
Question: How to prevent these mail attacks?

stefan-franz

Basic Pleskian
Hello,
What can I do to block these attempts? On my server only Nextcloud runs - no mail service (only the messages from Plesk to me about problems or updates should work).

Here are some lines of the syslog file - and it goes on and on.....

Dec 17 07:41:09 h2937523 plesk_saslauthd[6415]: privileges set to (107:113) (effective 107:113)
Dec 17 07:41:09 h2937523 plesk_saslauthd[6415]: failed mail authentication attempt for user 'elisa' (password len=9)
Dec 17 07:41:09 h2937523 postfix/smtpd[6398]: warning: unknown[2.56.57.170]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:41:09 h2937523 postfix/smtpd[6398]: disconnect from unknown[2.56.57.170] ehlo=1 auth=0/1 quit=1 commands=2/3
Dec 17 07:41:39 h2937523 plesk_saslauthd[6415]: select timeout, exiting
Dec 17 07:42:33 h2937523 postfix/smtpd[6398]: connect from unknown[141.98.10.220]
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: privileges set to (107:113) (effective 107:113)
Dec 17 07:42:34 h2937523 plesk_saslauthd[6421]: failed mail authentication attempt for user 'test1' (password len=7)
Dec 17 07:42:34 h2937523 postfix/smtpd[6398]: warning: unknown[141.98.10.220]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:42:34 h2937523 postfix/smtpd[6398]: disconnect from unknown[141.98.10.220] ehlo=1 auth=0/1 quit=1 commands=2/3
Dec 17 07:43:03 h2937523 plesk_saslauthd[6421]: select timeout, exiting
 
It should be mentioned that if you use mail services on some domains, then use Fail2Ban (like mentioned above) and disable mail service for all domains which are not using it.
 
I have only a Nextcloud running on my V-Server. Nothing else.
Can I block other things to make maximum sense for attacks? I think with POP3, SMTP and IMAP rules I closed the e-mail access... am I right?
 

Attachment: Plesk Firewall Regeln.jpg

As I'm not very familiar with the Plesk firewall, I can only speak in general.
SMTP, POP3 and IMAP are the ports for mail, correct. You had better block the ports given by @Monty above, as there may be some not connected to the service names.
I'm not really sure, but I think the 3rd line from the bottom in your screenshot opens ALL ports on your system (blacklist principle). For security reasons, you should rather block all connections and allow only the needed ones. But maybe another user here knows it in detail; maybe I'm wrong and the firewall there is set up correctly. So better wait to see if someone proves my thought; you can easily lock yourself out of your own system.
 
I have only a Nextcloud running on my V-Server. Nothing else.
Can I block other things to make maximum sense for attacks? I think with POP3, SMTP and IMAP rules I closed the e-mail access... am I right?

Yes, that looks OK. You may want to close DHCP, PostgreSQL, Passwortänderungsdienst and Samba too, if you don't need those services.
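
The failed SASL logins in the syslog excerpt from the question are the events a Fail2Ban jail counts per source address. As an added example (not posted by anyone in this thread, and not Fail2Ban's own code), this Python script applies the same maxretry/findtime idea to constructed log lines; the hostname, addresses, year and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the Postfix lines quoted in the question
# (documentation-range addresses, hypothetical hostname "host1").
SAMPLE = """\
Dec 17 07:41:09 host1 postfix/smtpd[6398]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:41:09 host1 postfix/smtpd[6398]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 quit=1 commands=2/3
Dec 17 07:42:34 host1 postfix/smtpd[6398]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:43:50 host1 postfix/smtpd[6401]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Dec 17 07:46:02 host1 postfix/smtpd[6404]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Dec 17 08:30:00 host1 postfix/smtpd[6410]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Dec 17 08:50:00 host1 postfix/smtpd[6411]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

# Matches only the smtpd warning line; the client address is in the brackets.
FAILED = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[\d+\]:\swarning:\s"
    r"\S+\[([0-9A-Fa-f.:]+)\]:\sSASL\s\S+\sauthentication failed"
)

def offenders(lines, maxretry=3, findtime=600, year=2024):
    """Map each IP to the time it reached maxretry failures within findtime seconds."""
    window = defaultdict(deque)   # recent failure times per IP
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed for parsing.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        recent = window[ip]
        recent.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - recent[0] > timedelta(seconds=findtime):
            recent.popleft()
        if len(recent) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE.splitlines()).items():
        print(f"{ip} reached the threshold at {when:%b %d %H:%M:%S}")
```

A source that spaces its attempts further apart than findtime, like the second address in the sample, stays under the threshold, which is why closing the unused mail ports in the firewall matters more than banning on a server that offers no mail service.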
 