
Mailbox search attempts flood my logs

Franco

Regular Pleskian
Hello,
on my VPS maillog I see all sorts of hacking attempts of the kind:

plesk_saslauthd[4978]: No such user '[email protected]' in mail authorization database
plesk_saslauthd[4978]: failed mail authenticatication attempt for user '[email protected]' (password len=11)

or it can be test@ or service@, etc.

I hardly run any mail service on my VPS and I don't want to be flooded with such attempts for nonexisting mailboxes and users. How can I stop or prevent them?
I run fail2ban with various jails including dovecot and others, or shall I intervene at the firewall level?
Any help, please?
Franco
 
I have the plesk sasl jail already enabled with:
[postfix-sasl]
enabled = true
maxretry = 4

but no IP addresses currently banned on that. Or is it another kind of jail I should use?
 
@Franco

If you go to "Jails > Manage Filters > postfix-sasl" and inspect the regexp, then you should be aware that your regexp "failed mail authenticatication attempt for user" will not match.

A little bit of adjustment would allow Fail2Ban to actually ban some IPs.

Regards....
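
Added example (not part of the thread, and not the filter Plesk ships): a small Python check of which log lines a candidate failregex matches and whether it captures a client address, which a jail needs before it can ban anything. The candidate patterns, the `HOST` stand-in for fail2ban's `<HOST>` tag, the placeholder user and the Postfix line are all constructed assumptions.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption for this sketch).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines. The first two follow the plesk_saslauthd format quoted
# in the thread (placeholder user); the third is a constructed Postfix smtpd
# warning using a documentation-range address.
SAMPLE_LOG = [
    "plesk_saslauthd[4978]: No such user 'user@example.test' in mail authorization database",
    "plesk_saslauthd[4978]: failed mail authenticatication attempt for user "
    "'user@example.test' (password len=11)",
    "postfix/smtpd[5012]: warning: unknown[203.0.113.7]: SASL LOGIN "
    "authentication failed: authentication failure",
]

# Hypothetical candidate patterns, not taken from any shipped filter file.
CANDIDATES = {
    # Log text copied verbatim, including the daemon's own misspelling.
    "saslauthd-text": r"failed mail authenticatication attempt for user",
    # Same text with the spelling "corrected": no longer equal to the log.
    "corrected-spelling": r"failed mail authentication attempt for user",
    # Postfix-side line, which carries the client address.
    "smtpd-sasl": r"warning: \S+\[<HOST>\]: SASL \S+ authentication failed",
}

def check(failregex, lines):
    """Return (number of matching lines, sorted list of captured hosts)."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits, hosts = 0, set()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits += 1
            host = match.groupdict().get("host")
            if host:
                hosts.add(host)
    return hits, sorted(hosts)

def usable_for_ban(failregex, lines):
    """A pattern can drive a ban only if it matches and yields an address."""
    hits, hosts = check(failregex, lines)
    return hits > 0 and len(hosts) > 0

if __name__ == "__main__":
    for name, rx in CANDIDATES.items():
        print(name, check(rx, SAMPLE_LOG), usable_for_ban(rx, SAMPLE_LOG))
```

On the server itself, `fail2ban-regex` runs the same kind of check against the real log file and filter.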
 
Hi Trialotto, thanks a lot for that, hopefully I fixed it by now. And I realized a few other jails did not have an action in place...
 
@Franco,

No problem, thanks for the thanks.

By the way, I am working on some improvements for Fail2Ban: one new jail (with a specific action), some new settings and some (much desired) added functionality.

Feel free to contribute, just start a conversation if you want to do that.

Anyway, remind me to keep you posted about the aforementioned improvements.

Regards....
 