Mail.log has many references to 185.234.218.156?

In my mail.log, every few minutes there is an entry like the following. Why?

Dec 13 17:43:16 adonax postfix/smtpd[4350]: connect from unknown[185.234.218.156]
Dec 13 17:43:17 adonax postfix/smtpd[4350]: lost connection after AUTH from unknown[185.234.218.156]
Dec 13 17:43:17 adonax postfix/smtpd[4350]: disconnect from unknown[185.234.218.156] ehlo=1 auth=0/1 commands=1/2

I did a whois search and got this:

IP Information for 185.234.218.156
Quick Stats
IP Location: Ireland, Cork (World Hosting Farm Limited)
ASN: AS197226 SPRINT-SDC, PL (registered Aug 17, 2010)
Whois Server: whois.ripe.net
IP Address: 185.234.218.156

Are other people experiencing this? Is it known to be benign or malicious?

1 Reply

On the command line you can use host 185.234.218.156 and whois 185.234.218.156 and there are websites that do the same sort of things. Maybe just googling "whois 185.234.218.156" might work, I'm not sure.

I'm not exactly sure what it's trying to do, but since it says lost connection after AUTH, it might be trying to brute-force an account so it can use your server to send spam.

You can configure fail2ban to block these. Maybe google postfix fail2ban for a tutorial. I would bet $5 there's a guide on linode to do exactly that if you want to search the linode tutorials.

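As an added example (not code from the post or from fail2ban), here is a small Python script that does what the reply describes by hand: it counts failed AUTH commands per client IP from postfix/smtpd "disconnect from" summaries in the format shown in the question, and lists the addresses that cross a threshold, which is the decision fail2ban automates. The sample log is constructed from the question's lines; the second client (mail.example.test, 192.0.2.10) and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the postfix/smtpd lines in the question.
# The second client is a made-up legitimate user whose AUTH succeeded (auth=1/1).
SAMPLE_LOG = """\
Dec 13 17:43:16 adonax postfix/smtpd[4350]: connect from unknown[185.234.218.156]
Dec 13 17:43:17 adonax postfix/smtpd[4350]: lost connection after AUTH from unknown[185.234.218.156]
Dec 13 17:43:17 adonax postfix/smtpd[4350]: disconnect from unknown[185.234.218.156] ehlo=1 auth=0/1 commands=1/2
Dec 13 17:46:02 adonax postfix/smtpd[4350]: connect from unknown[185.234.218.156]
Dec 13 17:46:03 adonax postfix/smtpd[4350]: disconnect from unknown[185.234.218.156] ehlo=1 auth=0/1 commands=1/2
Dec 13 17:49:40 adonax postfix/smtpd[4351]: disconnect from unknown[185.234.218.156] ehlo=1 auth=0/1 commands=1/2
Dec 13 17:50:01 adonax postfix/smtpd[4352]: connect from mail.example.test[192.0.2.10]
Dec 13 17:50:02 adonax postfix/smtpd[4352]: disconnect from mail.example.test[192.0.2.10] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

# Postfix writes auth=<succeeded>/<attempted> in the disconnect summary; the
# counter is omitted entirely when the client never sent AUTH, so such lines
# simply do not match and are skipped.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S+\[(?P<ip>[^\]]+)\]"
    r".*?\bauth=(?P<ok>\d+)/(?P<tried>\d+)"
)


def failed_auth_by_ip(log_text):
    """Return {client_ip: number of AUTH commands that did not succeed}."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        failed = int(m["tried"]) - int(m["ok"])
        if failed > 0:
            failures[m["ip"]] += failed
    return dict(failures)


def offenders(log_text, threshold=3):
    """IPs with at least `threshold` failed AUTH commands: the candidates
    a fail2ban postfix jail would hand to the firewall (threshold is assumed)."""
    return sorted(ip for ip, n in failed_auth_by_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(failed_auth_by_ip(SAMPLE_LOG))
    print(offenders(SAMPLE_LOG))
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/mail.log (or feed it through journalctl); the regex only needs the smtpd disconnect lines.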
