Resolved Brute Force Attack

[othmaqsa]

Server operating system version

Ubuntu 20.04

Plesk version and microupdate number

Version 18.0.44

Hello,

I have noticed in recent days that several brute force attacks appear in the mail browser log.

Example:
2022-06-18 00:03:34 plesk_saslauthd[294590] failed mail authentication attempt for user 'finance' (password len=21)
2022-06-18 00:02:54 plesk_saslauthd[294460] failed mail authentication attempt for user 'info' (password len=5)
2022-06-17 23:39:24 plesk_saslauthd[289509] failed mail authentication attempt for user 'postmaster' (password len=5)
2022-06-17 23:15:30 plesk_saslauthd[284610] failed mail authentication attempt for user 'admin' (password len=5)
2022-06-17 23:10:54 plesk_saslauthd[283704] failed mail authentication attempt for user 'sales' (password len=7)

And many other lines that look like these lines..

Fail2ban is installed with the defaults settings.

Do you have any suggestions for me in addition to Fail2ban please?

Thank you in advance.

 

[Maarten]

Are the IP addresses of the attackers visible in fail2ban.log ?

Also, have a look at this:

https://support.plesk.com/hc/en-us/articles/115002613513-Constant-failed-mail-authenticatication-entries-are-logged-in-mail-log-in-Plesk-server

 

[othmaqsa]

Hello Maartenv,

This IP address is visible on the mail log browser, but this IP address is still not added on fail2ban.

 

[Maarten]

The plesk-postfix jail should block those IP addresses, as there should be extra lines in the maillog containing the attacker's IP address. The plesk-postfix jail should be triggered by "authentication failed":

warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure

 

[othmaqsa]

Hello maartenv,

Thanks for your message.

I had made a second check in the log file and unfortunately I did not find this type of log that you mentioned.

However, a line in the log caught my attention. The line is: Please check jail has possibly a timezone issue. Line with odd timestamp: Jun 18

So, I solved the problem of Timezone and the IPs now begin to be added in fail2ban successfuly.

 

[othmaqsa]

Hello maartenv,

Despite the 10 jails activated by default, I receive thousands of logs per day containing this type of message:

2022-06-26 20:13:24 postfix/smtpd[2194534] disconnect from unknown[141.98.10.203] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
2022-06-26 20:13:24 postfix/smtpd[2194534] warning: unknown[141.98.10.203]: SASL LOGIN authentication failed: authentication failure
2022-06-26 20:13:24 plesk_saslauthd[2194720] failed mail authentication attempt for user 'daniel' (password len=10)
2022-06-26 20:13:24 plesk_saslauthd[2194720] privileges set to (110:117) (effective 110:117)
2022-06-26 20:13:24 plesk_saslauthd[2194720] listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
2022-06-26 20:13:20 postfix/smtpd[2194534] connect from unknown[141.98.10.203]
2022-06-26 20:13:06 plesk_saslauthd[2194536] select timeout, exiting
2022-06-26 20:12:36 postfix/smtpd[2194534] disconnect from unknown[45.125.65.159] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
2022-06-26 20:12:36 postfix/smtpd[2194534] warning: unknown[45.125.65.159]: SASL LOGIN authentication failed: authentication failure
2022-06-26 20:12:36 plesk_saslauthd[2194536] failed mail authentication attempt for user 'daniel' (password len=8)
2022-06-26 20:12:36 plesk_saslauthd[2194536] privileges set to (110:117) (effective 110:117)
2022-06-26 20:12:36 plesk_saslauthd[2194536] listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
2022-06-26 20:12:33 postfix/smtpd[2194534] connect from unknown[45.125.65.159]

Is there another jail that needs to be created or settings that need to be adjusted in the jails already created so that this type of brute force decreases a little?

I also note that there have been ip blacklists but the reason is always "recidive"

Thank you in advance.

 

[Maarten]

You can finetune the plesk-postfix jail settings, like:
- IP address ban period: 7200 seconds
- The maximum number of failed login attempts: 2

Also, take a look at the global fail2ban settings in the GUI (be careful with this, this affects all jails)
i.e:
Enable intrusion detection
- IP address ban period = 3600 seconds
- Time interval for detection of subsequent attacks = 3600
- Number of failures before the IP address is banned = 3

Some attackers adapt the speed of the attacks. We noticed that they initially started with five attacks per second, but in the end, they slowed down to 2 or 3 attacks per second. At that point, it's hard to ban the attackers without banning customers who entered a wrong password a couple of times.

 

[othmaqsa]

Hello maartenv,

Thank you for your message.

I'm going to apply these settings now and see what happens.

Thank you again

 

[othmaqsa]

Hello maartenv,

For the 1st setting:
- IP address ban period: 7200 seconds
- The maximum number of failed login attempts: 2

Can I replace 2 by 1 ? I want the ip to be blocked automatically after the 1st try. Is it possible?

Thank you!

 

[Maarten]

Yes, that is possible.

 

[mar-ek]

Hi everyone!
To help protect against brute force attacks on email accounts, please consider voting for this feature to add IP address and non-existent mailbox management in Plesk. It could improve email security by blocking attempts more effectively.

Here’s the link: Add IP Address and "non-existent mailbox" to plesk_saslauthd Authentication Logs