Triggered: repeated knocking on closed ports.

Connection by 198.108.67.48 on port: 92 got caught by honeypot at 11/28/2019 5:45:53 PM

until 2019-11-28T16:01:56+00:00, observations: 2, bad account names: 1

11/28/2019-11:45:18.093418 77.247.109.38 Protocol: 6 ET SCAN NMAP -sS window 1024

2019-11-28 H=user-78-139-200-51.tomtelnet.ru \[78.139.200.51\] F=\ rejected RCPT \: Mail not accepted. 78.139.200.51 is listed at a DNSBL.
2019-11-28 H=user-78-139-200-51.tomtelnet.ru \[78.139.200.51\] F=\ rejected RCPT \: Mail not accepted. 78.139.200.51 is listed at a DNSBL.
2019-11-28 H=user-78-139-200-51.tomtelnet.ru \[78.139.200.51\] F=\ rejected RCPT \<**REMOVED**@**REMOVED**.de\>: Mail not accepted. 78.139.200.51 is listed at a DNSBL.

Lines containing failures of 202.190.79.215
Nov 28 14:13:56 expertgeeks postfix/smtpd[24114]: connect from unknown[202.190.79.215]
Nov x@x
Nov 28 14:13:57 expertgeeks postfix/smtpd[24114]: lost connection after DATA from unknown[202.190.79.215]
Nov 28 14:13:57 expertgeeks postfix/smtpd[24114]: disconnect from unknown[202.190.79.215] ehlo=1 mail=1 rcpt=0/1 data=0/1 commands=2/4


........
-----------------------------------------------
https://www.blocklist.de/en/view.html?ip=202.190.79.215

Nov 28 15:15:42 mxgate1 postfix/postscreen[9658]: CONNECT from [113.172.165.49]:56442 to [176.31.12.44]:25
Nov 28 15:15:42 mxgate1 postfix/dnsblog[9670]: addr 113.172.165.49 listed by domain cbl.abuseat.org as 127.0.0.2
Nov 28 15:15:42 mxgate1 postfix/dnsblog[9661]: addr 113.172.165.49 listed by domain zen.spamhaus.org as 127.0.0.11
Nov 28 15:15:42 mxgate1 postfix/dnsblog[9661]: addr 113.172.165.49 listed by domain zen.spamhaus.org as 127.0.0.4
Nov 28 15:15:42 mxgate1 postfix/dnsblog[9661]: addr 113.172.165.49 listed by domain zen.spamhaus.org as 127.0.0.3
Nov 28 15:15:42 mxgate1 postfix/dnsblog[9659]: addr 113.172.165.49 listed by domain bl.spamcop.net as 127.0.0.2
Nov 28 15:15:42 mxgate1 postfix/dnsblog[9662]: addr 113.172.165.49 listed by domain b.barracudacentral.org as 127.0.0.2
Nov 28 15:15:48 mxgate1 postfix/postscreen[9658]: DNSBL rank 5 for [113.172.165.49]:56442
Nov 28 15:15:48 mxgate1 postfix/tlsproxy[9849]: CONNECT from [113.172.165.49]:56442
Nov x@x


........
------------------------------------

2019-11-28T21:08:36.858707scmdmz1 sshd\[12888\]: pam_unix\(sshd:auth\): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.175.167  user=root
2019-11-28T21:08:38.033804scmdmz1 sshd\[12888\]: Failed password for root from 222.186.175.167 port 53742 ssh2
2019-11-28T21:08:41.187331scmdmz1 sshd\[12888\]: Failed password for root from 222.186.175.167 port 53742 ssh2
...

11/28/2019-15:46:26.873621 80.82.65.60 Protocol: 6 ET DROP Dshield Block Listed Source group 1

Unauthorized connection attempt from IP address 177.63.196.52 on Port 445(SMB)

Scanning random ports - tries to find possible vulnerable services

Triggered: repeated knocking on closed ports.

SQL APT Attack
Reported by and Credit to nic@wlink.biz from IP 118.69.71.82

[SPAM] The Last Charging Cable You'll Ever Buy. Guaranteed.

Nov 28 09:14:39 eola postfix/smtpd[2888]: connect from unknown[60.168.81.246]
Nov 28 09:14:39 eola postfix/smtpd[2888]: NOQUEUE: reject: RCPT from unknown[60.168.81.246]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=x@x helo=
Nov 28 09:14:40 eola postfix/smtpd[2888]: disconnect from unknown[60.168.81.246] ehlo=1 mail=1 rcpt=0/1 quhostname=1 commands=3/4
Nov 28 09:14:40 eola postfix/smtpd[2888]: connect from unknown[60.168.81.246]
Nov 28 09:14:41 eola postfix/smtpd[2888]: lost connection after AUTH from unknown[60.168.81.246]
Nov 28 09:14:41 eola postfix/smtpd[2888]: disconnect from unknown[60.168.81.246] ehlo=1 auth=0/1 commands=1/2
Nov 28 09:14:42 eola postfix/smtpd[2888]: connect from unknown[60.168.81.246]
Nov 28 09:14:44 eola postfix/smtpd[2888]: lost connection after AUTH from unknown[60.168.81.246]
Nov 28 09:14:44 eola postfix/smtpd[2888]: disconnect from unknown[60.168.81.246] ehlo=1 auth=0/1 commands=1/2
Nov 28 09:14:44 eola........
-------------------------------