• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue Brute Force Attack - Postfix - Mail

C

combatdad

New Pleskian
Server operating system version
Linux
Plesk version and microupdate number
Plesk Obsidian Web Admin Edition 18.0.49 Update #2
Hi All, please take a look at the screenshot.

Any help? I'm new to plesk and a novice!

It looks like my server is being brute forced from Iran.

Thanks
 

Attachments

  • Screenshot 4.png
    Screenshot 4.png
    75.2 KB · Views: 11
Make sure that the Plesk firewall and fail2ban is installed and enabled. You can install them with the command:

Code: 
plesk installer add --components psa-firewall fail2ban

See here for more information:
docs.plesk.com

Protection Against Brute Force Attacks (Fail2Ban)

IP address banning (Fail2Ban) is an automated way to protect your server from brute force attacks. Fail2Ban uses regu...
docs.plesk.com docs.plesk.com
 
Thanks @danami for your response. So, firewall and fail2ban were set up and installed, however, dovecot jail wasn't enabled, and i also noticed the banning rules weren't strong enough, the attacker was alternating IP addresses on the 0/24 network to ensure they didn't fall foul of the default 600 / 600 settings in Fail2Ban. I increased these and limited max fails to 2 - and now, fail 2 ban has started adding IP addresses from the attacking network to jail - by the end of the day, i'll have them all (i think there is probably a way to ban the whole attacking network using ip tables, or adding to fail2ban manually? In any case, grateful for the response.
 
combatdad said:
i think there is probably a way to ban the whole attacking network using ip tables, or adding to fail2ban manually?
Click to expand...
I usually use grep "SASL LOGIN authentication failed" /var/log/mail.info |cut -f 5 -d ":"|sort|uniq -dc and null-route the more obnoxious ones with route add -net 194.55.224.0/24 lo if there are several in the same net or route add -host 195.133.40.157 lo for single hosts.
 
You must log in or register to reply here.

Similar threads

Jürgen_T
Question Massive Brute-Force Attacks on Plesk Panel – Looking for Additional Protection Measures
Replies
15
Views
1K
Franky H
F
brother4
Question Why isn't xmlrpc.php monitored by the WordPress jail in Fail2Ban?
Replies
8
Views
2K
Maarten
M
T
Issue Stop Plesk Brute Force Attacks NOW: Cloudflare + Windows Server Fix
Replies
0
Views
181
TheHostingHeroes
T
DataPacket
Forwarded to devs Event 'cp_user_login_failed'
Replies
8
Views
681
CruzMark
C
andreios
Issue Fail2ban WordPress login detection doesn't work and fail2ban couldn't be configured trough Plesk
Replies
2
Views
913
andreios
andreios
Back
Top