
Issue I am under SMTP attack

Jimlee3

Basic Pleskian
I checked my maillog today and saw a lot of "SASL LOGIN authentication failed: authentication failure" messages. It appears that I am under an SMTP brute-force attack. Fail2ban is enabled, yet the same person tried to log in many times. Any ideas how to avoid this?
 
Hi Jimlee3,

Fail2ban is enabled, yet the same person tried to log in many times. Any ideas how to avoid this?
If you experience issues with fail2ban not blocking intruders, consider posting the fail2ban log and its corresponding fail2ban configurations (jails) for mail filters and actions. Be aware that you might set the allowed attempts to a lower level and consider using an additional "recidive" jail to ban repeat offenders for a longer time.
 
Hi Jimlee3,


If you experience issues with fail2ban not blocking intruders, consider posting the fail2ban log and its corresponding fail2ban configurations (jails) for mail filters and actions. Be aware that you might set the allowed attempts to a lower level and consider using an additional "recidive" jail to ban repeat offenders for a longer time.

The problem is that the IP is changing every single time. I have enabled plesk-postfix, reduced the login attempts to 1 and increased the time, but I am still under attack.
Is there any way I can disable SMTP remote access so people are unable to connect to SMTP remotely?
 
Hi Jimlee3,

Is there any way I can disable SMTP remote access so people are unable to connect to SMTP remotely?
You could find the answer to your question in your very own thread: => https://talk.plesk.com/threads/is-there-an-smtp-restrictions-in-plesk.340332/


To check whether a Fail2Ban jail will fit your current configuration (and ban existing scripts/bots/intruders), you could use, for example, the following SSH command (logged in as user "root"):

Code:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf --print-all-matched
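
The situation described in this thread, where every failed login arrives from a different address, as an added example that is not part of the original posts: it counts failed SASL logins per address and per enclosing network, to show why a per-address retry limit can miss a rotating source. The sample log lines are constructed, and the /24 and /64 grouping is an assumption made for triage, not something fail2ban does.

```python
import ipaddress
import re
from collections import Counter

# Failed SASL login as Postfix smtpd logs it (also on the submission service).
FAILED = re.compile(
    r"postfix/[\w/]+\[\d+\]: warning: \S+\[(?P<ip>[0-9A-Fa-f:.]+)\]: "
    r"SASL \S+ authentication failed")

# Constructed sample lines using documentation address ranges, not real log data.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:15:09 mail postfix/smtpd[2101]: warning: unknown[203.0.113.77]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:15:20 mail postfix/smtpd[2104]: warning: unknown[203.0.113.140]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:15:31 mail postfix/smtpd[2104]: warning: unknown[203.0.113.201]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:16:02 mail postfix/submission/smtpd[2110]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:16:05 mail postfix/submission/smtpd[2110]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:16:08 mail postfix/submission/smtpd[2110]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:17:00 mail postfix/smtpd[2120]: connect from unknown[192.0.2.10]
"""

def failed_sources(lines):
    """Yield the client address of every failed SASL login line."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            try:
                yield ipaddress.ip_address(m.group("ip"))
            except ValueError:
                pass  # skip a malformed address in the log line

def summarize(lines, v4_prefix=24, v6_prefix=64):
    """Count failures per address and per network (prefix sizes are assumptions)."""
    per_ip, per_net = Counter(), Counter()
    for ip in failed_sources(lines):
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_ip[str(ip)] += 1
        per_net[str(net)] += 1
    return per_ip, per_net

def reaching(counter, maxretry):
    """Sorted keys whose failure count reaches maxretry."""
    return sorted(k for k, n in counter.items() if n >= maxretry)

if __name__ == "__main__":
    per_ip, per_net = summarize(SAMPLE_LOG.splitlines())
    print("per-IP at maxretry=3:", reaching(per_ip, 3))
    print("per-network at maxretry=3:", reaching(per_net, 3))
```

To run it against a real log, pass an open file object for the maillog to `summarize()` instead of the sample lines.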
 