
Question How to ignore/block POP3/IMAP login attempts for a non existent domain in my server?

ChrisMonder

Basic Pleskian
I post here again as Peter Debik marked my past post as Resolved, but it is not.
I have a kind of annoying problem. In the past, my main server IP belonged to a very well-known domain/website; they moved their website/email server to a new IP range and I got their IP assigned (I didn't know about this when I received it).

I have more than 500 daily attempts to log in with an email user of that "domain", the one that is no longer hosted on my server/IP, and I guess the brute force uses the old relation between IP and domain to connect. So every day my server is handling these attempts, LFD blocks the attacker IP for some time, and I get an email each time this happens (I have it configured that way for other reasons).

Does anyone know how, at the start of (or before) the attempt, to ignore, block or do something when the user trying to sign in belongs to that domain? E.g. [email protected] (domain.com is not on my server).

Peter Debik suggested I apply this rule in iptables, but it didn't work at all; I still have a lot of attempts:
# iptables -I INPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset
# iptables -I FORWARD 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset
# iptables -I OUTPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

I appreciate any advice!
 
Hi
Try to add the rule to the f2b-plesk-postfix chain.
iptables -I f2b-plesk-postfix 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset
Remember to replace DOMAIN.TLD with the real domain name.


You could also check whether the IP that attempts to log in is always the same and DROP it with:
iptables -I INPUT -s IP_TO_DROP -j DROP
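The reply above suggests checking whether the attempts come from one source IP. Since a string match cannot see the username inside a TLS-protected session (993/995, or 143 after STARTTLS), the mail log is where the target domain is actually visible; the added example below (my own code, not from the thread or from Plesk) parses Dovecot login-failure lines, tallies failed logins per source IP for domains the server does not host, and emits `ipset add` lines for a block set. It assumes Dovecot's default log format, a constructed set of sample lines, a hosted-domain list, and that the ipset and its matching `-m set --match-set` iptables rule already exist.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in Dovecot's login-failure format (not from the poster's server).
LOG_LINES = """\
Jan 10 06:12:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@old-domain.example>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10, TLS, session=<abc>
Jan 10 06:12:04 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<sales@old-domain.example>, method=PLAIN, rip=198.51.100.22, lip=203.0.113.10, TLS, session=<def>
Jan 10 06:12:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@hosted.example>, method=PLAIN, rip=192.0.2.5, lip=203.0.113.10, TLS, session=<ghi>
Jan 10 06:12:15 mail dovecot: imap-login: Login: user=<alice@hosted.example>, method=PLAIN, rip=192.0.2.9, lip=203.0.113.10, TLS, session=<jkl>
Jan 10 06:12:20 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<admin@old-domain.example>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10, TLS, session=<mno>
"""

# Assumption: the domains this server really serves; anything else is "foreign".
HOSTED_DOMAINS = {"hosted.example"}

# Dovecot reports the attempt count and the remote IP (rip=) on the disconnect line.
FAIL_RE = re.compile(
    r"dovecot: (?P<proto>imap|pop3)-login: Disconnected \(auth failed, (?P<n>\d+) attempts[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(text):
    """Yield (domain, remote_ip, attempts) for every failed-login line in text."""
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        user = m.group("user")
        domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
        yield domain, m.group("rip"), int(m.group("n"))


def foreign_domain_sources(text, hosted=HOSTED_DOMAINS):
    """Return {domain: Counter(remote_ip -> failed attempts)} for domains not hosted here."""
    out = defaultdict(Counter)
    for domain, rip, n in parse_failures(text):
        if domain and domain not in hosted:
            out[domain][rip] += n
    return out


def ipset_lines(sources, setname="foreign-domain-brute"):
    """Render the offending IPs as 'ipset add' commands for a block set created beforehand."""
    ips = sorted({rip for counter in sources.values() for rip in counter})
    return [f"ipset add {setname} {ip} -exist" for ip in ips]


if __name__ == "__main__":
    tally = foreign_domain_sources(LOG_LINES)
    for domain, per_ip in tally.items():
        print(domain, dict(per_ip))
    print("\n".join(ipset_lines(tally)))
```

Feeding the real `/var/log/maillog` through `foreign_domain_sources` shows at a glance whether the attempts come from one address or, as described later in the thread, from many.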
 

Thanks Eliamarsura, I don't use F2B, I use the Juggernaut firewall, so when I try to run your command, it gives me this:
iptables: No chain/target/match by that name.

And if I change -l to -a:
Bad argument `1'

He uses TONS, trust me, tons of IPs, and "fresh" ones not listed in blacklists.
 
Hi ChrisMonder

OK, if you don't use fail2ban there are no fail2ban chains.
"Bad argument" could be caused by -a, which must be -A (capital letter).

By the way, please check whether there are other chains with the following command:
iptables -nL

My output for example is (I have deleted the rules):
:~# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination


Chain FORWARD (policy DROP)
target prot opt source destination


Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (1 references)
target prot opt source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination


Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination

Chain DOCKER-USER (1 references)
target prot opt source destination

Chain f2b-plesk-postfix (1 references)
target prot opt source destination

Chain f2b-plesk-proftpd (1 references)
target prot opt source destination
 
Yes, there are plenty of other rules, including the one Peter Debik suggested.

I tried at first with the A in uppercase, but I got that: Bad argument '1'.

Thanks
 