
Resolved How to ignore POP3/IMAP login attempts for a non-existent domain on my server?

ChrisMonder

Basic Pleskian
Hi all,

I have a kind of annoying problem. In the past, my main server IP belonged to a very well-known domain/website; they moved their website/email server to a new IP range and I got their IP assigned (I didn't know about this when I received it).

I have more than 500 daily attempts to log in with an email user of that "domain", the one that is no longer hosted on my server/IP, and I guess the brute forcers use the old relation between IP and domain to connect. So, every day, my server is handling these attempts, LFD blocks the attacker IP for some time, and I get an email each time this happens (I have it configured that way for other reasons).

Does anyone know how to ignore, block or do something at the start (or before) of the attempt when the user trying to sign in is of that domain? Ex. [email protected] (domain.com is not on my server).

I appreciate any advice!
 
The only way I can think of: Collect all IP addresses that try to log in with those invalid accounts and permanently ban them in your firewall configuration.
 
You could block the domain name in iptables either for all ports or a specific selection of ports, for example
Code:
# iptables -I INPUT 1 -p tcp -m multiport --dports 25,993,995,143,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I FORWARD 1 -p tcp -m multiport --dports 25,993,995,143,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I OUTPUT 1 -p tcp -m multiport --dports 25,993,995,143,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset
(Instead of the placeholder DOMAIN.TLD, enter the domain that you want to block.)

The example will block all common traffic, but you could reduce the ports to the mail ports as required.
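As an added example (this is not code from the post above, nor Plesk's or CSF's own): `-m string` is a raw byte search over each packet with no protocol awareness, so whether the rule above ever fires depends on how the client presents the login. The script mimics that search against constructed IMAP, POP3 and SMTP login lines for a placeholder domain `olddomain.example` (all samples are made up for illustration). IMAP `LOGIN` and POP3 `USER` send the address in clear text and match; SMTP `AUTH PLAIN` (and IMAP `AUTHENTICATE PLAIN`) send it base64-encoded, so the bytes on the wire never contain the domain and the rule lets the attempt through to the mail server, which is what the script shows. Two further points the example reflects: the string match is case-sensitive unless `--icase` is added, and on the TLS ports (993, 995, 465, 443) the payload is encrypted, so the rule can never match there at all.

```shell
#!/bin/sh
# Added example, not code from the forum post: what `iptables -m string`
# can and cannot see in a mail login.  All payloads below are constructed
# samples; "olddomain.example" stands in for the domain no longer hosted here.

NEEDLE="olddomain.example"

# Mimic `-m string --algo bm --icase --string "$2"` on one TCP payload:
# a raw, case-insensitive byte search with no protocol awareness.
# (Without --icase the real iptables rule is case-sensitive.)
raw_match() {
    printf '%s' "$1" | grep -qiF -- "$2"
}

# What the mail server sees for the same payload: the login name after the
# protocol's own decoding.  IMAP LOGIN and POP3 USER carry it in clear text;
# SMTP AUTH PLAIN (and IMAP AUTHENTICATE PLAIN) carry base64("\0user\0pass"),
# so the bytes on the wire never contain the domain.
login_identity() {
    payload=$1
    case $payload in
        *" LOGIN "*)
            # a1 LOGIN "user@olddomain.example" "pw"  ->  user@olddomain.example
            printf '%s' "$payload" |
                sed -n 's/^[^ ]* LOGIN "\{0,1\}\([^" ]*\)"\{0,1\} .*/\1/p' ;;
        "USER "*)
            printf '%s' "${payload#USER }" ;;
        "AUTH PLAIN "*)
            # decode, split on NUL, take the authcid field (second line)
            printf '%s' "${payload#AUTH PLAIN }" | base64 -d | tr '\000' '\n' | sed -n '2p' ;;
        *)
            return 1 ;;
    esac
}

# 0 when the firewall rule would reset this connection, 1 when it passes through.
firewall_would_block() {
    raw_match "$1" "$NEEDLE"
}

# 0 when the mail server would receive a login for the unwanted domain.
server_would_see() {
    id=$(login_identity "$1") || return 1
    case $id in
        *"@$NEEDLE") return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample logins, one line each, as a client would send them on
# the plaintext ports (110, 143, and 25/587 before STARTTLS).
IMAP_LOGIN='a1 LOGIN "user@olddomain.example" "hunter2"'
POP3_USER='USER user@olddomain.example'
SMTP_AUTH_PLAIN="AUTH PLAIN $(printf '\000user@olddomain.example\000hunter2' | base64 | tr -d '\n')"

show() {  # label payload
    if firewall_would_block "$2"; then fw=REJECT; else fw=pass; fi
    if server_would_see "$2";    then srv=yes;    else srv=no;   fi
    printf '%-16s string-match=%-7s login-for-domain=%s\n' "$1" "$fw" "$srv"
}

show "IMAP LOGIN"      "$IMAP_LOGIN"
show "POP3 USER"       "$POP3_USER"
show "SMTP AUTH PLAIN" "$SMTP_AUTH_PLAIN"
```

Run it with `sh` and it prints one line per login type; the SMTP line is the one where the firewall passes the attempt although the server would see a login for the unwanted domain. The practical consequence is that the rule stops the clear-text IMAP/POP3 noise LFD was reporting, but anything arriving over TLS or base64 SASL still has to be handled at the mail server or by log-based blocking.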
 

Thanks!!
 
Just to say thank you again! It worked! After years of this, you saved me =)
 

Hi again Peter, now they are trying with different usernames, but common ones, for example test@.. admin@.. We don't have any of these email addresses. Is it possible to block the user "string" instead of the domain? I already tried changing the domain to the user strings, but they can still try.

Thanks in advance
 

Hello @Peter Debik, your solution works for some time; after some hours or days it stops working and I need to create the rule again. I guess some cron job is deleting it from iptables or something. I ran the iptables-save command, but it still gets deleted after a while.

I'm using CSF and the Juggernaut extension

Thanks in advance
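As an added example for the two follow-up questions above, the one about a rule that keeps vanishing under CSF and the earlier one about narrowing what gets matched (this is not code from the thread, and not part of CSF, Juggernaut or Plesk): CSF flushes and rebuilds its iptables chains on every restart or reload (`csf -r`, and the reloads LFD triggers), which is what removes a rule that was inserted by hand, and `iptables-save` on its own does not survive that either. CSF re-runs `/etc/csf/csfpost.sh` after each rebuild (the hook path is an assumption to check against your install; older layouts use `/usr/local/csf/bin/csfpost.sh`). The script below is written to be called from that hook: it checks with `iptables -C` before inserting, so repeated runs do not stack duplicates; it restricts the match to the plaintext mail ports, dropping 993/995 where the payload is encrypted and the web and panel ports where a short string such as `admin@` would hit unrelated traffic; and it adds `--icase`. The domain `olddomain.example` and the script location are placeholders; `IPTABLES` is a variable so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread and not part of CSF, Juggernaut or
# Plesk: an idempotent installer for the domain string-match rule, written
# to be called from CSF's post-rules hook.  CSF rebuilds its chains on every
# restart/reload, which removes hand-inserted rules; anything run from
# /etc/csf/csfpost.sh (hook path assumed, check your install) is re-applied
# after that rebuild.  "olddomain.example" is a placeholder domain.

# The iptables binary is a variable so the functions can be exercised as a
# non-root user with a logging stand-in (see the usage comment at the end).
: "${IPTABLES:=iptables}"

# Plaintext/STARTTLS mail ports only.  993, 995 and 465 are TLS from the
# first byte, so a payload string match can never fire there, and the web
# and panel ports are left alone so the rule cannot touch unrelated traffic.
MAIL_PORTS="25 587 110 143"

# Comma-separated, de-duplicated port list for --dports.
port_list() {
    # shellcheck disable=SC2086  # word splitting of the port list is intentional
    printf '%s\n' $1 |
        awk '!seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 } END { print "" }'
}

# The rule body shared by -C (check) and -I (insert): TCP to the mail ports,
# case-insensitive match on the domain, TCP reset so the client gives up at
# once and the login never reaches Dovecot/Postfix (so LFD has nothing to log).
rule_args() {  # domain
    echo "INPUT -p tcp -m multiport --dports $(port_list "$MAIL_PORTS") \
-m string --algo bm --icase --string $1 -j REJECT --reject-with tcp-reset"
}

# Insert the rule at the top of INPUT only if it is not already there, so the
# hook can run on every CSF reload without stacking duplicates.
# Returns 0 when inserted, 2 when it was already present.
install_domain_block() {  # domain
    args=$(rule_args "$1")
    # shellcheck disable=SC2086  # word splitting of $args is intentional
    if "$IPTABLES" -C $args 2>/dev/null; then
        return 2
    fi
    "$IPTABLES" -I $args
}

# Usage from /etc/csf/csfpost.sh (assumed path), one rule per domain:
#     sh /root/block-domain-logins.sh olddomain.example
# (/root/block-domain-logins.sh is a hypothetical location for this file.)
if [ $# -gt 0 ]; then
    for domain; do
        install_domain_block "$domain" || [ $? -eq 2 ]
    done
fi
```

After a `csf -r` you can confirm the rule is back at the top of the chain with `iptables -L INPUT -n -v --line-numbers | head`; the packet counter on that line is also the quickest way to see whether the attempts are actually hitting it.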
 