[BlueOnyx:22531] Re: APF & Dfix2

Meaulnes Legler @ MailList bluelist at waveweb.ch
Wed Dec 5 03:03:37 -05 2018


On 04.12.18 17:51, Michael Stauber wrote:
> Hi Meaulnes,
>> # added 83.76.86.xxx on 12/04/18 12:09:33 with comment: dFixblock2
>> #83.76.86.xxx
> It would be interesting to see why you got blocked in first place. The
> logfile /var/log/secure or /var/log/messages has more info on that.

# less /var/log/secure | grep 83.76.86.xxx
Dec  3 13:37:41 vs sshd[2067]: Accepted password for root from 83.76.86.xxx port 64321 ssh2
Dec  3 14:29:59 vs sshd[2067]: Received disconnect from 83.76.86.xxx port 64321:11: disconnected by user
Dec  3 14:29:59 vs sshd[2067]: Disconnected from 83.76.86.xxx port 64321
Dec  3 14:30:07 vs sshd[8076]: Accepted password for root from 83.76.86.xxx port 65345 ssh2
Dec  3 16:21:02 vs sshd[20793]: Accepted password for root from 83.76.86.xxx port 50320 ssh2
Dec 3 18:53:12 vs sshd[6062]: Connection closed by 83.76.86.xxx port 52402 [preauth]
Dec  4 07:23:52 vs sshd[26926]: Accepted password for root from 83.76.86.xxx port 57483 ssh2
Dec  4 07:43:26 vs sshd[26926]: Received disconnect from 83.76.86.xxx port 57483:11: disconnected by user
Dec  4 07:43:26 vs sshd[26926]: Disconnected from 83.76.86.xxx port 57483
Dec  4 07:47:37 vs sshd[28629]: Accepted password for root from 83.76.86.xxx port 57648 ssh2
Dec  4 08:11:56 vs sshd[28629]: Received disconnect from 83.76.86.xxx port 57648:11: disconnected by user
Dec  4 08:11:56 vs sshd[28629]: Disconnected from 83.76.86.xxx port 57648
Dec  4 12:09:33 vs sshd[16055]: Failed password for root from 83.76.86.xxx port 59640 ssh2
Dec  4 12:31:20 vs sshd[22456]: Accepted password for root from 83.76.86.xxx port 59828 ssh2
Dec  4 13:00:48 vs sshd[22456]: Received disconnect from 83.76.86.xxx port 59828:11: disconnected by user
Dec  4 13:00:48 vs sshd[22456]: Disconnected from 83.76.86.xxx port 59828
Dec  4 15:56:40 vs sshd[11876]: Accepted password for root from 83.76.86.xxx port 61100 ssh2
Dec  4 17:49:28 vs sshd[21364]: Accepted password for root from 83.76.86.xxx port 49728 ssh2
Dec  4 19:52:24 vs sshd[21364]: Received disconnect from 83.76.86.xxx port 49728:11: disconnected by user
Dec  4 19:52:24 vs sshd[21364]: Disconnected from 83.76.86.xxx port 49728

I don't see anything special except maybe the [preauth] line... Here are the adjacent lines:

Dec  3 18:49:25 vs auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=gast rhost=89.248.162.159
Dec  3 18:52:59 vs sshd[29989]: Received disconnect from 94.103.my.ip port 39294:11: disconnected by user
Dec  3 18:52:59 vs sshd[29989]: Disconnected from 94.103.my.ip port 39294
Dec  3 18:52:59 vs sshd[29989]: pam_unix(sshd:session): session closed for user root
Dec 3 18:53:12 vs sshd[6062]: Connection closed by 83.76.86.xxx port 52402 [preauth]
Dec  3 18:54:10 vs auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=operator rhost=89.248.162.159  user=operator

/var/log/messages looks pretty harmless:

# less /var/log/messages | grep 83.76.86.xxx
Dec  2 14:30:35 vs apf: apf(13325): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  2 14:31:25 vs apf: apf(15388): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  2 15:42:05 vs apf: apf(22135): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  2 15:42:24 vs apf: apf(24164): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  3 13:31:24 vs apf: apf(32208): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  3 17:58:25 vs apf: apf(32315): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  4 12:12:00 vs apf: apf(18790): {trust IPv4} allow all to/from 83.76.86.xxx
Dec  4 15:43:57 vs apf: apf(9099): {trust IPv4} allow all to/from 83.76.86.xxx

> Other than that: Please consider uninstall Dfix2 and to switch to
> Fail2ban, whose ruleset causes fewer false positives and detects more stuff.

Will do.

Thank you Michael

_~_
'¿')
`-´ 	 Meaulnes Legler

  Zurich, Switzerland

+41¦0 44 260 16 60


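The check Michael suggests, correlating the Dfix2 block timestamp with the sshd events for that address in /var/log/secure, as an added example (not from the thread and not part of Dfix2 or BlueOnyx). It assumes the Dfix2 comment format quoted above and standard syslog timestamps; the log sample is constructed from lines in this post, with the anonymised `xxx` octet kept as-is.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the Dfix2 deny entry and a slice of /var/log/secure,
# modelled on the lines quoted in the thread (plus one unrelated host).
DFIX_ENTRY = "# added 83.76.86.xxx on 12/04/18 12:09:33 with comment: dFixblock2"
SECURE_LOG = """\
Dec  4 08:11:56 vs sshd[28629]: Disconnected from 83.76.86.xxx port 57648
Dec  4 12:09:33 vs sshd[16055]: Failed password for root from 83.76.86.xxx port 59640 ssh2
Dec  4 12:09:40 vs sshd[16060]: Failed password for root from 203.0.113.9 port 4444 ssh2
Dec  4 12:31:20 vs sshd[22456]: Accepted password for root from 83.76.86.xxx port 59828 ssh2
"""

DFIX_RE = re.compile(r"# added (\S+) on (\d\d/\d\d/\d\d \d\d:\d\d:\d\d)")
# syslog: "Mon  D HH:MM:SS host prog[pid]: message" (pid is optional, e.g. "auth:")
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$")

def parse_dfix_entry(line):
    """Return (ip, block time) from a Dfix2 deny_hosts comment line."""
    m = DFIX_RE.match(line)
    if not m:
        raise ValueError("not a Dfix2 deny entry")
    return m.group(1), datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")

def parse_syslog_line(line, year):
    """Return (timestamp, program, message) or None; syslog carries no year, so it is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, clock, prog, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, prog, msg

def find_block_trigger(dfix_line, secure_log, window_seconds=60):
    """Collect the events for the blocked IP in the window ending at the block time."""
    ip, blocked_at = parse_dfix_entry(dfix_line)
    earliest = blocked_at - timedelta(seconds=window_seconds)
    ip_pat = re.compile(rf"\bfrom {re.escape(ip)}\b")
    hits = []
    for raw in secure_log.splitlines():
        parsed = parse_syslog_line(raw, blocked_at.year)
        if parsed is None or not ip_pat.search(parsed[2]):
            continue
        if earliest <= parsed[0] <= blocked_at:
            hits.append(parsed)
    failures = sum(1 for _, _, msg in hits if "Failed password" in msg)
    return {"ip": ip, "blocked_at": blocked_at, "events": hits, "failed_logins": failures}
```

On the sample it returns exactly one event for the blocked address, the single `Failed password for root` whose timestamp coincides with the block time; a higher count would point at a real brute-force attempt rather than a mistyped password.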