
I was troubleshooting an Outlook client trying to authenticate with the mail server, and the client would time out (it was an issue with a local Outlook installation and the machine firewall).

To identify whether the connection was actually reaching the server, I initiated a tcpdump and noticed that there was another machine that was continuously trying to access it. I do have fail2ban running on the server. However, this issue is not reported in any logs (in the normal mode). This behaviour is also currently not having any impact on system resources.

  1. Should I just ban this IP (it feels like a stop-gap)?
  2. What kind of rule should I make?

Packet Capture from port 587

Charm_quark

1 Answer

Should I just ban this IP (it feels like a stop-gap)?

Using fail2ban is sufficient; manual intervention is not worth the effort here. Further, this appears to be a scanner only checking whether authentication is possible without TLS, and no actual login attempt is made.

What kind of rule should I make?

That requires that something is logged, so I'd first check why this connection does not appear in your logs.

sebix
  • The ip address was consistently trying to run the same scan over and over.. I did not know what it was trying to achieve. ended up permanently banning that IP. – Charm_quark Feb 16 '21 at 07:26