
Issue SASL LOGIN authentication failed: authentication failure

xemorytr

Basic Pleskian
Server operating system version: Ubuntu 22.04.2 LTS
Plesk version and microupdate number: Plesk Obsidian Version 18.0.52
Hello everyone,
Although fail2ban is active, it does not block.
I always get attacked like this.
Which way do you follow to solve this, and what do you do?
Thanks for a solution.

2023-05-02 13:46:16 WARNING postfix/smtpd [614764] warning: unknown[46.148.40.155]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:45:55 WARNING postfix/smtpd [614661] warning: unknown[46.148.40.157]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:45:48 WARNING postfix/smtpd [614764] warning: unknown[46.148.40.150]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:44:35 WARNING postfix/smtpd [614764] warning: unknown[46.148.40.161]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:43:54 WARNING postfix/smtpd [614661] warning: unknown[46.148.40.164]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:43:34 WARNING postfix/smtpd [614764] warning: unknown[46.148.40.160]: SASL LOGIN authentication failed: authentication failure
 

The sources of the attack are distributed over different IP addresses. For that reason the Fail2Ban threshold for repeated wrong login attempts is not reached. You can try to reduce the threshold to 2, or in the extreme to 1, so that an attacker will be blocked right after the first wrong login attempt, but even in that case the attacker can still try to log in from a different IP.
 
The sources of the attack are distributed over different IP addresses. For that reason the Fail2Ban threshold for repeated wrong login attempts is not reached. You can try to reduce the threshold to 2, or in the extreme to 1, so that an attacker will be blocked right after the first wrong login attempt, but even in that case the attacker can still try to log in from a different IP.
In this case 1.
But there are constant attacks from different IPs, and it does not block.
Is there a solution to completely eliminate this?
 
Do you think this rule can prevent this?
It is not active now; do I need to activate it?
 

If all the attacks are coming from the same network, as it seems 46.148.40.* is one of them, you could block that whole subnet with an iptables rule and do the same with other frequently used network segments. But check first whether these IPs belong to a commonly used server farm (such as Google, Amazon etc.), because a general IP address block would also block legitimate traffic. In such a case you should also learn how to unblock IPs or subnets that you blocked before; it will be needed. You can try to create a Plesk Firewall rule for it or use iptables directly. As there are so many options, this cannot be the place to explain iptables in depth, but there are lots of examples on the Internet of how to use it.
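The two replies above make two points that are easy to check against the log: the per-IP Fail2Ban counter never reaches its threshold because each source address appears only once, while the whole /24 (46.148.40.0/24) appears many times, and a subnet block on the firewall is the way to act on that. The following script is an added example for this thread, not Plesk's or Fail2Ban's code. It parses constructed log lines modelled on the entries in the first post (plus one unrelated failure and one non-failure line), shows which IPs a per-IP `maxretry` would catch, aggregates the failures by /24 (by /64 for IPv6) and emits the `iptables`/`ip6tables` commands to add and later remove a DROP rule. The `maxretry` value, the allowlist of ranges that must never be blocked (standing in for the "check who owns the range first" step, since a whois lookup cannot run offline) and the choice to drop only the SMTP submission ports rather than all traffic are assumptions of this example, not something the replies specify.

```python
"""Group Postfix SASL login failures by source subnet and emit firewall rules.

Added example for this forum thread; not Plesk's or Fail2Ban's own code.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the six source IPs quoted in the first post (with the
# log layout simplified), one failure from an unrelated documentation range,
# and one line that is not an authentication failure at all.
SAMPLE_LOG = """\
2023-05-02 13:43:34 postfix/smtpd[614764]: warning: unknown[46.148.40.160]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:43:54 postfix/smtpd[614661]: warning: unknown[46.148.40.164]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:44:35 postfix/smtpd[614764]: warning: unknown[46.148.40.161]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:45:48 postfix/smtpd[614764]: warning: unknown[46.148.40.150]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:45:55 postfix/smtpd[614661]: warning: unknown[46.148.40.157]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:46:16 postfix/smtpd[614764]: warning: unknown[46.148.40.155]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:47:02 postfix/smtpd[614764]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
2023-05-02 13:47:10 postfix/smtpd[614764]: connect from unknown[203.0.113.9]
"""

# Matches the Postfix SASL failure message; the hostname part may be
# "unknown" or a reverse-DNS name, the mechanism LOGIN or PLAIN.
FAIL_RE = re.compile(
    r"warning: [^\s\[]+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)

# Assumed: only the SMTP ports are dropped, so other services on the box
# (web, DNS) stay reachable from the blocked range.
SMTP_PORTS = (25, 465, 587)


def failed_login_sources(log_text):
    """Source IP of every SASL failure line, in log order (non-failures skipped)."""
    return [m.group("ip") for line in log_text.splitlines() if (m := FAIL_RE.search(line))]


def banned_ips(ips, maxretry):
    """IPs a per-IP counter would ban (findtime ignored: all samples lie within minutes)."""
    return sorted(ip for ip, n in Counter(ips).items() if n >= maxretry)


def subnet_of(ip, v4_prefix=24, v6_prefix=64):
    """The aggregation bucket for an address: /24 for IPv4, /64 for IPv6 (assumed sizes)."""
    addr = ipaddress.ip_address(ip)
    plen = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def candidate_subnets(ips, maxretry, allowlist=()):
    """Subnets whose aggregated failures reach maxretry, minus any overlapping the allowlist.

    The allowlist stands in for the manual check whether a range belongs to a
    large provider or to your own infrastructure before blocking it wholesale.
    """
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    counts = Counter(subnet_of(ip) for ip in ips)
    chosen = [
        net for net, n in counts.items()
        if n >= maxretry and not any(net.overlaps(a) for a in allowed)
    ]
    return sorted(chosen, key=str)


def firewall_rules(subnets, ports=SMTP_PORTS, action="-I"):
    """iptables/ip6tables command strings; action "-I" adds the DROP, "-D" removes it again."""
    plist = ",".join(str(p) for p in ports)
    cmds = []
    for net in subnets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        cmds.append(f"{tool} {action} INPUT -s {net} -p tcp -m multiport --dports {plist} -j DROP")
    return cmds


if __name__ == "__main__":
    ips = failed_login_sources(SAMPLE_LOG)
    print("failures per IP:", dict(Counter(ips)))
    print("banned with per-IP maxretry=5:", banned_ips(ips, 5))
    nets = candidate_subnets(ips, 5, allowlist=["203.0.113.0/24"])
    print("subnets over threshold:", [str(n) for n in nets])
    for cmd in firewall_rules(nets):
        print("block:  ", cmd)
    for cmd in firewall_rules(nets, action="-D"):
        print("unblock:", cmd)
```

Run as-is, the per-IP view shows every address exactly once, so nothing is banned at a threshold of 5 (or even 2), while the /24 view counts six failures for 46.148.40.0/24 and produces one add rule and its matching delete. The commands are only printed; running them needs root, and on a Plesk host the Plesk Firewall extension may rewrite the iptables chains, so a rule added there is the more durable place for the same block.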
 