ChrisMonder
Basic Pleskian
I post here again as Peter Debik marked my past post as Resolved, but it is not.
I have a kind of annoying problem: in the past, my main server IP belonged to a very well-known domain website; they moved their website/email server to a new IP range and I got their IP assigned (I didn't know about this when I received it).
I have more than 500 daily attempts to log in with an email user of that "domain", the one that is no longer hosted on my server/IP, and I guess their brute force uses the old relation between IP & domain to connect, so every day my server is handling these attempts, and LFD blocks the attacker IP for some time and I get an email each time this happens (I have it configured that way for other reasons).
Does anyone know how, at the start (or before) of the attempt, to ignore, block or something when the user trying to sign in belongs to that domain? Ex. [email protected] (domain.com is not on my server).
Peter Debik suggested that I apply this rule to IPTABLES, but it didn't work at all; I still have a lot of attempts:
# iptables -I INPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset
# iptables -I FORWARD 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset
# iptables -I OUTPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset
I appreciate any advice!
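Since an iptables -m string match cannot see a username inside a TLS-encrypted IMAP/POP3/HTTPS session, the mail server's own auth log is where these attempts are visible. The following is an added example, not code from this thread: it parses constructed Dovecot-style login-failure lines (the line format and field names are assumed), counts failures per source IP for users at a domain no longer hosted here, and returns the IPs over a threshold, ready to feed a deny list such as the one LFD maintains.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed Dovecot imap-login/pop3-login failure
# format; real lines carry a syslog timestamp and hostname before "dovecot:".
SAMPLE_LOG = """\
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales@domain.com>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@domain.com>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS
dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@domain.com>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@hosted.example>, method=PLAIN, rip=192.0.2.7, lip=198.51.100.5, TLS
dovecot: imap-login: Login: user=<alice@hosted.example>, method=PLAIN, rip=192.0.2.8, lip=198.51.100.5, TLS
"""

# Match only failed logins and capture the attempted user and the remote IP (rip).
FAILED_LOGIN = re.compile(
    r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def stale_domain_failures(log_text, stale_domains):
    """Count auth failures per source IP for users at domains no longer hosted here."""
    stale = {d.lower() for d in stale_domains}
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        domain = m.group("user").lower().rpartition("@")[2]
        if domain in stale:
            counts[m.group("rip")] += 1
    return counts


def ips_to_block(log_text, stale_domains, threshold=1):
    """Source IPs with at least `threshold` stale-domain failures, sorted for a deny list."""
    failures = stale_domain_failures(log_text, stale_domains)
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in stale_domain_failures(SAMPLE_LOG, ["domain.com"]).items():
        print(f"{ip}: {n} failed login(s) for a domain not hosted here")
```

Run it against the real log path with the actual stale domain substituted; the threshold keeps a single mistyped address from blocking a legitimate client.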