• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Question Brute force attack has put down dovecot service

O

OverWolf

Regular Pleskian
Hi,

I've received some email from watchdog that inform me that dovecot service is down for about 10 minutes, and then it is been restarted. So, I've read some log and I found that from an only ip, my server has received a series of attempts to access on dovecot.
Now, I would like to know why my server (and fail2ban) haven't response as I expected (after 3 attempts you are banned), but that ip could do several attempts before it was banned and then it put down my service.

Is there something can I do ?

Thank you

P.S.: I attach some screenshot.
 

Attachments

  • Dovecot_down_restart.png
    Dovecot_down_restart.png
    7.5 KB · Views: 14
  • Dovecot_down.png
    Dovecot_down.png
    32.3 KB · Views: 14
Fail2Ban cannot monitor logs realtime, but only neartime. There is a latency window between an event and a ban. If the log has many entries or if it is a large file of several megabytes in size, Fail2Ban will need more time to process the entries. During that latency window, attacks can continue.
 
ipset is an extension to iptables that allows to create sets of IP addresses. It does not reduce Fail2Ban latency.
 
So, what you can suggest to have a "realtime" protection ? Set a number of login attempts per minute ?
 
I doubt that there is a better solution for the situation that can be implemented on the server. There is no "realtime" protection, because that would require the service itself to monitor what is passing through it and blocking frequent connection attempts. Fail2Ban only blocks what has been written to a log, so it will not be super fast. MANUAL 0 8 - Fail2ban

You could try to limit the number of concurrent connections to the dovecot service by the corresponding mail server setting in Plesk, but if an attack closes the connection after a login attempt, it won't help, because then the connections are not concurrent. Limiting the number of dovecot processes won't help either, because the regular users will be blocked by that, too. When you know that your users are located in your area or country, you could limit IMAP port access to IPs of a certain region or country and block all others.
 
You must log in or register to reply here.

Similar threads

Jürgen_T
Question Massive Brute-Force Attacks on Plesk Panel – Looking for Additional Protection Measures
Replies
15
Views
1K
Franky H
F
T
Issue Stop Plesk Brute Force Attacks NOW: Cloudflare + Windows Server Fix
Replies
0
Views
277
TheHostingHeroes
T
brother4
Question Why isn't xmlrpc.php monitored by the WordPress jail in Fail2Ban?
Replies
8
Views
2K
Maarten
M
Polli
Issue Mails only possible with a wildcard certificate
Replies
5
Views
544
Polli
Polli
andreios
Issue Fail2ban WordPress login detection doesn't work and fail2ban couldn't be configured trough Plesk
Replies
2
Views
957
andreios
andreios
Back
Top