Facebook
Twitter
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
checkmailpasswd: FAILED
- Thread starter GravuTrad
- Start date
http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-administrator-guide/59430.htm
Read carefully about option "Use of short and full names is allowed"
Read carefully about option "Use of short and full names is allowed"
This is just a standard brute-force attack - an attempt to guess usernames and passwords.
The IP addresses are not really IPv6. They are ipv4 formatted as ipv6 and this is just the way the application displays things in the logs.
If you see this sort of things from many different IPs, it is likely to be a botnet-based attack. There's nothing much you can do about this as the number of IPs will be high and be different from day to day. If you look at the IPs in question, you may find they are mostly coming from a particular geographic area. For example the majority of attacks of this nature that we see are currently mostly coming from South America. Since we have no customers in that area, and our customers do not do business with that part of the world, we could use geoblocking to block the majority of the countries involved. Other areas with high proportions of compromised systems are China, Eastern Europe, Turkey, South Korea.
But since the particular attack is using the wrong type of username (shortnames) there's nothing to worry about as it means that a login will never succeed.
The attack type is likely to change, however. So for peace of mind, I strongly recommend that you select a strong password policy for all your users. And if your passwords are not stored in encrypted form (default in Plesk 11), I also strongly recommend you look through the current passwords to make sure nobody is using a stupid password (short, obvious, common, dictionary word etc etc etc).
Strong passwords are effectively "impossible" to guess using an attack like this. OK, not impossible, but very difficult. The bad guys would have to try constantly for months on end. And they are looking for easy targets, mostly, so it is unlikely they will try that hard.
There are also a number of security tools that can help you. A number of scripts include the ability to detect multiple failed logins from the same IP over a period of time, and automatically block them (e.g. fail2ban). There are also commercial scripts and security systems that are worth looking into (e.g. ASL) that can do this and much more.
The IP addresses are not really IPv6. They are ipv4 formatted as ipv6 and this is just the way the application displays things in the logs.
If you see this sort of things from many different IPs, it is likely to be a botnet-based attack. There's nothing much you can do about this as the number of IPs will be high and be different from day to day. If you look at the IPs in question, you may find they are mostly coming from a particular geographic area. For example the majority of attacks of this nature that we see are currently mostly coming from South America. Since we have no customers in that area, and our customers do not do business with that part of the world, we could use geoblocking to block the majority of the countries involved. Other areas with high proportions of compromised systems are China, Eastern Europe, Turkey, South Korea.
But since the particular attack is using the wrong type of username (shortnames) there's nothing to worry about as it means that a login will never succeed.
The attack type is likely to change, however. So for peace of mind, I strongly recommend that you select a strong password policy for all your users. And if your passwords are not stored in encrypted form (default in Plesk 11), I also strongly recommend you look through the current passwords to make sure nobody is using a stupid password (short, obvious, common, dictionary word etc etc etc).
Strong passwords are effectively "impossible" to guess using an attack like this. OK, not impossible, but very difficult. The bad guys would have to try constantly for months on end. And they are looking for easy targets, mostly, so it is unlikely they will try that hard.
There are also a number of security tools that can help you. A number of scripts include the ability to detect multiple failed logins from the same IP over a period of time, and automatically block them (e.g. fail2ban). There are also commercial scripts and security systems that are worth looking into (e.g. ASL) that can do this and much more.
Similar threads
