
Question How to prevent these mail attacks?

stefan-franz

Basic Pleskian
Hello,
What can I do to block these attempts? On my server only Nextcloud runs - no mail service (only the messages from Plesk to me about problems or updates should work).

Here are some lines of the syslog file - and it goes on and on.....

Dec 17 07:41:09 h2937523 plesk_saslauthd[6415]: privileges set to (107:113) (effective 107:113)
Dec 17 07:41:09 h2937523 plesk_saslauthd[6415]: failed mail authentication attempt for user 'elisa' (password len=9)
Dec 17 07:41:09 h2937523 postfix/smtpd[6398]: warning: unknown[2.56.57.170]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:41:09 h2937523 postfix/smtpd[6398]: disconnect from unknown[2.56.57.170] ehlo=1 auth=0/1 quit=1 commands=2/3
Dec 17 07:41:39 h2937523 plesk_saslauthd[6415]: select timeout, exiting
Dec 17 07:42:33 h2937523 postfix/smtpd[6398]: connect from unknown[141.98.10.220]
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: privileges set to (107:113) (effective 107:113)
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: failed mail authentication attempt for user 'test1' (password len=7)
Dec 17 07:42:34 h2937523 postfix/smtpd[6398]: warning: unknown[141.98.10.220]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:42:34 h2937523 postfix/smtpd[6398]: disconnect from unknown[141.98.10.220] ehlo=1 auth=0/1 quit=1 commands=2/3
Dec 17 07:43:03 h2937523 plesk_saslauthd[6421]: select timeout, exiting
 
It should be mentioned: if you use mail services on some domains, then use Fail2Ban (as mentioned above) and disable the mail service for all domains which are not using it.
 
I have only a Nextcloud running on my V-Server. Nothing else.
Can I block other things to make maximum sense for attacks? I think with the POP3, SMTP and IMAP rules I closed the e-mail access... am I right?
 

Attachments

  • Plesk Firewall Regeln.jpg
As I'm not very familiar with the Plesk firewall, I can only speak in general.
SMTP, POP3 and IMAP are the ports for mail, correct. You had better block the ports given by @Monty above, as there may be some not connected to the service names.
I'm not really sure, but I think the 3rd line from the bottom in your screenshot opens ALL ports on your system (blacklist principle). For security reasons, you should rather block all connections and allow only the needed ones. But maybe another user here knows it in detail; maybe I'm wrong and the firewall there is set up correctly. So better wait to see if someone confirms my thought, as you can easily lock yourself out of your own system.
 
I have only a Nextcloud running on my V-Server. Nothing else.
Can I block other things to make maximum sense for attacks? I think with the POP3, SMTP and IMAP rules I closed the e-mail access... am I right?

Yes that looks ok. You may want to close DHCP, PostgreSQL, Passwortänderungsdienst and Samba too, if you don't need those services.
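
Added example, not part of any post in this thread: a small Python script that reads syslog lines in the format quoted in the question, pairs each plesk_saslauthd failure with the postfix/smtpd warning that follows it, and reports failed SASL logins per source address. The function names and the `max_retry` / `find_time` thresholds are assumptions chosen for illustration; the sample lines are copied from the excerpt in the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines copied from the syslog excerpt quoted in the question.
SAMPLE_LOG = """\
Dec 17 07:41:09 h2937523 plesk_saslauthd[6415]: failed mail authentication attempt for user 'elisa' (password len=9)
Dec 17 07:41:09 h2937523 postfix/smtpd[6398]: warning: unknown[2.56.57.170]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:42:33 h2937523 postfix/smtpd[6398]: connect from unknown[141.98.10.220]
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: failed mail authentication attempt for user 'test1' (password len=7)
Dec 17 07:42:34 h2937523 postfix/smtpd[6398]: warning: unknown[141.98.10.220]: SASL LOGIN authentication failed: authentication failure
"""

TS = r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s"
USER_RE = re.compile(TS + r"plesk_saslauthd\[\d+\]: failed mail authentication attempt for user '(?P<user>[^']*)'")
FAIL_RE = re.compile(TS + r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")

def parse_ts(text):  # syslog timestamps carry no year; a fixed one suffices for windowing
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")

def summarize(log_text):
    """Return {ip: {"times": [datetime, ...], "users": set()}} for failed SASL logins."""
    hits = defaultdict(lambda: {"times": [], "users": set()})
    pending_user = None  # username from the saslauthd line preceding the smtpd warning
    for line in log_text.splitlines():
        if (m := USER_RE.match(line)):
            pending_user = m["user"]
        elif (m := FAIL_RE.match(line)):
            entry = hits[m["ip"]]
            entry["times"].append(parse_ts(m["ts"]))
            if pending_user is not None:
                entry["users"].add(pending_user)
            pending_user = None
    return dict(hits)

def offenders(hits, max_retry=5, find_time=timedelta(minutes=10)):
    """Addresses with at least max_retry failures inside any find_time window (assumed thresholds)."""
    flagged = []
    for ip, entry in hits.items():
        times = sorted(entry["times"])
        for i in range(len(times) - max_retry + 1):
            if times[i + max_retry - 1] - times[i] <= find_time:
                flagged.append(ip)
                break
    return flagged

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, len(entry["times"]), sorted(entry["users"]))
```

In the copied lines every address fails exactly once and with a different username, so a per-address threshold above 1 flags nothing for this excerpt.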
 