
Issue SASL LOGIN authentication failed: authentication failure

xemorytr

Basic Pleskian
Server operating system version
Ubuntu 22.04.2 LTS
Plesk version and microupdate number
Plesk Obsidian Version 18.0.52
Hello everyone,
Although fail2ban is active, it does not block.
I always get attacked like this.
Which way do you follow to solve this, and what do you do?
Thanks for a solution.

2023-05-02 13:46:16 WARNING postfix/smtpd [614764] warning: unknown[46.148.40.155]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:45:55 WARNING postfix/smtpd [614661] warning: unknown[46.148.40.157]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:45:48 WARNING postfix/smtpd [614764] warning: unknown[46.148.40.150]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:44:35 WARNING postfix/smtpd [614764] warning: unknown[46.148.40.161]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:43:54 WARNING postfix/smtpd [614661] warning: unknown[46.148.40.164]: SASL LOGIN authentication failed: authentication failure
2023-05-02 13:43:34 WARNING postfix/smtpd [614764] warning: unknown[46.148.40.160]: SASL LOGIN authentication failed: authentication failure
 

The sources of the attack are distributed over different IP addresses. For that reason the threshold for Fail2Ban for repeatedly wrong login attempts is not reached. You can try to reduce the threshold to 2 or to the extreme 1 so that an attacker will be blocked right after the first wrong login attempt, but even in that case the attacker can still try to log in coming from a different IP.
 
The sources of the attack are distributed over different IP addresses. For that reason the threshold for Fail2Ban for repeatedly wrong login attempts is not reached. You can try to reduce the threshold to 2 or to the extreme 1 so that an attacker will be blocked right after the first wrong login attempt, but even in that case the attacker can still try to log in coming from a different IP.
In this case 1.
But there are constant attacks from different IPs and it does not block.
Is there a solution to completely eliminate this?
 
Do you think this rule can prevent this?
It is not active now, do I need to activate it?
 

If all the attacks are coming from the same network, as 46.148.40.* seems to be one of them, you could block that whole subnet with an iptables rule and do the same with other frequently used network segments. But first check whether these IPs belong to a commonly used server farm (such as Google, Amazon etc.), because a general IP address block would also block legitimate traffic. In such a case you should also learn how to unblock IPs or subnets that you blocked before; it will be needed. You can try to create a Plesk Firewall rule for it or use iptables directly. As there are so many options, this cannot be the place to explain iptables in depth, but there are lots of examples on the Internet of how to use it.
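
The replies above explain why a per-IP threshold misses failures spread across many addresses in one network. As an added example (not part of the thread, and not Plesk or Fail2Ban code), this Python script counts Postfix SASL failures per subnet instead of per address; the /24 and /64 grouping, the thresholds and all function names are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches Postfix smtpd warnings like the ones quoted in the thread.
FAILED = re.compile(r"warning: \S+\[([0-9A-Fa-f:.]+)\]: SASL \S+ authentication failed")

def subnet_of(ip, v4_prefix=24, v6_prefix=64):
    """Map an address to its enclosing network (prefix lengths are assumptions)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def noisy_subnets(lines, min_failures=5, min_sources=3):
    """Return {subnet: (failures, distinct_ips)} for networks where several
    different addresses together exceed a threshold no single one reaches."""
    failures = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        match = FAILED.search(line)
        if not match:
            continue
        try:
            net = subnet_of(match.group(1))
        except ValueError:  # bracketed text that is not a valid address
            continue
        failures[net] += 1
        sources[net].add(match.group(1))
    return {str(net): (failures[net], len(sources[net]))
            for net in failures
            if failures[net] >= min_failures and len(sources[net]) >= min_sources}

# Source addresses taken from the log lines in the thread.
THREAD_IPS = ["46.148.40.155", "46.148.40.157", "46.148.40.150",
              "46.148.40.161", "46.148.40.164", "46.148.40.160"]
FMT = ("postfix/smtpd [614764] warning: unknown[{}]: "
       "SASL LOGIN authentication failed: authentication failure")
SAMPLE = [FMT.format(ip) for ip in THREAD_IPS]
# Constructed lines: one client mistyping a password twice, plus a non-failure.
SAMPLE += [FMT.format("192.0.2.10")] * 2
SAMPLE.append("postfix/smtpd [614764] connect from unknown[192.0.2.10]")

if __name__ == "__main__":
    for net, (count, ips) in noisy_subnets(SAMPLE).items():
        print(f"{net}: {count} failures from {ips} addresses")
```

A network reported here is a candidate for the ownership check the reply recommends, not an automatic block.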
 