-2

I see endless intrusion attempts in my MediaTemple server maillog. I need to block these IPs. Who can help with a filter file to match these?

Jan 21 07:51:44 mydomain postfix/smtpd[23505]: SSL_accept error from unknown[185.7.214.188]: -1
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: lost connection after STARTTLS from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: disconnect from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: connect from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: SSL_accept error from unknown[185.7.214.188]: -1
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: lost connection after STARTTLS from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: disconnect from unknown[185.7.214.188]
Jan 21 07:52:46 mydomain spamd[19730]: spamd: connection from mydomain.com [127.0.0.1] at port 35360
Jan 21 07:52:46 mydomain spamd[19728]: prefork: child states: I
Jan 21 07:54:05 mydomain postfix/smtpd[23549]: warning: hostname zg-0104b-34.stretchoid.com does not resolve to address 192.241.208.40
Jan 21 07:54:05 mydomain postfix/smtpd[23549]: connect from unknown[192.241.208.40]
Jan 21 07:54:05 mydomain postfix/smtpd[23549]: disconnect from unknown[192.241.208.40]
Jan 21 07:57:25 mydomain postfix/anvil[23507]: statistics: max connection rate 2/60s for (submission:185.7.214.188) at Jan 21 07:51:44
Jan 21 07:57:25 mydomain postfix/anvil[23507]: statistics: max connection count 1 for (submission:185.7.214.188) at Jan 21 07:51:43
Jan 21 07:57:25 mydomain postfix/anvil[23507]: statistics: max cache size 1 at Jan 21 07:51:43
Jan 21 07:57:46 mydomain spamd[19730]: spamd: connection from mydomain.com [127.0.0.1] at port 53520
Jan 21 07:57:46 mydomain spamd[19728]: prefork: child states: I
Jan 21 08:01:40 mydomain postfix/smtpd[23649]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:40 mydomain postfix/smtpd[23649]: connect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: SSL_accept error from unknown[185.181.102.18]: -1
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: connect from unknown[185.181.102.18]
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: SSL_accept error from unknown[185.181.102.18]: -1
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:49 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18

I have postfix-sasl. How do I modify it to fit these connect errors?

alex K
  • Postfix and postfix-sasl are implemented by default. Is this question business related? Because it looks like an end-user question. – djdomi Jan 22 '22 at 08:59
  • I just started an Amazon Lightsail instance a month ago. I already see lots of intrusion attempts in syslog. I want to know how they learned my IP address that quickly to attack my server. – alex K Jan 22 '22 at 11:53
  • Welcome to the internet. Ever heard of port scans? These days you can scan the complete internet in, I feel, a couple of minutes. Do you think your IP is a secret? – djdomi Jan 22 '22 at 14:04

1 Answer

0

Firstly, this is not an intrusion directly; this looks like the simplest port scanning... And except for a certain flood on (Postfix) ports, and probably an announcement of apps, or rather of the ports your server is listening on, to the scanners' side, you'd have no trouble with that.
You can surely ban them, but you must know what you do (e.g. to avoid false positives for some of your legitimate users, for instance if someone's slow connection would cause the same messages)...

To ban exactly this flood on the Postfix side only, you could add this jail:

[postfix-scan]
filter =
failregex = ^\s*\S+ postfix/smtpd\[[^\]]+\]: lost connection after (?:STARTTLS|UNKNOWN) from [^\[]*\[<ADDR>\]
port = smtp,465,submission
... (logpath, backend, maxretry, findtime, etc) ...
enabled = true

(just as already said, you could theoretically ban some legitimate user with that, so maybe you should increase maxretry and decrease findtime for this jail)

To ban port-scanning cardinally, you could add some netfilter rules, for example logging (and probably dropping) connections sending SYN packets to many ports (with some burst), or even some packets to some closed ports.
And then you can additionally ban them using something like https://github.com/fail2ban/fail2ban/issues/1945

sebres
  • Thanks for the comment. Can you tell me how they found my IP? I just started an instance a week ago in Amazon Lightsail. Did these SSL guys give out my IP address, or Postfix, or Plesk? – alex K Jan 26 '22 at 20:03
  • Also, where can I find WORKING filters for various issues, instead of me spending lots of time on regex? – alex K Jan 26 '22 at 20:06
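As an added example (not part of the answer above and not fail2ban's own code): a small Python script that applies the answer's failregex, with <ADDR> expanded to an IPv4 pattern as a simplification of fail2ban's address matching, to constructed lines modelled on the maillog in the question, then counts hits per IP within a findtime window against maxretry. It shows why the answer suggests tuning those two values: the same log bans one IP with maxretry=3/findtime=600 and two IPs with maxretry=2/findtime=3600. The names SAMPLE_LOG, parse_failures and would_ban are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, modelled on the maillog lines in the question (not the original log).
SAMPLE_LOG = """\
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: lost connection after STARTTLS from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: disconnect from unknown[185.7.214.188]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 08:30:00 mydomain postfix/smtpd[23700]: lost connection after STARTTLS from unknown[185.7.214.188]
"""

# Syslog timestamp prefix; fail2ban strips the date before applying the failregex,
# so the regex below starts at the hostname, exactly as in the answer's jail.
DATE_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (.*)$")

# The answer's failregex with <ADDR> expanded to an IPv4 capture (simplification: no IPv6).
FAIL_RE = re.compile(
    r"^\s*\S+ postfix/smtpd\[[^\]]+\]: lost connection after (?:STARTTLS|UNKNOWN) "
    r"from [^\[]*\[(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_failures(log_text, year=2022):
    """Yield (timestamp, ip) for each line the failregex matches; other lines are ignored."""
    for line in log_text.splitlines():
        m = DATE_RE.match(line)
        if not m:
            continue
        hit = FAIL_RE.match(m.group(2))
        if not hit:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, hit.group("addr")


def would_ban(log_text, maxretry=3, findtime=600):
    """Return the set of IPs that reach maxretry matches within any findtime-second window."""
    recent = defaultdict(deque)  # per-IP sliding window of match timestamps
    banned = set()
    for ts, ip in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry:
            banned.add(ip)
    return banned
```

With the defaults, only the scanner that hammers the port within seconds is banned; loosening to maxretry=2 over an hour also catches the host with two failures 38 minutes apart, which is the kind of slow legitimate client the answer warns about.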