List rogue connections

Postby sjoram » Tue Aug 27, 2019 9:41 am

I'm seeing a significant increase in the number of remote rogue hosts attempting connections to AMS, mainly via SMTP.

I see these failing in the logs and login being disallowed. Is there any way to get a 'list' of addresses that have failed, for example, within the past 24 hours, so that I could add these to be dropped at a network (firewall) level? I have seen instances where CPU utilisation has spiked with AMS and I have had to restart the service to recover. My suspicion is due to spikes in concurrent rogue connections.
sjoram
 
Posts: 24
Joined: Fri Sep 26, 2008 10:45 pm

Re: List rogue connections

Postby Code Crafters » Tue Aug 27, 2019 10:10 pm

You can only gather this information from the SMTP logs as you mentioned.

If you want us to create you a custom app to search the logs and output certain offending IPs to another file, we can give you a quote to do this. If interested, contact info@codecrafters.com for more information.
Code Crafters
 
Posts: 872
Joined: Mon Sep 10, 2007 2:35 pm
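One way to do the log search Code Crafters describes, as an added example that is not part of this thread or of Ability Mail Server: the log line layout is an assumption, since the real AMS SMTP log format is not shown here, so LINE_RE and FAILURE_RE need adjusting to match it. It counts failed logins per source IP over a trailing window (24 hours by default) and renders the result as a one-per-line block list.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line layout: "<YYYY-MM-DD HH:MM:SS> SMTP [<ip>] <message>" (not the real
# Ability Mail Server format; adjust LINE_RE and FAILURE_RE to match your log).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)
FAILURE_RE = re.compile(r"login (?:disallowed|failed)", re.IGNORECASE)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def failed_login_ips(lines, now, window_hours=24, min_count=1):
    """Return {ip: failures} for login failures in the window ending at `now`.
    Unparseable lines, successful logins and out-of-window entries are skipped.
    `min_count` drops IPs with only a few failures so one mistyped password does
    not land a legitimate user on a firewall block list.
    """
    now_ts = datetime.strptime(now, TS_FMT)
    cutoff = now_ts - timedelta(hours=window_hours)
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not FAILURE_RE.search(m["msg"]):
            continue
        if cutoff <= datetime.strptime(m["ts"], TS_FMT) <= now_ts:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_count}


def block_list(counts):
    """One IP per line, most failures first, ready to feed a firewall rule."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(ip for ip, _ in ordered)


# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2019-08-26 08:00:00 SMTP [203.0.113.5] Login disallowed for user admin",
    "2019-08-27 01:10:00 SMTP [203.0.113.5] Login disallowed for user admin",
    "2019-08-27 01:11:00 SMTP [203.0.113.5] Login disallowed for user test",
    "2019-08-27 02:30:00 SMTP [198.51.100.7] Login failed for user sjoram",
    "2019-08-27 03:00:00 SMTP [198.51.100.7] Login OK for user sjoram",
    "2019-08-27 04:00:00 SMTP [192.0.2.9] Connection closed",
    "this line does not match the expected layout",
]

if __name__ == "__main__":
    print(block_list(failed_login_ips(SAMPLE_LOG, "2019-08-27 09:41:00", min_count=2)))
```

Feed the output to a firewall rule set rather than blocking by hand, and review the list before applying it so a legitimate user with a forgotten password is not cut off.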

Re: List rogue connections

Postby sjoram » Fri Aug 30, 2019 10:16 pm

Thanks, I have dropped a /16 network on my firewall which has eliminated a fair swathe of recent rogue traffic.

I'm still seeing AMS sitting at no less than 50% CPU and having spikes up towards 100% when clients connect. One mobile device has started having problems with both push (IDLE) and fetch-style IMAP in the past few days.

I am running an older version of 3.x that hasn't had an update in quite some time and has only recently begun exhibiting this behaviour, so I can't even be sure that upgrading to the latest version 4.x will improve, but that is on my list to do in the near future. Home server, so budget considerations! :D
sjoram
 
Posts: 24
Joined: Fri Sep 26, 2008 10:45 pm

Re: List rogue connections

Postby sjoram » Sat Aug 31, 2019 7:20 am

I've now switched all of my Android clients to fetch every 15 mins rather than operate on push and they seem to have settled, for now.

One was refusing to connect at all for some time due to a "security error". I'm using a Let's Encrypt wildcard SSL which is working fine on other clients.

I had used IISCrypto set to 'best practices'; I re-enabled some old protocols in case that was causing an issue, but haven't rebooted the OS since making that change.
sjoram
 
Posts: 24
Joined: Fri Sep 26, 2008 10:45 pm

Re: List rogue connections

Postby Code Crafters » Wed Sep 04, 2019 10:13 pm

Ability Mail Server 4 has a new, much improved WebMail system. It also has newer SSL updates, but otherwise it may not improve your issues. You can try it free for 30 days to see if it helps, though. See https://www.codecrafters.com/AbilityMailServer/Download to download a free trial and https://www.codecrafters.com/AbilityMai ... ateHistory for all updates.
Code Crafters
 
Posts: 872
Joined: Mon Sep 10, 2007 2:35 pm
