• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Brute Force Attack - Postfix - Mail

combatdad

New Pleskian
Server operating system version
Linux
Plesk version and microupdate number
Plesk Obsidian Web Admin Edition 18.0.49 Update #2
Hi All, please take a look at the screenshot.

Any help? I'm new to plesk and a novice!

It looks like my server is being brute forced from Iran.

Thanks
 

Attachments

  • Screenshot 4.png
    Screenshot 4.png
    75.2 KB · Views: 10
Make sure that the Plesk firewall and fail2ban is installed and enabled. You can install them with the command:

Code:
plesk installer add --components psa-firewall fail2ban

See here for more information:
 
Thanks @danami for your response. So, firewall and fail2ban were set up and installed, however, dovecot jail wasn't enabled, and i also noticed the banning rules weren't strong enough, the attacker was alternating IP addresses on the 0/24 network to ensure they didn't fall foul of the default 600 / 600 settings in Fail2Ban. I increased these and limited max fails to 2 - and now, fail 2 ban has started adding IP addresses from the attacking network to jail - by the end of the day, i'll have them all (i think there is probably a way to ban the whole attacking network using ip tables, or adding to fail2ban manually? In any case, grateful for the response.
 
i think there is probably a way to ban the whole attacking network using ip tables, or adding to fail2ban manually?
I usually use grep "SASL LOGIN authentication failed" /var/log/mail.info |cut -f 5 -d ":"|sort|uniq -dc and null-route the more obnoxious ones with route add -net 194.55.224.0/24 lo if there are several in the same net or route add -host 195.133.40.157 lo for single hosts.
 
Back
Top