• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Brute Force Attack

O

othmaqsa

Regular Pleskian
Server operating system version
Ubuntu 20.04
Plesk version and microupdate number
Version 18.0.44
Hello,

I have noticed in recent days that several brute force attacks appear in the mail browser log.

Example:
2022-06-18 00:03:34 plesk_saslauthd[294590] failed mail authentication attempt for user 'finance' (password len=21)
2022-06-18 00:02:54 plesk_saslauthd[294460] failed mail authentication attempt for user 'info' (password len=5)
2022-06-17 23:39:24 plesk_saslauthd[289509] failed mail authentication attempt for user 'postmaster' (password len=5)
2022-06-17 23:15:30 plesk_saslauthd[284610] failed mail authentication attempt for user 'admin' (password len=5)
2022-06-17 23:10:54 plesk_saslauthd[283704] failed mail authentication attempt for user 'sales' (password len=7)

And many other lines that look like these lines..

Fail2ban is installed with the defaults settings.

Do you have any suggestions for me in addition to Fail2ban please?

Thank you in advance.
 
Hello Maartenv,

This IP address is visible on the mail log browser, but this IP address is still not added on fail2ban.
 
The plesk-postfix jail should block those IP addresses, as there should be extra lines in the maillog containing the attacker's IP address. The plesk-postfix jail should be triggered by "authentication failed":

Code: 
warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
 
Hello maartenv,

Thanks for your message.

I had made a second check in the log file and unfortunately I did not find this type of log that you mentioned.

However, a line in the log caught my attention. The line is: Please check jail has possibly a timezone issue. Line with odd timestamp: Jun 18

So, I solved the problem of Timezone and the IPs now begin to be added in fail2ban successfuly.
 
Hello maartenv,

Despite the 10 jails activated by default, I receive thousands of logs per day containing this type of message:

2022-06-26 20:13:24 postfix/smtpd[2194534] disconnect from unknown[141.98.10.203] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
2022-06-26 20:13:24 postfix/smtpd[2194534] warning: unknown[141.98.10.203]: SASL LOGIN authentication failed: authentication failure
2022-06-26 20:13:24 plesk_saslauthd[2194720] failed mail authentication attempt for user 'daniel' (password len=10)
2022-06-26 20:13:24 plesk_saslauthd[2194720] privileges set to (110:117) (effective 110:117)
2022-06-26 20:13:24 plesk_saslauthd[2194720] listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
2022-06-26 20:13:20 postfix/smtpd[2194534] connect from unknown[141.98.10.203]
2022-06-26 20:13:06 plesk_saslauthd[2194536] select timeout, exiting
2022-06-26 20:12:36 postfix/smtpd[2194534] disconnect from unknown[45.125.65.159] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
2022-06-26 20:12:36 postfix/smtpd[2194534] warning: unknown[45.125.65.159]: SASL LOGIN authentication failed: authentication failure
2022-06-26 20:12:36 plesk_saslauthd[2194536] failed mail authentication attempt for user 'daniel' (password len=8)
2022-06-26 20:12:36 plesk_saslauthd[2194536] privileges set to (110:117) (effective 110:117)
2022-06-26 20:12:36 plesk_saslauthd[2194536] listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
2022-06-26 20:12:33 postfix/smtpd[2194534] connect from unknown[45.125.65.159]

Is there another jail that needs to be created or settings that need to be adjusted in the jails already created so that this type of brute force decreases a little?

I also note that there have been ip blacklists but the reason is always "recidive"

Thank you in advance.
 

Attachments

  • Screenshot 2022-06-26 201707.png
    Screenshot 2022-06-26 201707.png
    30.7 KB · Views: 3
You can finetune the plesk-postfix jail settings, like:
- IP address ban period: 7200 seconds
- The maximum number of failed login attempts: 2

Also, take a look at the global fail2ban settings in the GUI (be careful with this, this affects all jails)
i.e:
Enable intrusion detection
- IP address ban period = 3600 seconds
- Time interval for detection of subsequent attacks = 3600
- Number of failures before the IP address is banned = 3

Some attackers adapt the speed of the attacks. We noticed that they initially started with five attacks per second, but in the end, they slowed down to 2 or 3 attacks per second. At that point, it's hard to ban the attackers without banning customers who entered a wrong password a couple of times.
 
Hello maartenv,

Thank you for your message.

I'm going to apply these settings now and see what happens.

Thank you again :)
 
Hello maartenv,

For the 1st setting:
- IP address ban period: 7200 seconds
- The maximum number of failed login attempts: 2

Can I replace 2 by 1 ? I want the ip to be blocked automatically after the 1st try. Is it possible?

Thank you!
 
You must log in or register to reply here.

Similar threads

G
Question plesk_saslauthd - Attack, no IP seen
Replies
8
Views
1K
learning_curve
learning_curve
X
Question How To Setup Outgoing Only Mail
Replies
1
Views
184
scsa20
scsa20
A
Question Warnings in mail log [SASL LOGIN authentication failed]
Replies
1
Views
1K
Peter Debik
P
J
Resolved 25: Connection timed out - Almalinux 9.4 x86_64 | 18.0.61.1
Replies
2
Views
907
josemanuuxd
J
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
1K
scpcomp
S
Back
Top