Fail2ban for the uninitiated.

Log entries explained in detail.

The IP address, date and time are self-explanatory, so let's start with the GET statement. The GET statement could actually be a GET, POST, HEAD or INSERT statement, but either way what this entry is telling you is that the user is trying to do something with the file named in the statement. What that something is depends on which of GET, POST, HEAD and INSERT it is.

GET means they are looking at the page or post. POST means that they are trying to enter data into your database. HEAD means that they are not requesting the entire page, just the header of the page, usually to compare the date and see if the page has been updated since they last looked at the page or post. INSERT means they are trying to write over the page with their own code, replacing your page.

The two sets of numbers that follow these statements are the result of what happened. The first number is the Apache response code. The most common response code should be 200, which means the file the user requested is available. If you get a 404 response code then the file was not available. If it is a file that you would expect to be there, you need to see what the problem is and fix it. But be aware that people, or scripts (written by people), will test your server to see if certain pages exist and try to exploit some vulnerability that lies on the page they are testing for. For a list of Apache response codes look at my post Where to find Apache response codes and how to determine their meaning. The second number is the amount of data that was transferred back to the user by your server, in bytes.

That brings us to the two sets of inverted commas with information between them. The first set of inverted commas holds a variety of things, including the page that the user was on when the request was made, or a “-” if the correct page was returned. The second set of inverted commas should tell you the browser the user was using, and if the user is a spider or a bot then it should contain the name of the bot. But don't rely on this without checking, because some hackers will give their bots the same name as others in an attempt to mislead the unwary. However, there are hackers that don't care, and those who are proud of being able to hack your server, so they will name their bot so that you will know their work.
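To make the fields above concrete, here is a small parser for Apache "combined" log lines that pulls out the IP address, method, requested file, response code, bytes sent, referring page and user agent, and then flags clients that pile up 404s (the "testing whether pages exist" behaviour described above). This is an added example, not code from the original post; the log lines it runs on are constructed to match the format and use documentation IP ranges, and the three-miss threshold is an assumption you would tune for your own site.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not from the original post).
# Format: ip ident user [time] "METHOD path protocol" status bytes "referer" "user-agent"
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [01/May/2012:12:35:51 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/12.0"
192.0.2.10 - - [01/May/2012:12:35:52 +1000] "GET /style.css HTTP/1.1" 200 812 "http://www.example.com/index.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/12.0"
198.51.100.7 - - [01/May/2012:12:40:01 +1000] "HEAD /index.html HTTP/1.1" 200 - "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.9 - - [01/May/2012:12:41:10 +1000] "GET /admin/ HTTP/1.1" 404 289 "-" "-"
203.0.113.9 - - [01/May/2012:12:41:11 +1000] "GET /old/ HTTP/1.1" 404 283 "-" "-"
203.0.113.9 - - [01/May/2012:12:41:12 +1000] "GET /setup.php HTTP/1.1" 404 291 "-" "-"
203.0.113.9 - - [01/May/2012:12:41:13 +1000] "POST /comment.php HTTP/1.1" 404 290 "-" "-"
"""

# One regex per field; the two quoted strings at the end are the referer and the user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Apache writes "-" when nothing was sent (typical for HEAD); treat that as 0 bytes.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # "-" in the quoted fields means the client supplied nothing.
    rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
    rec["agent"] = None if rec["agent"] == "-" else rec["agent"]
    return rec


def parse_log(text):
    """Parse every matching line in a block of log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def status_counts(records):
    """How many responses of each code were sent (200 should dominate on a healthy site)."""
    return Counter(r["status"] for r in records)


def find_probers(records, threshold=3):
    """IPs that collected at least `threshold` 404s: clients asking for files that are not there."""
    misses = Counter(r["ip"] for r in records if r["status"] == 404)
    return {ip: n for ip, n in misses.items() if n >= threshold}


def bytes_per_ip(records):
    """Total bytes your server sent back to each client."""
    total = defaultdict(int)
    for r in records:
        total[r["ip"]] += r["bytes"]
    return dict(total)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_ACCESS_LOG)
    print("response codes:", dict(status_counts(recs)))
    print("clients probing for missing files:", find_probers(recs))
    print("bytes sent per client:", bytes_per_ip(recs))
```

Run it against a real access log by replacing `SAMPLE_ACCESS_LOG` with the file contents; the 404 count per client is the same kind of signal fail2ban's Apache filters act on, but here it is only reported, not acted on.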

Finally for the logs, take a look at my mail log.

Mail Log
May 1 12:35:51 Myserver postfix/anvil[14462]: statistics: max connection rate 1/60s for (smtp:220.233.2.69) at May 1 12:32:30
May 1 12:35:51 Myserver postfix/anvil[14462]: statistics: max connection count 1 for (smtp:220.233.2.69) at May 1 12:32:30
May 1 12:35:51 Myserver postfix/anvil[14462]: statistics: max cache size 1 at May 1 12:32:30
May 1 12:39:04 Myserver postfix/smtpd[14742]: connect from unknown[190.233.96.177]
May 1 12:39:06 Myserver postfix/smtpd[14742]: NOQUEUE: reject: RCPT from unknown[190.233.96.177]: 550 5.1.1 <allan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<3dadeverson@chcaustralia.com> to=<allan@binaryone.com.au> proto=ESMTP helo=<[190.233.96.177]>
May 1 12:39:06 Myserver postfix/smtpd[14742]: NOQUEUE: reject: RCPT from unknown[190.233.96.177]: 550 5.1.1 <windowsallanallan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<3dadeverson@chcaustralia.com> to=<windowsallanallan@binaryone.com.au> proto=ESMTP helo=<[190.233.96.177]>
May 1 12:39:06 Myserver postfix/smtpd[14742]: NOQUEUE: reject: RCPT from unknown[190.233.96.177]: 550 5.1.1 <memberallan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<3dadeverson@chcaustralia.com> to=<memberallan@binaryone.com.au> proto=ESMTP helo=<[190.233.96.177]>
May 1 12:39:07 Myserver postfix/smtpd[14742]: disconnect from unknown[190.233.96.177]
May 1 12:42:27 Myserver postfix/anvil[14758]: statistics: max connection rate 1/60s for (smtp:190.233.96.177) at May 1 12:39:04
May 1 12:42:27 Myserver postfix/anvil[14758]: statistics: max connection count 1 for (smtp:190.233.96.177) at May 1 12:39:04
May 1 12:42:27 Myserver postfix/anvil[14758]: statistics: max cache size 1 at May 1 12:39:04
May 1 13:13:30 Myserver postfix/smtpd[15691]: warning: 190.51.202.228: hostname 190-51-202-228.speedy.com.ar verification failed: Name or service not known
May 1 13:13:30 Myserver postfix/smtpd[15691]: connect from unknown[190.51.202.228]
May 1 13:13:32 Myserver postfix/smtpd[15694]: connect from unknown[187.1.218.28]
May 1 13:13:35 Myserver postfix/smtpd[15691]: NOQUEUE: reject: RCPT from unknown[190.51.202.228]: 550 5.1.1 <allan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<info@biniflighttraining.com.au> to=<allan@binaryone.com.au> proto=ESMTP helo=
May 1 13:13:36 Myserver postfix/smtpd[15691]: NOQUEUE: reject: RCPT from unknown[190.51.202.228]: 550 5.1.1 <windowsallanallan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<rj@binaryculture.com.au> to=<windowsallanallan@binaryone.com.au> proto=ESMTP helo=
May 1 13:13:37 Myserver postfix/smtpd[15691]: NOQUEUE: reject: RCPT from unknown[190.51.202.228]: 550 5.1.1 <memberallan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<windowsallanallan@binaryone.com.au> to=<memberallan@binaryone.com.au> proto=ESMTP helo=
May 1 13:13:40 Myserver postfix/smtpd[15694]: NOQUEUE: reject: RCPT from unknown[187.1.218.28]: 550 5.1.1 <allan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<taxdwhxkb@ancientmu.com> to=<allan@binaryone.com.au> proto=SMTP helo=
May 1 13:13:42 Myserver postfix/smtpd[15694]: disconnect from unknown[187.1.218.28]
May 1 13:13:50 Myserver postfix/smtpd[15691]: disconnect from unknown[190.51.202.228]
May 1 13:17:10 Myserver postfix/anvil[15693]: statistics: max connection rate 1/60s for (smtp:190.51.202.228) at May 1 13:13:30
May 1 13:17:10 Myserver postfix/anvil[15693]: statistics: max connection count 1 for (smtp:190.51.202.228) at May 1 13:13:30
May 1 13:17:10 Myserver postfix/anvil[15693]: statistics: max cache size 2 at May 1 13:13:32
May 1 13:49:27 Myserver postfix/smtpd[16751]: connect from unknown[200.96.37.194]
May 1 13:49:28 Myserver postfix/smtpd[16751]: NOQUEUE: reject: RCPT from unknown[200.96.37.194]: 550 5.1.1 <allan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<amphitheatrest05@3hgroup.com> to=<allan@binaryone.com.au> proto=ESMTP helo=<[200.96.37.194]>
May 1 13:49:28 Myserver postfix/smtpd[16751]: NOQUEUE: reject: RCPT from unknown[200.96.37.194]: 550 5.1.1 <windowsallanallan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<amphitheatrest05@3hgroup.com> to=<windowsallanallan@binaryone.com.au> proto=ESMTP helo=<[200.96.37.194]>
May 1 13:49:28 Myserver postfix/smtpd[16751]: NOQUEUE: reject: RCPT from unknown[200.96.37.194]: 550 5.1.1 <memberallan@binaryone.com.au>: Recipient address rejected: User unknown in virtual alias table; from=<amphitheatrest05@3hgroup.com> to=<memberallan@binaryone.com.au> proto=ESMTP helo=<[200.96.37.194]>
May 1 13:49:29 Myserver postfix/smtpd[16751]: disconnect from unknown[200.96.37.194]

By this time you should be able to look at this log and see the obvious details that we have covered previously, so I am not going to cover them again. Take a look at the sections of the log that look like this: “reject: RCPT from unknown[200.96.37.194]: 550 5.1.1 ”. This is a particularly insidious type of hack attempt. Basically, what the hacker is doing is sending mail with forged sender addresses to your server. Then your server replies to an innocent server with undeliverable mail notifications. The hacker tries to use lots of servers to flood the innocent server, causing a denial of service attack. This is called backscatter mail. For more information on backscatter mail see http://www.postfix.org/BACKSCATTER_README.html
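The way a program like fail2ban spots this is simple: match the reject lines, count them per client address, and act once a client reaches a number of rejects (fail2ban calls it maxretry) inside a time window (findtime). The following is an added example that does exactly that over Postfix log text; it is not code from the original post or from fail2ban. The log lines are constructed in the same format as the mail log above but with documentation IP ranges and example.* domains, the year is assumed (syslog timestamps do not carry one), and the defaults of 3 rejects in 600 seconds are assumptions to tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the same shape as the Postfix log in the post (not real traffic).
# 198.51.100.23 sends three rejected recipients in two seconds (backscatter-style probing),
# 192.0.2.40 is one genuine typo, 203.0.113.77 sends three rejects twenty minutes apart.
SAMPLE_MAIL_LOG = """\
May  1 13:49:27 Myserver postfix/smtpd[16751]: connect from unknown[198.51.100.23]
May  1 13:49:28 Myserver postfix/smtpd[16751]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <alice@example.net>: Recipient address rejected: User unknown in virtual alias table; from=<forged@example.org> to=<alice@example.net> proto=ESMTP helo=<[198.51.100.23]>
May  1 13:49:28 Myserver postfix/smtpd[16751]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <bob@example.net>: Recipient address rejected: User unknown in virtual alias table; from=<forged@example.org> to=<bob@example.net> proto=ESMTP helo=<[198.51.100.23]>
May  1 13:49:29 Myserver postfix/smtpd[16751]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <carol@example.net>: Recipient address rejected: User unknown in virtual alias table; from=<forged@example.org> to=<carol@example.net> proto=ESMTP helo=<[198.51.100.23]>
May  1 13:49:30 Myserver postfix/smtpd[16751]: disconnect from unknown[198.51.100.23]
May  1 13:52:01 Myserver postfix/smtpd[16760]: connect from mail.example.com[192.0.2.40]
May  1 13:52:02 Myserver postfix/smtpd[16760]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.40]: 550 5.1.1 <typo@example.net>: Recipient address rejected: User unknown in virtual alias table; from=<friend@example.com> to=<typo@example.net> proto=ESMTP helo=<mail.example.com>
May  1 13:52:03 Myserver postfix/smtpd[16760]: disconnect from mail.example.com[192.0.2.40]
May  1 14:00:00 Myserver postfix/smtpd[16801]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <dave@example.net>: Recipient address rejected: User unknown in virtual alias table; from=<forged@example.org> to=<dave@example.net> proto=SMTP helo=<[203.0.113.77]>
May  1 14:20:00 Myserver postfix/smtpd[16833]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <erin@example.net>: Recipient address rejected: User unknown in virtual alias table; from=<forged@example.org> to=<erin@example.net> proto=SMTP helo=<[203.0.113.77]>
May  1 14:40:00 Myserver postfix/smtpd[16870]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <frank@example.net>: Recipient address rejected: User unknown in virtual alias table; from=<forged@example.org> to=<frank@example.net> proto=SMTP helo=<[203.0.113.77]>
"""

# Matches only the "reject: RCPT ... 550 5.1.1 ... User unknown" lines and captures time, client IP, recipient.
REJECT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: '
    r'NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 '
    r'<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown'
)


def parse_rejects(text, year=2012):
    """Return (timestamp, client_ip, rejected_recipient) for each matching line.

    Syslog lines carry no year, so the caller supplies one (assumed 2012 here).
    """
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())  # collapse the padded day ("May  1" -> "May 1")
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["rcpt"]))
    return events


def find_offenders(text, maxretry=3, findtime=600, year=2012):
    """Sliding-window count per IP, the same rule fail2ban applies with maxretry/findtime.

    Returns {ip: timestamp_of_the_reject_that_crossed_the_threshold}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _rcpt in parse_rejects(text, year):
        if ip in banned:
            continue  # already decided; fail2ban would have it blocked by now
        recent[ip].append(ts)
        # keep only rejects that fall inside the window ending at this event
        recent[ip] = [t for t in recent[ip] if ts - t <= window]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_MAIL_LOG).items():
        print(f"{ip} reached the threshold at {when:%b %d %H:%M:%S}")
```

Note what the window does: the client at 203.0.113.77 produces just as many rejects as the one at 198.51.100.23, but spread over forty minutes it never reaches three inside ten minutes, while a single mistyped recipient from a legitimate server is never touched. Widening findtime to an hour catches the slow client too, which is the trade-off you make when tuning these values.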

As you should be able to see, hackers will try many ways to cause problems with your server, or try to use your server to attack another innocent server. The trick is finding a way to stop them in their tracks. Apart from sitting all day reading your log files and taking the appropriate actions, what you need is a program to look after it for you. That is where fail2ban comes in.

Over the coming posts I will look at the configuration for fail2ban to look after the logs for you.

About 

Allan has a lifetime background in sales and more than thirty years' experience in programming and server configuration, which makes Allan extremely well equipped to understand your needs for any application or web site. Contact Allan to develop an application or web site for your business or for you personally.
