SMTP Login attempts and autoban

Lucitus
New user
Posts: 3
Joined: 2014-10-13 22:25

SMTP Login attempts and autoban

Post by Lucitus » 2014-10-13 22:28

Does the autoban feature also work with failed SMTP logins?

Because I got this in the log:

"SMTPD"	6512	127	"2014-10-13 04:16:02.156"	"188.162.43.70"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	5668	128	"2014-10-13 04:16:02.625"	"188.162.43.70"	"SENT: 220 smtp.lucitus.de ESMTP"
"SMTPD"	6656	128	"2014-10-13 04:16:02.718"	"188.162.43.70"	"RECEIVED: EHLO client.yota.ru"
"SMTPD"	6656	128	"2014-10-13 04:16:02.718"	"188.162.43.70"	"SENT: 250-smtp.lucitus.de[nl]250-SIZE 51200000[nl]250 AUTH LOGIN"
"SMTPD"	5988	128	"2014-10-13 04:16:02.984"	"188.162.43.70"	"RECEIVED: AUTH LOGIN"
"SMTPD"	5988	128	"2014-10-13 04:16:02.984"	"188.162.43.70"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	7276	128	"2014-10-13 04:16:03.125"	"188.162.43.70"	"RECEIVED: aW5mb0B6YWhuLXBsdXMtYXJ6dGhhdXMuZGU="
"SMTPD"	7276	128	"2014-10-13 04:16:03.125"	"188.162.43.70"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	4692	128	"2014-10-13 04:16:03.265"	"188.162.43.70"	"RECEIVED: ***"
"SMTPD"	4692	128	"2014-10-13 04:16:03.265"	"188.162.43.70"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	5668	129	"2014-10-13 04:16:03.671"	"188.162.43.70"	"SENT: 220 smtp.lucitus.de ESMTP"
"SMTPD"	7028	129	"2014-10-13 04:16:03.828"	"188.162.43.70"	"RECEIVED: EHLO client.yota.ru"
"SMTPD"	7028	129	"2014-10-13 04:16:03.828"	"188.162.43.70"	"SENT: 250-smtp.lucitus.de[nl]250-SIZE 51200000[nl]250 AUTH LOGIN"
"SMTPD"	5328	129	"2014-10-13 04:16:04.000"	"188.162.43.70"	"RECEIVED: AUTH LOGIN"
"SMTPD"	5328	129	"2014-10-13 04:16:04.000"	"188.162.43.70"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	6760	129	"2014-10-13 04:16:04.218"	"188.162.43.70"	"RECEIVED: aW5mb0B6YWhuLXBsdXMtYXJ6dGhhdXMuZGU="
"SMTPD"	6760	129	"2014-10-13 04:16:04.218"	"188.162.43.70"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	8300	129	"2014-10-13 04:16:04.359"	"188.162.43.70"	"RECEIVED: ***"
"SMTPD"	8300	129	"2014-10-13 04:16:04.375"	"188.162.43.70"	"SENT: 535 Authentication failed. Too many invalid logon attempts."
"SMTPD"	5668	131	"2014-10-13 04:43:41.734"	"188.162.43.70"	"SENT: 220 smtp.lucitus.de ESMTP"
"SMTPD"	5848	131	"2014-10-13 04:43:42.296"	"188.162.43.70"	"RECEIVED: EHLO client.yota.ru"
"SMTPD"	5848	131	"2014-10-13 04:43:42.312"	"188.162.43.70"	"SENT: 250-smtp.lucitus.de[nl]250-SIZE 51200000[nl]250 AUTH LOGIN"
"SMTPD"	6856	131	"2014-10-13 04:43:42.671"	"188.162.43.70"	"RECEIVED: AUTH LOGIN"
"SMTPD"	6856	131	"2014-10-13 04:43:42.671"	"188.162.43.70"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	8048	131	"2014-10-13 04:43:43.062"	"188.162.43.70"	"RECEIVED: aW5mb0B6YWhuLXBsdXMtYXJ6dGhhdXMuZGU="
"SMTPD"	8048	131	"2014-10-13 04:43:43.062"	"188.162.43.70"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	8300	131	"2014-10-13 04:43:43.468"	"188.162.43.70"	"RECEIVED: ***"
"SMTPD"	8300	131	"2014-10-13 04:43:43.484"	"188.162.43.70"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	5668	132	"2014-10-13 04:44:54.156"	"188.162.43.70"	"SENT: 220 smtp.lucitus.de ESMTP"
"SMTPD"	8048	132	"2014-10-13 04:44:54.578"	"188.162.43.70"	"RECEIVED: EHLO client.yota.ru"
"SMTPD"	8048	132	"2014-10-13 04:44:54.578"	"188.162.43.70"	"SENT: 250-smtp.lucitus.de[nl]250-SIZE 51200000[nl]250 AUTH LOGIN"
"SMTPD"	8300	132	"2014-10-13 04:44:55.062"	"188.162.43.70"	"RECEIVED: AUTH LOGIN"
"SMTPD"	8300	132	"2014-10-13 04:44:55.062"	"188.162.43.70"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	6512	132	"2014-10-13 04:44:55.593"	"188.162.43.70"	"RECEIVED: aW5mb0B6YWhuLXBsdXMtYXJ6dGhhdXMuZGU="
"SMTPD"	6512	132	"2014-10-13 04:44:55.593"	"188.162.43.70"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	8048	132	"2014-10-13 04:44:56.078"	"188.162.43.70"	"RECEIVED: ***"
"SMTPD"	8048	132	"2014-10-13 04:44:56.093"	"188.162.43.70"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	5668	133	"2014-10-13 04:45:02.796"	"188.162.43.70"	"SENT: 220 smtp.lucitus.de ESMTP"
"SMTPD"	7276	133	"2014-10-13 04:45:02.921"	"188.162.43.70"	"RECEIVED: EHLO client.yota.ru"
"SMTPD"	7276	133	"2014-10-13 04:45:02.921"	"188.162.43.70"	"SENT: 250-smtp.lucitus.de[nl]250-SIZE 51200000[nl]250 AUTH LOGIN"
"SMTPD"	3892	133	"2014-10-13 04:45:03.046"	"188.162.43.70"	"RECEIVED: AUTH LOGIN"
"SMTPD"	3892	133	"2014-10-13 04:45:03.046"	"188.162.43.70"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	7028	133	"2014-10-13 04:45:03.156"	"188.162.43.70"	"RECEIVED: aW5mb0B6YWhuLXBsdXMtYXJ6dGhhdXMuZGU="
"SMTPD"	7028	133	"2014-10-13 04:45:03.171"	"188.162.43.70"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	5988	133	"2014-10-13 04:45:03.312"	"188.162.43.70"	"RECEIVED: ***"
but no ban at all?

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: SMTP Login attempts and autoban

Post by percepts » 2014-10-13 22:37

Autoban can take a little while to show in admin. Try exiting admin and restarting it. Does the ban show then?

SorenR
Senior user
Posts: 3704
Joined: 2006-08-21 15:38
Location: Denmark

Re: SMTP Login attempts and autoban

Post by SorenR » 2014-10-13 22:45

First, I assume Auto-ban is activated ... hMailAdmin -> Settings - Advanced - Auto-ban

Second, if incoming IP Address is matched by an IP Range with a priority above 20, it will bypass Auto-ban.

Please check your IP Ranges. Even if bypassed by priority, hMailServer will still create an entry (in red) to ban the IP Address.
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

mattg
Moderator
Posts: 20970
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SMTP Login attempts and autoban

Post by mattg » 2014-10-14 00:50

ALSO, check your 'disconnect client after too many invalid commands', and the 'Maximum number of invalid commands' in SMTP settings >> RFC Compliance
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Lucitus
New user
Posts: 3
Joined: 2014-10-13 22:25

Re: SMTP Login attempts and autoban

Post by Lucitus » 2014-10-14 19:11

mattg wrote: ALSO, check your 'disconnect client after too many invalid commands', and the 'Maximum number of invalid commands' in SMTP settings >> RFC Compliance

How much is useful to set?

The rest is configured like the others told above.

With IMAP it is also working well (tested it), but when trying the SMTP server it seems to be unaffected by that.

mattg
Moderator
Posts: 20970
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SMTP Login attempts and autoban

Post by mattg » 2014-10-15 00:02

What are your settings?

Lucitus
New user
Posts: 3
Joined: 2014-10-13 22:25

Re: SMTP Login attempts and autoban

Post by Lucitus » 2014-10-15 19:06

10

mattg
Moderator
Posts: 20970
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SMTP Login attempts and autoban

Post by mattg » 2014-10-16 01:38

So at 10 incorrect guesses that connection would have been dropped.

Change your invalid attempts down if you like, I have mine set at 5.

Lefty
New user
Posts: 3
Joined: 2014-10-15 18:09

Re: SMTP Login attempts and autoban

Post by Lefty » 2014-10-16 08:29

Autoban is working for SMTP. But depending on how fast the "attacker" and the server are, it can be that several guesses are processed before the IP is banned. I have set my autoban to 1 (one) and in 1 out of 20 times the attacker is able to try more than one password. This shows how fast hMailServer is and how slow my virtual box is writing to disk.
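
A log check for the situation discussed in this thread, as an added example that is not part of any forum post and not hMailServer code: it parses SMTPD log lines in the layout shown in the first post, decodes the AUTH LOGIN username, and reports the IPs whose 535 failures reach a threshold inside a time window. The sample lines, addresses, account name, and the threshold and window values are constructed assumptions, not hMailServer's own auto-ban logic.

```python
import base64, csv, io
from collections import defaultdict
from datetime import datetime, timedelta

USERNAME_PROMPT = "SENT: 334 VXNlcm5hbWU6"  # base64 of "Username:"
USER_B64 = base64.b64encode(b"user@example.test").decode()  # constructed account

def _session(sid, ts, ip="192.0.2.10"):  # constructed sample: one failed login
    msgs = [USERNAME_PROMPT, "RECEIVED: " + USER_B64, "SENT: 334 UGFzc3dvcmQ6",
            "RECEIVED: ***", "SENT: 535 Authentication failed."]
    return [f'"SMTPD"\t4242\t{sid}\t"2014-10-13 {ts}"\t"{ip}"\t"{m}"' for m in msgs]

SAMPLE_LOG = "\n".join(_session(201, "04:16:02.156") + _session(202, "04:16:03.265")
    + _session(203, "04:43:43.484") + _session(204, "04:20:00.000", "198.51.100.7"))

def failed_logins(log_text):
    """Return (time, ip, username) for every 535 reply in SMTPD log lines."""
    awaiting_user, last_user, events = set(), {}, []
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) < 6 or row[0] != "SMTPD":
            continue
        session, stamp, ip, msg = row[2], row[3], row[4], row[5]
        if msg == USERNAME_PROMPT:
            awaiting_user.add(session)      # next RECEIVED is the username
        elif msg.startswith("RECEIVED: ") and session in awaiting_user:
            awaiting_user.discard(session)
            try:
                raw = base64.b64decode(msg[len("RECEIVED: "):], validate=True)
                last_user[session] = raw.decode("utf-8", "replace")
            except ValueError:
                last_user[session] = "<undecodable>"
        elif msg.startswith("SENT: 535 "):
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
            events.append((when, ip, last_user.get(session, "<unknown>")))
    return events

# Defaults are assumed example values, not hMailServer settings read from anywhere.
def ips_over_threshold(events, max_failures=3, window=timedelta(minutes=30)):
    """Map IP -> peak failures in any sliding window, if >= max_failures."""
    by_ip = defaultdict(list)
    for when, ip, _user in sorted(events):
        by_ip[ip].append(when)
    peak = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak[ip] = max(peak.get(ip, 0), end - start + 1)
    return {ip: n for ip, n in peak.items() if n >= max_failures}
```

Comparing the result with the IP Ranges list in hMailAdmin shows which addresses reached the configured limit without a ban entry appearing.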
