How are you?
I am experiencing a bot attack. My problem is that I created a fail2ban service on Linksys WRT 3200ACM and 1900ACS.
What is weird is that it works with fail2ban, but for some reason it is not working.
Is it because iptables are not working with OpenWrt? It has its own iptables:
Maybe I'm missing something, but blocking packets at your firewall doesn't magically make the sender stop sending them, even if you send an unreachable message.
You might want to run a reverse lookup on that IP address. It looks like it starts with mail. and your rule name contains postfix. Somehow I doubt it's a "bot attack" given that.
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: lost connection after AUTH from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: disconnect from unknown[142.44.131.70] ehlo=2 starttls=1 auth=0/1 commands=3/4
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[13087]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[13038]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[14238]: connect from unknown[142.44.131.70]
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: warning: hostname mail.alltrackingweb.info does not resolve to address 142.44.131.70: Name or service not known
Feb 16 17:41:34 server postfix/submission/smtpd[27937]: connect from unknown[142.44.131.70]
Feb 16 17:41:37 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:43 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:53 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:42:02 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:42:02 server postfix/submission/smtpd[13038]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:42:02 server postfix/submission/smtpd[13087]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
The problem is that iptables-save just saves the iptables, but fail2ban is already using an SQLite server and restores...
What is weird with OpenWrt is that the iptables look right, but the "attack" is still happening.
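Before blaming the firewall side, the check I would run is whether the log lines above would trip a postfix-sasl jail at all. The script below is an added example, not code from the thread or from fail2ban: its regex is modelled on fail2ban's postfix-sasl filter (not copied from it), the 5-hits-in-600-seconds thresholds are assumed fail2ban-style defaults, and the sample log is a constructed subset of the excerpt above plus one line from the documentation address 203.0.113.9.

```python
import base64
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: subset of the thread's Postfix log, plus one unrelated address.
SAMPLE_LOG = """\
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: Connection lost to authentication server
Feb 16 17:41:34 server postfix/submission/smtpd[13088]: connect from unknown[142.44.131.70]
Feb 16 17:41:37 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:42 server postfix/submission/smtpd[27937]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:43 server postfix/submission/smtpd[13088]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:41:52 server postfix/submission/smtpd[14238]: warning: unknown[142.44.131.70]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 16 17:50:00 server postfix/submission/smtpd[14001]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Modelled on fail2ban's postfix-sasl failregex (not copied): syslog timestamp, any smtpd process.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S*smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed"
)

def parse_failures(log_text):
    """Yield (timestamp, ip) for every line that counts as a SASL auth failure."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog lines carry no year; strptime defaults to 1900, fine for deltas
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def find_bans(log_text, maxretry=5, findtime=600):
    """Sliding-window count per IP (assumed fail2ban-style defaults: 5 hits in 600 s).
    Returns {ip: timestamp of the failure that would have triggered the ban}."""
    window = defaultdict(deque)
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans:
            continue  # already banned; later hits are irrelevant
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop hits that fell out of the findtime window
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

def decode_sasl_token(token):
    """The trailing base64 token is the server's LOGIN prompt, not a client password."""
    return base64.b64decode(token).decode()
```

If find_bans() reports the address but the jail never fires, the gap is in fail2ban's log path or its action (the iptables/SQLite restore question raised above), not in the filter.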