to ban traffic via SSH, but you can also expand Fail2Ban with filters to help with SMTP: http://www.fail2ban.org/wiki/index.php/Sendmail

by Justin Ellingwood
Fail2ban is a daemon that can be run on your server to dynamically block clients that repeatedly fail to authenticate correctly with your services. This can help mitigate the effect of brute force attacks and illegitimate users of your services. In this guide, we'll demonstrate how to install and configure fail2ban to protect SSH and Nginx on an Ubuntu 14.04 server.
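As an added example (not from the original thread or from the Fail2Ban project), the script below applies the same rule a Fail2Ban jail applies, a filter regex plus maxretry and findtime, to Postfix smtpd lines in the format shown in the question: it extracts the client IP from each "lost connection after AUTH" event and reports any IP that produces at least maxretry such events inside a findtime-second window. The threshold, window and year values are assumptions, and the sample log is constructed (the second IP is a documentation address).

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix smtpd events where the client dropped the session during AUTH, as in
# the question's syslog excerpt. The hostname field between the timestamp and
# "postfix/smtpd" is matched loosely because the question redacts it as "--".
AUTH_DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"lost connection after AUTH from \S+\[(?P<ip>[0-9a-fA-F:.]+)\]"
)

def parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year; supply one (assumed) so windows compare.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, maxretry=3, findtime=600, year=2016):
    """Return {ip: total_hits} for IPs with >= maxretry AUTH drops inside any
    findtime-second window (the decision a Fail2Ban jail makes before banning)."""
    hits = defaultdict(list)
    for line in lines:
        m = AUTH_DROP_RE.search(line)
        if m:
            hits[m["ip"]].append(parse_ts(m["ts"], year))
    banned = {}
    for ip, times in hits.items():
        times.sort()
        # sliding window: count hits within findtime seconds after each hit
        for i, start in enumerate(times):
            window = [t for t in times[i:] if (t - start).total_seconds() <= findtime]
            if len(window) >= maxretry:
                banned[ip] = len(times)
                break
    return banned

# Constructed sample in the question's format (not real traffic).
SAMPLE_LOG = """\
Apr 20 08:54:06 mx postfix/smtpd[21689]: connect from unknown[185.125.4.197]
Apr 20 08:54:06 mx postfix/smtpd[21689]: lost connection after AUTH from unknown[185.125.4.197]
Apr 20 08:54:06 mx postfix/smtpd[21689]: disconnect from unknown[185.125.4.197]
Apr 20 08:55:10 mx postfix/smtpd[21702]: lost connection after AUTH from unknown[185.125.4.197]
Apr 20 08:56:44 mx postfix/smtpd[21710]: lost connection after AUTH from unknown[185.125.4.197]
Apr 20 09:30:00 mx postfix/smtpd[21800]: lost connection after AUTH from unknown[203.0.113.9]
Apr 20 09:31:00 mx postfix/smtpd[21801]: disconnect from unknown[203.0.113.9]
""".splitlines()

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} AUTH drops, would be banned")
```

A single dropped AUTH session, as in the question's excerpt, never crosses the threshold on its own; the same logic is what makes a Fail2Ban jail ignore one-off connections and act only on repeated ones.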