• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Issue Brute Force Attack - Postfix - Mail

combatdad

New Pleskian
Server operating system version
Linux
Plesk version and microupdate number
Plesk Obsidian Web Admin Edition 18.0.49 Update #2
Hi All, please take a look at the screenshot.

Any help? I'm new to plesk and a novice!

It looks like my server is being brute forced from Iran.

Thanks
 

Attachments

  • Screenshot 4.png
    Screenshot 4.png
    75.2 KB · Views: 11
Make sure that the Plesk firewall and fail2ban is installed and enabled. You can install them with the command:

Code:
plesk installer add --components psa-firewall fail2ban

See here for more information:
 
Thanks @danami for your response. So, firewall and fail2ban were set up and installed, however, dovecot jail wasn't enabled, and i also noticed the banning rules weren't strong enough, the attacker was alternating IP addresses on the 0/24 network to ensure they didn't fall foul of the default 600 / 600 settings in Fail2Ban. I increased these and limited max fails to 2 - and now, fail 2 ban has started adding IP addresses from the attacking network to jail - by the end of the day, i'll have them all (i think there is probably a way to ban the whole attacking network using ip tables, or adding to fail2ban manually? In any case, grateful for the response.
 
i think there is probably a way to ban the whole attacking network using ip tables, or adding to fail2ban manually?
I usually use grep "SASL LOGIN authentication failed" /var/log/mail.info |cut -f 5 -d ":"|sort|uniq -dc and null-route the more obnoxious ones with route add -net 194.55.224.0/24 lo if there are several in the same net or route add -host 195.133.40.157 lo for single hosts.
 
Back
Top