• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

checkmailpasswd: FAILED

GravuTrad

Regular Pleskian
Hi to all.

Feb 27 16:37:35 ks38509 pop3d: LOGOUT, ip=[::ffff:176.61.143.28]
Feb 27 16:37:36 ks38509 pop3d: Connection, ip=[::ffff:176.61.143.28]
Feb 27 16:37:39 ks38509 pop3d: IMAP connect from @ [::ffff:176.61.143.28]checkmailpasswd: FAILED: angela - short names not allowed from @ [::ffff:176.61.143.28]ERR: LOGIN FAILED, ip=[::ffff:176.61.143.28]
Feb 27 16:37:39 ks38509 pop3d: LOGOUT, ip=[::ffff:176.61.143.28]
Feb 27 16:37:40 ks38509 pop3d: Connection, ip=[::ffff:176.61.143.28]
Feb 27 16:37:42 ks38509 pop3d: IMAP connect from @ [::ffff:176.61.143.28]checkmailpasswd: FAILED: angelica - short names not allowed from @ [::ffff:176.61.143.28]ERR: LOGIN FAILED, ip=[::ffff:176.61.143.28]

How to block these kind of ipv6 attacks with plesk please?

Thanks.
 
It's already configured like this. But this ip and this names are not from my server (so an attack). I blacklisted it in my firewall but i would stop the style of the attack...
 
This is just a standard brute-force attack - an attempt to guess usernames and passwords.

The IP addresses are not really IPv6. They are ipv4 formatted as ipv6 and this is just the way the application displays things in the logs.

If you see this sort of things from many different IPs, it is likely to be a botnet-based attack. There's nothing much you can do about this as the number of IPs will be high and be different from day to day. If you look at the IPs in question, you may find they are mostly coming from a particular geographic area. For example the majority of attacks of this nature that we see are currently mostly coming from South America. Since we have no customers in that area, and our customers do not do business with that part of the world, we could use geoblocking to block the majority of the countries involved. Other areas with high proportions of compromised systems are China, Eastern Europe, Turkey, South Korea.

But since the particular attack is using the wrong type of username (shortnames) there's nothing to worry about as it means that a login will never succeed.

The attack type is likely to change, however. So for peace of mind, I strongly recommend that you select a strong password policy for all your users. And if your passwords are not stored in encrypted form (default in Plesk 11), I also strongly recommend you look through the current passwords to make sure nobody is using a stupid password (short, obvious, common, dictionary word etc etc etc).

Strong passwords are effectively "impossible" to guess using an attack like this. OK, not impossible, but very difficult. The bad guys would have to try constantly for months on end. And they are looking for easy targets, mostly, so it is unlikely they will try that hard.

There are also a number of security tools that can help you. A number of scripts include the ability to detect multiple failed logins from the same IP over a period of time, and automatically block them (e.g. fail2ban). There are also commercial scripts and security systems that are worth looking into (e.g. ASL) that can do this and much more.
 
Back
Top