
Issue Brute Force Attack - Postfix - Mail

combatdad

New Pleskian
Server operating system version
Linux
Plesk version and microupdate number
Plesk Obsidian Web Admin Edition 18.0.49 Update #2
Hi All, please take a look at the screenshot.

Any help? I'm new to Plesk and a novice!

It looks like my server is being brute forced from Iran.

Thanks
 

Attachments: Screenshot 4.png (75.2 KB)
Make sure that the Plesk firewall and fail2ban are installed and enabled. You can install them with the command:

Code:
plesk installer add --components psa-firewall fail2ban

See here for more information:
 
Thanks @danami for your response. So, firewall and fail2ban were set up and installed; however, the dovecot jail wasn't enabled, and I also noticed the banning rules weren't strong enough: the attacker was alternating IP addresses on the 0/24 network to ensure they didn't fall foul of the default 600 / 600 settings in Fail2Ban. I increased these and limited max fails to 2, and now Fail2Ban has started adding IP addresses from the attacking network to jail. By the end of the day, I'll have them all (I think there is probably a way to ban the whole attacking network using iptables, or adding to fail2ban manually?). In any case, grateful for the response.
 
I think there is probably a way to ban the whole attacking network using iptables, or adding to fail2ban manually?
I usually use grep "SASL LOGIN authentication failed" /var/log/mail.info | cut -f 5 -d ":" | sort | uniq -dc and null-route the more obnoxious ones with route add -net 194.55.224.0/24 lo if there are several in the same net, or route add -host 195.133.40.157 lo for single hosts.
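One way to spot the IP rotation described in this thread, as an added example that is not part of any post here: a Python script that counts SASL failures per client IP the way fail2ban does, then rolls the counts up to the /24 so a network whose hosts each stay below maxretry still stands out. The log lines are constructed samples, and the regex assumes the standard postfix/smtpd warning format shown in the grep above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in postfix/smtpd syslog format; not real log data.
SAMPLE_LOG = """\
Jan  5 10:01:12 mail postfix/smtpd[2211]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  5 10:01:15 mail postfix/smtpd[2211]: warning: unknown[203.0.113.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  5 10:01:19 mail postfix/smtpd[2214]: warning: unknown[203.0.113.12]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  5 10:01:22 mail postfix/smtpd[2214]: warning: unknown[203.0.113.13]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  5 10:02:40 mail postfix/smtpd[2220]: warning: unknown[198.51.100.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  5 10:03:01 mail postfix/smtpd[2222]: connect from mx.example.net[192.0.2.7]
"""

# Matches the SASL authentication-failed warning and captures the client IPv4 address.
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL \w+ authentication failed"
)


def failures_per_ip(log_text):
    """Count SASL authentication failures per source IP (the view fail2ban's filter has)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def failures_per_network(per_ip, prefixlen=24):
    """Group per-IP counts by their /prefixlen network: {network: Counter({ip: failures})}."""
    nets = {}
    for ip, n in per_ip.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        nets.setdefault(net, Counter())[ip] = n
    return nets


def rotating_source_networks(per_ip, maxretry=2, min_hosts=2, prefixlen=24):
    """Networks whose hosts each stay below maxretry (so no single IP gets banned)
    but which together reach it across at least min_hosts distinct addresses."""
    flagged = []
    for net, members in failures_per_network(per_ip, prefixlen).items():
        total = sum(members.values())
        if len(members) >= min_hosts and total >= maxretry and max(members.values()) < maxretry:
            flagged.append(net)
    return sorted(flagged)


if __name__ == "__main__":
    per_ip = failures_per_ip(SAMPLE_LOG)
    for net, members in failures_per_network(per_ip).items():
        print(f"{net}: {sum(members.values())} failures from {len(members)} hosts")
    print("rotating sources:", rotating_source_networks(per_ip))
```

Run against the real file with `failures_per_ip(open("/var/log/mail.info").read())`; a flagged network is a candidate for the whole-network null route or firewall rule discussed above rather than a per-host ban.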
 