• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Brute Force Attack - Postfix - Mail

C

combatdad

New Pleskian
Server operating system version
Linux
Plesk version and microupdate number
Plesk Obsidian Web Admin Edition 18.0.49 Update #2
Hi All, please take a look at the screenshot.

Any help? I'm new to plesk and a novice!

It looks like my server is being brute forced from Iran.

Thanks
 

Attachments

  • Screenshot 4.png
    Screenshot 4.png
    75.2 KB · Views: 10
Make sure that the Plesk firewall and fail2ban is installed and enabled. You can install them with the command:

Code: 
plesk installer add --components psa-firewall fail2ban

See here for more information:
docs.plesk.com

Protection Against Brute Force Attacks (Fail2Ban)

IP address banning (Fail2Ban) is an automated way to protect your server from brute force attacks. Fail2Ban uses regu...
docs.plesk.com docs.plesk.com
 
Thanks @danami for your response. So, firewall and fail2ban were set up and installed, however, dovecot jail wasn't enabled, and i also noticed the banning rules weren't strong enough, the attacker was alternating IP addresses on the 0/24 network to ensure they didn't fall foul of the default 600 / 600 settings in Fail2Ban. I increased these and limited max fails to 2 - and now, fail 2 ban has started adding IP addresses from the attacking network to jail - by the end of the day, i'll have them all (i think there is probably a way to ban the whole attacking network using ip tables, or adding to fail2ban manually? In any case, grateful for the response.
 
combatdad said:
i think there is probably a way to ban the whole attacking network using ip tables, or adding to fail2ban manually?
Click to expand...
I usually use grep "SASL LOGIN authentication failed" /var/log/mail.info |cut -f 5 -d ":"|sort|uniq -dc and null-route the more obnoxious ones with route add -net 194.55.224.0/24 lo if there are several in the same net or route add -host 195.133.40.157 lo for single hosts.
 
You must log in or register to reply here.

Similar threads

brother4
Question Why isn't xmlrpc.php monitored by the WordPress jail in Fail2Ban?
Replies
8
Views
449
Maarten
M
andreios
Issue Fail2ban WordPress login detection doesn't work and fail2ban couldn't be configured trough Plesk
Replies
2
Views
564
andreios
andreios
MSZ
Forwarded to devs Fail2ban: how to get Plesk default jails & filters after re-install?
Replies
4
Views
946
schlegld
S
F
Question How to disable/restrict by IP <server-ip>/login_up.php ?
Replies
4
Views
1K
W4ru
W
K
Resolved Urgent Help Postfix on Plesk
Replies
5
Views
226
learning_curve
learning_curve
Back
Top