• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved Brute Force Attack

O

othmaqsa

Regular Pleskian
Server operating system version
Ubuntu 20.04
Plesk version and microupdate number
Version 18.0.44
Hello,

I have noticed in recent days that several brute force attacks appear in the mail browser log.

Example:
2022-06-18 00:03:34 plesk_saslauthd[294590] failed mail authentication attempt for user 'finance' (password len=21)
2022-06-18 00:02:54 plesk_saslauthd[294460] failed mail authentication attempt for user 'info' (password len=5)
2022-06-17 23:39:24 plesk_saslauthd[289509] failed mail authentication attempt for user 'postmaster' (password len=5)
2022-06-17 23:15:30 plesk_saslauthd[284610] failed mail authentication attempt for user 'admin' (password len=5)
2022-06-17 23:10:54 plesk_saslauthd[283704] failed mail authentication attempt for user 'sales' (password len=7)

And many other lines that look like these lines..

Fail2ban is installed with the defaults settings.

Do you have any suggestions for me in addition to Fail2ban please?

Thank you in advance.
 
Hello Maartenv,

This IP address is visible on the mail log browser, but this IP address is still not added on fail2ban.
 
The plesk-postfix jail should block those IP addresses, as there should be extra lines in the maillog containing the attacker's IP address. The plesk-postfix jail should be triggered by "authentication failed":

Code: 
warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
 
Hello maartenv,

Thanks for your message.

I had made a second check in the log file and unfortunately I did not find this type of log that you mentioned.

However, a line in the log caught my attention. The line is: Please check jail has possibly a timezone issue. Line with odd timestamp: Jun 18

So, I solved the problem of Timezone and the IPs now begin to be added in fail2ban successfuly.
 
Hello maartenv,

Despite the 10 jails activated by default, I receive thousands of logs per day containing this type of message:

2022-06-26 20:13:24 postfix/smtpd[2194534] disconnect from unknown[141.98.10.203] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
2022-06-26 20:13:24 postfix/smtpd[2194534] warning: unknown[141.98.10.203]: SASL LOGIN authentication failed: authentication failure
2022-06-26 20:13:24 plesk_saslauthd[2194720] failed mail authentication attempt for user 'daniel' (password len=10)
2022-06-26 20:13:24 plesk_saslauthd[2194720] privileges set to (110:117) (effective 110:117)
2022-06-26 20:13:24 plesk_saslauthd[2194720] listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
2022-06-26 20:13:20 postfix/smtpd[2194534] connect from unknown[141.98.10.203]
2022-06-26 20:13:06 plesk_saslauthd[2194536] select timeout, exiting
2022-06-26 20:12:36 postfix/smtpd[2194534] disconnect from unknown[45.125.65.159] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
2022-06-26 20:12:36 postfix/smtpd[2194534] warning: unknown[45.125.65.159]: SASL LOGIN authentication failed: authentication failure
2022-06-26 20:12:36 plesk_saslauthd[2194536] failed mail authentication attempt for user 'daniel' (password len=8)
2022-06-26 20:12:36 plesk_saslauthd[2194536] privileges set to (110:117) (effective 110:117)
2022-06-26 20:12:36 plesk_saslauthd[2194536] listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
2022-06-26 20:12:33 postfix/smtpd[2194534] connect from unknown[45.125.65.159]

Is there another jail that needs to be created or settings that need to be adjusted in the jails already created so that this type of brute force decreases a little?

I also note that there have been ip blacklists but the reason is always "recidive"

Thank you in advance.
 

Attachments

  • Screenshot 2022-06-26 201707.png
    Screenshot 2022-06-26 201707.png
    30.7 KB · Views: 3
You can finetune the plesk-postfix jail settings, like:
- IP address ban period: 7200 seconds
- The maximum number of failed login attempts: 2

Also, take a look at the global fail2ban settings in the GUI (be careful with this, this affects all jails)
i.e:
Enable intrusion detection
- IP address ban period = 3600 seconds
- Time interval for detection of subsequent attacks = 3600
- Number of failures before the IP address is banned = 3

Some attackers adapt the speed of the attacks. We noticed that they initially started with five attacks per second, but in the end, they slowed down to 2 or 3 attacks per second. At that point, it's hard to ban the attackers without banning customers who entered a wrong password a couple of times.
 
Hello maartenv,

Thank you for your message.

I'm going to apply these settings now and see what happens.

Thank you again :)
 
Hello maartenv,

For the 1st setting:
- IP address ban period: 7200 seconds
- The maximum number of failed login attempts: 2

Can I replace 2 by 1 ? I want the ip to be blocked automatically after the 1st try. Is it possible?

Thank you!
 
You must log in or register to reply here.

Similar threads

G
Question plesk_saslauthd - Attack, no IP seen
Replies
6
Views
283
PAM Baduijn
PAM Baduijn
A
Question Warnings in mail log [SASL LOGIN authentication failed]
Replies
1
Views
422
Peter Debik
P
S
Question Firewall blocking plesk_saslauthd failed mail authentication attempt for user 'info' (password len=9)
Replies
3
Views
2K
mow
M
Ankebut
Resolved PHP 8.1 Another FPM instance seems to already listen on [...] php-fpm.sock
2
Replies
26
Views
10K
Ankebut
Ankebut
R
Issue some install & repair failed
Replies
0
Views
424
revK
R
Back
Top