
Question: How to prevent these mail attacks?

stefan-franz

Basic Pleskian
Hello,
what can I do to block these attempts? On my server only Nextcloud runs, no mail service (only the messages from Plesk to me about problems or updates should work).

Here are some lines of the syslog file, and it goes on and on.....

Dec 17 07:41:09 h2937523 plesk_saslauthd[6415]: privileges set to (107:113) (effective 107:113)
Dec 17 07:41:09 h2937523 plesk_saslauthd[6415]: failed mail authentication attempt for user 'elisa' (password len=9)
Dec 17 07:41:09 h2937523 postfix/smtpd[6398]: warning: unknown[2.56.57.170]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:41:09 h2937523 postfix/smtpd[6398]: disconnect from unknown[2.56.57.170] ehlo=1 auth=0/1 quit=1 commands=2/3
Dec 17 07:41:39 h2937523 plesk_saslauthd[6415]: select timeout, exiting
Dec 17 07:42:33 h2937523 postfix/smtpd[6398]: connect from unknown[141.98.10.220]
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: privileges set to (107:113) (effective 107:113)
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: failed mail authentication attempt for user 'test1' (password len=7)
Dec 17 07:42:34 h2937523 postfix/smtpd[6398]: warning: unknown[141.98.10.220]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:42:34 h2937523 postfix/smtpd[6398]: disconnect from unknown[141.98.10.220] ehlo=1 auth=0/1 quit=1 commands=2/3
Dec 17 07:43:03 h2937523 plesk_saslauthd[6421]: select timeout, exiting
 
It should be mentioned: if you use mail services on some domains, then use Fail2Ban (as mentioned above) and disable the mail service for all domains which are not using it.
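The detection that Fail2Ban applies to the log lines in the first post, as an added example that is not part of the thread and not Fail2Ban's own code: a POSIX shell function that reads syslog text, takes the client IP from each postfix/smtpd "SASL LOGIN authentication failed" line (the plesk_saslauthd lines carry the user name but not the IP), and reports the IPs that reach MAXRETRY failures within a FINDTIME-second window, which is what Fail2Ban's maxretry and findtime settings express. The sample log is constructed from the two failures shown above plus extra lines; the extra IPs, times and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Fail2Ban-style counting of failed
# SASL logins per client IP in a syslog excerpt.

# Constructed sample: the two real failures from the post plus extra lines
# so that one host crosses the threshold and another stays below it.
SAMPLE_LOG='Dec 17 07:41:09 h2937523 postfix/smtpd[6398]: warning: unknown[2.56.57.170]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:41:09 h2937523 postfix/smtpd[6398]: disconnect from unknown[2.56.57.170] ehlo=1 auth=0/1 quit=1 commands=2/3
Dec 17 07:42:34 h2937523 postfix/smtpd[6398]: warning: unknown[141.98.10.220]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:43:10 h2937523 postfix/smtpd[6401]: warning: unknown[141.98.10.220]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:44:02 h2937523 postfix/smtpd[6403]: warning: unknown[141.98.10.220]: SASL LOGIN authentication failed: authentication failure
Dec 17 08:30:15 h2937523 postfix/smtpd[6500]: warning: unknown[2.56.57.170]: SASL LOGIN authentication failed: authentication failure
Dec 17 08:31:20 h2937523 postfix/smtpd[6501]: warning: unknown[2.56.57.170]: SASL LOGIN authentication failed: authentication failure'

# sasl_offenders MAXRETRY FINDTIME < logfile
# Prints each client IP that reached MAXRETRY failed SASL logins inside some
# FINDTIME-second window, once per IP, in the order they crossed the line.
# Timestamps are reduced to seconds of the day (assumption: the excerpt does
# not cross midnight; syslog lines carry no year, and Fail2Ban does its own
# date handling). IPv6 clients appear as "IPv6:..." and are kept as such.
sasl_offenders() {
    awk -v maxretry="$1" -v findtime="$2" '
    /SASL LOGIN authentication failed/ {
        # $3 is HH:MM:SS; $7 is "unknown[IP]:" on a postfix/smtpd line
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        ip = $7
        sub(/^.*\[/, "", ip)
        sub(/\].*$/, "", ip)
        n = ++count[ip]
        ts[ip, n] = now
        # failures from this IP that fall inside the sliding window
        hits = 0
        for (i = 1; i <= n; i++)
            if (now - ts[ip, i] <= findtime) hits++
        if (hits >= maxretry && !(ip in banned)) {
            banned[ip] = 1
            print ip
        }
    }'
}

# Demo on the constructed sample with maxretry=3, findtime=600:
# only 141.98.10.220 qualifies; 2.56.57.170 never has 3 failures in 10 minutes.
printf '%s\n' "$SAMPLE_LOG" | sasl_offenders 3 600
```

Against a real host run it as sasl_offenders 5 600 < /var/log/maillog (log path and thresholds assumed). The output is the set of IPs a Fail2Ban jail watching the same pattern would ban, so comparing it with fail2ban-client status for the Postfix jail is a quick check that the jail's filter regex and thresholds match what the log actually shows.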
 
I have only a Nextcloud running on my V-Server. Nothing else.
Can I block other things to make maximum sense against attacks? I think with the POP3, SMTP and IMAP rules I closed the e-mail access... am I right?
 

Attachments

  • Plesk Firewall Regeln.jpg (137.4 KB)
As I'm not very familiar with the Plesk firewall, I can only speak in general.
SMTP, POP3 and IMAP are the ports for mail, correct. You had better block the ports given by @Monty above, as there may be some not connected to the service names.
I'm not really sure, but I think the 3rd line from the bottom in your screenshot opens ALL ports on your system (blacklist principle). For security reasons, you had better block all connections and allow only the needed ones. But maybe another user here knows it in detail; maybe I'm wrong and the firewall there is set up correctly. So better wait for someone to confirm my thought, as you can easily lock yourself out of your own system.
 
I have only a Nextcloud running on my V-Server. Nothing else.
Can I block other things to make maximum sense against attacks? I think with the POP3, SMTP and IMAP rules I closed the e-mail access... am I right?

Yes, that looks ok. You may want to close DHCP, PostgreSQL, the password change service (Passwortänderungsdienst) and Samba too, if you don't need those services.
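The allow-list layout recommended two replies above (block everything, open only what is needed) and the closing of unused services in the last reply, written out as an added example that is not part of the thread and not Plesk's firewall extension: a POSIX shell function that emits an nftables ruleset for a host running only Nextcloud under Plesk, plus a small check that reads a ruleset (the generated one, or the text of nft list ruleset on a live box) and reports the input chain's default policy, which is how you tell the allow-list shape from the blacklist shape the reply warns about. The open ports (22, 80, 443 and the Plesk panel on 8443/8880), the optional SSH source CIDR and the chain layout are assumptions; the mail, DHCP, PostgreSQL and Samba ports from the thread are closed simply because nothing opens them.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny nftables ruleset for a
# Nextcloud-only Plesk host, and a check for the input chain's policy.
#
# Blacklist shape the reply warns about: a chain that accepts by default and
# only drops a few mail ports, so anything not listed (PostgreSQL 5432,
# Samba 445, DHCP 67/68, ...) stays reachable:
#
#   chain input { type filter hook input priority 0; policy accept;
#                 tcp dport { 25, 110, 143, 465, 587, 993, 995 } drop }
#
# Allow-list shape, generated below: policy drop, explicit accepts only.
# Outbound mail from Plesk's own notifications is unaffected because the
# output chain still accepts.

# nextcloud_ruleset [SSH_SOURCE_CIDR]
# Prints the ruleset; with a CIDR argument, SSH is only reachable from there.
nextcloud_ruleset() {
    ssh_from="$1"
    if [ -n "$ssh_from" ]; then
        ssh_rule="ip saddr $ssh_from tcp dport 22 accept"
    else
        ssh_rule="tcp dport 22 accept"
    fi
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        $ssh_rule
        tcp dport { 80, 443 } accept
        tcp dport { 8443, 8880 } accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# input_policy < ruleset
# Prints the default policy of the chain hooked on input: "drop" for the
# allow-list shape, "accept" for the blacklist shape. The "hook input" and
# "policy" keywords share a line both here and in "nft list ruleset" output.
input_policy() {
    awk '/hook input/ {
        if (match($0, /policy [a-z]+/)) {
            print substr($0, RSTART + 7, RLENGTH - 7)
            exit
        }
    }'
}

# Stand-alone: print the ruleset (pass a CIDR to restrict SSH).
nextcloud_ruleset "$@"
```

Check the syntax before touching a live box with nextcloud_ruleset 203.0.113.0/24 | nft -c -f - and, on a host whose rules you did not write, with nft list ruleset | input_policy. Because Plesk's firewall extension manages the host's rules itself, use this for review or on a host managed outside Plesk rather than loading it beside Plesk's rules, and keep a second SSH session open while changing a default-deny ruleset, since, as the reply says, one wrong line locks you out.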
 