
Mailbox search attempts flood my logs

Franco

Regular Pleskian
Hello,
on my VPS maillog I see all sorts of hacking attempts of the kind:

plesk_saslauthd[4978]: No such user '[email protected]' in mail authorization database
plesk_saslauthd[4978]: failed mail authenticatication attempt for user '[email protected]' (password len=11)

or it can be test@ or service@, etc.

I hardly run any mail service on my VPS and I don't want to be flooded with such attempts for nonexisting mailboxes and users. How can I stop or prevent them?
I run fail2ban with various jails including dovecot and others, or shall I intervene at the firewall level?
Any help, please?
Franco
 
I have the plesk sasl jail already enabled with:
[postfix-sasl]
enabled = true
maxretry = 4

but no IP addresses currently banned on that. Or is it another kind of jail I should use?
 
@Franco

If you go to "Jails > Manage Filters > postfix-sasl" and inspect the regexp, then you should be aware that your regexp "failed mail authenticatication attempt for user" will not match.

A little bit of adjustment would allow Fail2Ban to actually ban some IPs.

Regards....
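Added example, not code from the thread, from Plesk or from Fail2Ban: a Python check in the spirit of fail2ban-regex that expands the <HOST> placeholder, runs a stock-style postfix-sasl pattern and an adjusted plesk_saslauthd pattern over constructed maillog lines, and counts failures per host against maxretry = 4. The IPv4-only <HOST> expansion and the "from [host]" address field in the sample lines are assumptions; the plesk_saslauthd lines quoted above do not show where the client address is logged, so the pattern must be adapted to the real maillog format.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> placeholder into a group matching an IP or hostname.
# Simplified IPv4-only stand-in for that expansion (an assumption of this example).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> and compile, the way fail2ban-regex does before testing a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

# Pattern in the style of the stock postfix-sasl filter: it expects postfix/smtpd's
# "SASL ... authentication failed" wording and so never fires on plesk_saslauthd lines.
STOCK_FAILREGEX = r"warning: [-._\w]+\[<HOST>\]: SASL \w+ authentication failed"

# Adjusted pattern for the plesk_saslauthd message from the thread (typo included,
# because the regex has to match what the daemon really writes). The "from [host]"
# field is an assumption: the quoted lines do not show where the client address is
# logged, so match your own maillog format here.
PLESK_FAILREGEX = (r"plesk_saslauthd\[\d+\]: failed mail authenticatication attempt "
                   r"for user '[^']*' from \[<HOST>\]")

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jun 10 08:01:02 vps postfix/smtpd[2201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun 10 08:01:03 vps plesk_saslauthd[4978]: No such user 'admin@example.com' in mail authorization database
Jun 10 08:01:03 vps plesk_saslauthd[4978]: failed mail authenticatication attempt for user 'admin@example.com' from [198.51.100.7] (password len=11)
Jun 10 08:01:09 vps plesk_saslauthd[4978]: failed mail authenticatication attempt for user 'test@example.com' from [198.51.100.7] (password len=8)
Jun 10 08:01:15 vps plesk_saslauthd[4978]: failed mail authenticatication attempt for user 'service@example.com' from [198.51.100.7] (password len=12)
Jun 10 08:01:20 vps plesk_saslauthd[4978]: failed mail authenticatication attempt for user 'info@example.com' from [198.51.100.7] (password len=9)
Jun 10 08:02:00 vps plesk_saslauthd[4978]: failed mail authenticatication attempt for user 'admin@example.com' from [192.0.2.44] (password len=11)
"""

def failures_per_host(log: str, failregex: str) -> Counter:
    """Count matching lines per <HOST>, as a jail does before comparing with maxretry."""
    rx = compile_failregex(failregex)
    return Counter(m.group("host") for m in map(rx.search, log.splitlines()) if m)

def hosts_to_ban(log: str, failregex: str, maxretry: int = 4) -> list:
    """Hosts whose failure count reaches maxretry (the jail above uses maxretry = 4)."""
    return sorted(h for h, n in failures_per_host(log, failregex).items() if n >= maxretry)

if __name__ == "__main__":
    print("stock  :", dict(failures_per_host(SAMPLE_LOG, STOCK_FAILREGEX)))  # only the smtpd line
    print("plesk  :", dict(failures_per_host(SAMPLE_LOG, PLESK_FAILREGEX)))
    print("banned :", hosts_to_ban(SAMPLE_LOG, PLESK_FAILREGEX))
```

With the stock-style pattern no plesk_saslauthd line matches at all, which is why the jail was enabled yet banned nothing; with the adjusted pattern the repeating host reaches maxretry.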
 
Hi Trialotto, thanks a lot for that, hopefully I fixed it by now. And I realized a few other jails did not have an action in place...
 
@Franco,

No problem, thanks for the thanks.

By the way, I am working on some improvements for Fail2Ban: one new jail (with a specific action), some new settings and some (much desired) added functionality.

Feel free to contribute, just start a conversation if you want to do that.

Anyway, remind me to keep you posted about the aforementioned improvements.

Regards....
 