Resolved How to ignore POP3/IMAP login attempts for a non existent domain in my server?

[ChrisMonder]

Hi all,

I have a kind of annoying problem, in the past, my main server IP belong to a very known domain website, they move their website/email server to a new IP range and I got their IP assigned (didn't know about this when I received them).

I have more than 500 daily attempts to login with a email user of that "domain" the one who is not longer hosted in my server/IP, and I guess they brute force uses the old relation between IP & domain to connect, so, every day, my server is handling this attempts, and LFD blocks the attacker IP for some time and I get the email each time this happens (I have configured that way for other reasons).

Does anyone knows how to at the start (or before) of the attempt ignore, block or something when the user trying to sign in, when the user is of that domain? Ex. [email protected] (domain.com is not in my server).

I appreciate any advise!

 

[ChrisMonder]

Anyone?

 

[Monty]

The only way I can think of: Collect all IP addresses that try to log in with those invalid accounts and permanently ban them in your firewall configuration.

 

[Bitpalast]

You could block the domain name in iptables either for all ports or a specific selection of ports, for example

# iptables -I INPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I FORWARD 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I OUTPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

(instead of the placeholder DOMAIN.TLD enter the domain that you want to block.)

The Example will block all common traffic, but you could reduce the ports to the mail ports as required.

 

[ChrisMonder]

You could block the domain name in iptables either for all ports or a specific selection of ports, for example

# iptables -I INPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I FORWARD 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I OUTPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

(instead of the placeholder DOMAIN.TLD enter the domain that you want to block.)

The Example will block all common traffic, but you could reduce the ports to the mail ports as required.

Thanks!!

 

[ChrisMonder]

You could block the domain name in iptables either for all ports or a specific selection of ports, for example

# iptables -I INPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I FORWARD 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I OUTPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

(instead of the placeholder DOMAIN.TLD enter the domain that you want to block.)

The Example will block all common traffic, but you could reduce the ports to the mail ports as required.

Just to say Thank You again! It worked! After years of this, you save me =)

 

[ChrisMonder]

You could block the domain name in iptables either for all ports or a specific selection of ports, for example

# iptables -I INPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I FORWARD 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I OUTPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

(instead of the placeholder DOMAIN.TLD enter the domain that you want to block.)

The Example will block all common traffic, but you could reduce the ports to the mail ports as required.

Hi again Peter, now they are trying with different usernames, but common ones, for example test@.. admin@.. we don't have any of these email addresses, it's possible to block instead the domain, the user "string"? I already tried changing the domain to the user strings, but they still can try.

Thanks in advance

 

[ChrisMonder]

You could block the domain name in iptables either for all ports or a specific selection of ports, for example

# iptables -I INPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I FORWARD 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I OUTPUT 1 -p tcp -m multiport --dports 25,993,995,143,993,80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

(instead of the placeholder DOMAIN.TLD enter the domain that you want to block.)

The Example will block all common traffic, but you could reduce the ports to the mail ports as required.

Hello @Peter Debik your solution works for a X time, after some hours or days, then stop working and again I need to create the rule, I guess some CRON is deleting it from Iptables or something, I did the iptables-save command, but still deletes it after X time.

I´m using CSF and Juggernauth extension

Thanks in advance