ipqbdb-users

Logs of the firewall at work


From: Alessandro Vesely
Subject: Logs of the firewall at work
Date: Sat, 2 Nov 2019 11:10:25 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0

Hi all,

comparing the log lines by ibd-parse in daemon.log with the original data that 
it parses can reveal the underlying work of the firewall.

For a given IP, 45.142.195.5, daemon.log is quite terse:

    2019-11-01 20:15:14 CET, 45.142.195.5, old decay: 345600, prob: 39.30%, SMTP auth dictionary attack
    2019-11-01 21:35:25 CET, 45.142.195.5, old decay: 691200, prob: 77.85%, SMTP auth dictionary attack


The output of ibd-del --ls-simple shows the date, which explains those high 
decay values and percentages:

    45.142.195.5 was caught 22 times since Fri Sep 20 17:59:57 2019


The original data from the mail log reveals how many times the firewall blocked 
TCP connections from that IP.  The OUTPUT chain is queued to ibd-judge in table 
raw, then, if a packet got marked, it is rejected with tcp-reset.  The reset 
packet goes to its originator, courieresmtpd.  The SMTP daemon notices the 
connection reset only if it happens while it is writing.  A failure to read has 
it exit silently:

    2019-11-01 20:13:17 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[44556]
    2019-11-01 20:14:14 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[36814]
    2019-11-01 20:15:09 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[57282]
    2019-11-01 20:15:14 CET 45.142.195.5 courieresmtpd: error,relay=45.142.195.5,msg="535 Authentication failed.",cmd: AUTH LOGIN address@hidden
    2019-11-01 20:16:35 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[49548]
    2019-11-01 20:17:53 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[33570]
    2019-11-01 20:21:06 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[37590]
    2019-11-01 20:23:16 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[41322]
    2019-11-01 20:25:35 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[53104]
    2019-11-01 20:27:23 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[36476]
    2019-11-01 20:29:12 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[48212]
    2019-11-01 20:31:24 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[51654]
    2019-11-01 20:32:49 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[43420]
    2019-11-01 20:34:05 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[54580]
    2019-11-01 20:36:24 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[37546]
    2019-11-01 20:37:40 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[48632]
    2019-11-01 20:38:34 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[39920]
    2019-11-01 20:39:28 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[59466]
    2019-11-01 20:40:54 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[50850]
    2019-11-01 20:41:17 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[42110]
    2019-11-01 20:42:11 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[33260]
    2019-11-01 20:43:06 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[52548]
    2019-11-01 20:44:00 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[43552]
    2019-11-01 20:44:54 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[34696]
    2019-11-01 20:46:20 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[54250]
    2019-11-01 20:48:31 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[55418]
    2019-11-01 20:50:50 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[37290]
    2019-11-01 20:52:07 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[47138]
    2019-11-01 20:53:01 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[38014]
    2019-11-01 20:54:26 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[57118]
    2019-11-01 20:55:43 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[38628]
    2019-11-01 20:56:37 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[57610]
    2019-11-01 20:58:02 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[48486]
    2019-11-01 21:00:45 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[49154]
    2019-11-01 21:02:56 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[49672]
    2019-11-01 21:04:21 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[40324]
    2019-11-01 21:05:15 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[59378]
    2019-11-01 21:06:09 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[50106]
    2019-11-01 21:07:26 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[59562]
    2019-11-01 21:08:51 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[50240]
    2019-11-01 21:09:45 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[40900]
    2019-11-01 21:10:39 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[59896]
    2019-11-01 21:11:02 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[50604]
    2019-11-01 21:11:56 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[41356]
    2019-11-01 21:13:45 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[50908]
    2019-11-01 21:15:11 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[41576]
    2019-11-01 21:17:22 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[42036]
    2019-11-01 21:20:03 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[42184]
    2019-11-01 21:21:51 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[51764]
    2019-11-01 21:25:04 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[52124]
    2019-11-01 21:28:40 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[43354]
    2019-11-01 21:29:57 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[52896]
    2019-11-01 21:30:52 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[43638]
    2019-11-01 21:31:46 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[34338]
    2019-11-01 21:35:21 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[53320]
    2019-11-01 21:35:25 CET 45.142.195.5 courieresmtpd: error,relay=45.142.195.5,msg="535 Authentication failed.",cmd: AUTH LOGIN address@hidden
    2019-11-01 21:55:11 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[46442]
    2019-11-01 21:58:25 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[46566]
    2019-11-01 22:02:55 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[56346]
    2019-11-01 22:07:24 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[37418]
    2019-11-01 22:21:49 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[58086]
    2019-11-01 22:32:38 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[59760]
    2019-11-01 22:53:22 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[43690]
    2019-11-01 22:56:05 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[44430]
    2019-11-01 23:27:37 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[58038]
    2019-11-01 23:33:01 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[53890]
    2019-11-02 00:09:59 CET 45.142.195.5 courieresmtpd: error,relay=45.142.195.5,msg="writev: Connection reset by peer",cmd:
    2019-11-02 00:14:29 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[49356]
    2019-11-02 00:18:29 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[59448]
    2019-11-02 00:28:56 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[41444]
    2019-11-02 00:31:38 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[41862]
    2019-11-02 00:35:14 CET 45.142.195.5 courieresmtpd: error,relay=45.142.195.5,msg="writev: Connection reset by peer",cmd:
    2019-11-02 00:45:09 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[43560]
    2019-11-02 00:47:51 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[43800]
    2019-11-02 00:50:57 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[34904]
    2019-11-02 01:00:29 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[54542]
    2019-11-02 01:01:46 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[35874]
    2019-11-02 01:03:34 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[45476]
    2019-11-02 01:05:55 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[55214]
    2019-11-02 01:09:31 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[46114]
    2019-11-02 01:20:21 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[46862]
    2019-11-02 01:21:38 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[56280]
    2019-11-02 01:24:51 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[56410]
    2019-11-02 01:33:52 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[48740]
    2019-11-02 01:37:28 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[40046]
    2019-11-02 01:43:47 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[59270]
    2019-11-02 01:59:08 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[40728]
    2019-11-02 02:08:10 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[60664]
    2019-11-02 02:18:05 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[42844]
    2019-11-02 02:31:37 CET 45.142.195.5 courieresmtpd: error,relay=45.142.195.5,msg="writev: Connection reset by peer",cmd:
    2019-11-02 02:45:31 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[37824]
    2019-11-02 02:46:57 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[56810]
    2019-11-02 03:09:52 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[40052]
    2019-11-02 03:11:18 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[58984]
    2019-11-02 03:16:12 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[59600]
    2019-11-02 03:20:20 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[50534]
    2019-11-02 03:24:50 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[60196]
    2019-11-02 03:32:27 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[32930]
    2019-11-02 03:37:51 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[33802]
    2019-11-02 03:41:28 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[52872]
    2019-11-02 03:45:05 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[43978]
    2019-11-02 03:54:37 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[35224]
    2019-11-02 03:57:20 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[35456]
    2019-11-02 04:00:26 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[54494]
    2019-11-02 04:04:33 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[45558]
    2019-11-02 04:07:15 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[45650]
    2019-11-02 04:16:41 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[56762]
    2019-11-02 04:19:00 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[38022]
    2019-11-02 04:22:36 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[57236]
    2019-11-02 04:30:13 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[58320]
    2019-11-02 04:33:49 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[48940]
    2019-11-02 04:38:50 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[59038]


Best
Ale
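As an added example (not part of the post, nor code from the ipqbdb project), here is a Python script that parses the two kinds of log line quoted above for one IP, counts the sessions that started but logged neither a 535 nor a reset (the silent exits the post attributes to the firewall), and pairs each ibd-parse verdict with the 535 failure logged at the same moment. The sample lines are constructed after the post's, and the 2-second matching window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines modelled on the post's quoted logs (not the real files).
MAIL_LOG = """\
2019-11-01 20:13:17 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[44556]
2019-11-01 20:15:09 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[57282]
2019-11-01 20:15:14 CET 45.142.195.5 courieresmtpd: error,relay=45.142.195.5,msg="535 Authentication failed.",cmd: AUTH LOGIN address@hidden
2019-11-02 00:09:59 CET 45.142.195.5 courieresmtpd: error,relay=45.142.195.5,msg="writev: Connection reset by peer",cmd:
2019-11-02 00:14:29 CET 45.142.195.5 courieresmtpd: started,ip=[45.142.195.5],port=[49356]
"""
DAEMON_LOG = """\
2019-11-01 20:15:14 CET, 45.142.195.5, old decay: 345600, prob: 39.30%, SMTP auth dictionary attack
"""
MAIL_RE = re.compile(r'^(\S+ \S+) CET (\S+) courieresmtpd: (\w+),(.*)$')
DAEMON_RE = re.compile(r'^(\S+ \S+) CET, (\S+), old decay: (\d+), prob: ([\d.]+)%, (.*)$')
STAMP = '%Y-%m-%d %H:%M:%S'   # zone label dropped: every sample line is CET

def classify(kind, rest):
    # Map a courieresmtpd record onto the outcomes the post distinguishes.
    if kind == 'started':
        return 'started'
    if '535 Authentication failed' in rest:
        return 'auth_failed'
    if 'Connection reset by peer' in rest:
        return 'reset'          # the tcp-reset from ibd-judge, caught in writev()
    return 'other'

def parse_mail_log(text):
    return [(datetime.strptime(m[1], STAMP), m[2], classify(m[3], m[4]))
            for m in map(MAIL_RE.match, text.splitlines()) if m]

def parse_daemon_log(text):
    return [(datetime.strptime(m[1], STAMP), m[2], int(m[3]), float(m[4]), m[5])
            for m in map(DAEMON_RE.match, text.splitlines()) if m]

def summarize(events, ip):
    # A session that neither failed AUTH nor saw the reset exited silently:
    # the post's sign of a connection the firewall rejected while the daemon read.
    c = Counter(kind for _, e_ip, kind in events if e_ip == ip)
    c['silent'] = c['started'] - c['auth_failed'] - c['reset']
    return dict(c)

def correlate(verdicts, events, window=timedelta(seconds=2)):
    # Pair each ibd-parse verdict with the 535 failure logged at the same moment.
    return [(v[0], v[1], v[3], any(e[1] == v[1] and e[2] == 'auth_failed'
                                   and abs(e[0] - v[0]) <= window for e in events))
            for v in verdicts]
```

Run against the real files, the `silent` count for an IP is the number the post reads off the mail log by hand.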

