
Someone tries to hack IMAP

Nami_Abdelmoula

Hello,
When I check my server with this command:

netstat -tn 2>/dev/null | grep :143 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

I get this:
16 204.93.188.100
1 41.xx.xx.xx.xx (my IP)


So I took a look at the outgoing mail log and found this:

statistics: max connection rate 1/60s for (smtp:194.63.142.101) at Apr 11 09:28:44
Apr 11 09:32:05 myserver postfix/anvil[13245]: statistics: max connection count 1 for (smtp:194.63.142.101) at Apr 11 09:28:44
Apr 11 09:32:05 vmyserver postfix/anvil[13245]: statistics: max cache size 1 at Apr 11 09:28:44


and this:

connection from localhost [127.0.0.1] at port 42887
Apr 11 09:00:02 vps10039-cloud spamd[9334]: spamd: using default config for user@mydomain: /var/qmail/mailnames/plc-c.com/kamal/.spamassassin/user_prefs
Apr 11 09:00:02 vps10039-cloud spamd[9334]: spamd: processing message <[email protected]> for user@mydomain:30
Apr 11 09:00:07 vps10039-cloud spamd[9334]: spamd: clean message (0.8/7.0) for user@mydomain:30 in 5.1 seconds, 1164 bytes.
Apr 11 09:00:07 vps10039-cloud spamd[9334]: spamd: result: . 0 - DKIM_ADSP_NXDOMAIN,NO_RELAYS scantime=5.1,size=1164,user=[email protected],uid=30,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=42887,mid=<[email protected]>,autolearn=no
Apr 11 09:00:07 vps10039-cloud spamd[9329]: prefork: child states: II
Apr 11 09:00:07 vps10039-cloud postfix/pipe[11789]: 13CD9108E23: to=<user@mydomain>, orig_to=<root>, relay=plesk_virtual, delay=5.4, delays=0/0.03/0/5.4, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Apr 11 09:00:07 vps10039-cloud postfix/qmgr[23080]: 13CD9108E23: removed
Apr 11 09:00:10 vps10039-cloud courier-pop3s: Connection, ip=[::ffff:92.99.167.210]
Apr 11 09:00:11 vps10039-cloud courier-pop3s: LOGIN, user=user@mydomain, ip=[::ffff:92.99.167.210], port=[50945]
Apr 11 09:00:23 vps10039-cloud courier-pop3s: LOGOUT, user=user@mydomain, ip=[::ffff:92.99.167.210], port=[50945], top=0, retr=1400, rcvd=34, sent=20330, time=12, stls=1


Any advice, please?
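As an added example (not part of the original post), the script below does the same per-IP tally as the netstat pipeline above, but over the mail log and counting only failed logins: an established connection on port 143 by itself does not tell you whether the peer is guessing passwords or is a legitimate client polling its mailbox. The log lines are constructed in the courier-imap/courier-pop3s syslog format seen in the post, using documentation-range addresses rather than the ones from the thread; the threshold of 3 stands in for a Fail2Ban maxretry value and is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Constructed sample lines in courier-imap / courier-pop3s syslog format.
# 203.0.113.10 fails four times (a guessing bot), 198.51.100.7 mistypes once
# and then logs in, 192.0.2.1 is a clean POP3 session like the one in the post.
SAMPLE_LOG='Apr 11 09:00:10 host courier-pop3s: Connection, ip=[::ffff:203.0.113.10]
Apr 11 09:00:11 host courier-pop3s: LOGIN FAILED, user=admin, ip=[::ffff:203.0.113.10]
Apr 11 09:00:12 host courier-pop3s: LOGIN FAILED, user=info, ip=[::ffff:203.0.113.10]
Apr 11 09:00:13 host courier-imapd: LOGIN FAILED, user=sales, ip=[::ffff:203.0.113.10]
Apr 11 09:00:14 host courier-imapd: LOGIN FAILED, method=PLAIN, ip=[::ffff:203.0.113.10]
Apr 11 09:00:20 host courier-imapd: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.7]
Apr 11 09:00:25 host courier-imapd: LOGIN, user=bob@example.com, ip=[::ffff:198.51.100.7], port=[50945]
Apr 11 09:00:30 host courier-pop3s: LOGIN, user=alice@example.com, ip=[192.0.2.1], port=[40001]
Apr 11 09:00:42 host courier-pop3s: LOGOUT, user=alice@example.com, ip=[192.0.2.1], port=[40001], top=0, retr=1400, rcvd=34, sent=20330, time=12, stls=1'

# count_login_failures THRESHOLD   (log text on stdin)
# Prints "<failures> <ip>" for every source address with at least THRESHOLD
# failed logins, busiest first. Matches "LOGIN FAILED" whether courier logged
# user= or method=, and strips the ::ffff: prefix of IPv4-mapped addresses
# so the output is comparable with netstat's plain IPv4 column.
count_login_failures() {
    thr="${1:-5}"
    awk -v thr="$thr" '
        /LOGIN FAILED/ {
            if (match($0, /ip=\[[^]]*\]/)) {
                ip = substr($0, RSTART + 4, RLENGTH - 5)   # drop "ip=[" and "]"
                sub(/^::ffff:/, "", ip)
                fails[ip]++
            }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' | sort -nr
}

# Run against the constructed sample with a threshold of 3 (assumed value,
# comparable to a Fail2Ban maxretry setting).
printf '%s\n' "$SAMPLE_LOG" | count_login_failures 3
```

On a live server replace the sample with `cat /var/log/maillog` (or `/var/log/mail.log` on Debian-based systems) piped into the function; the address that tops this list is the one worth banning, while an address that only appears in the netstat output with successful LOGIN lines is probably a real mailbox owner.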
 
Hi Nami_Abdelmoula,

204.93.188.100 <= a spammer on a cloud server, using the IMAP ports. Please install and configure the Plesk extension "Fail2Ban" to identify such intruders pretty quickly and ban them automatically with iptables (as Fail2Ban does). If you don't know Fail2Ban, it could help to inform yourself:



194.63.142.101 <= tries to guess usernames and passwords over SASL from a botnet... same as before... please install Fail2Ban to get rid of such kiddies.

92.99.167.210 <= a "comment spammer", a bot or botnet looking for CMS and forums where it could post spam comments... Again, please install Fail2Ban.


Please make sure you are not running an open relay, and check your mail server configuration for security holes.
 
Hi UFHH01,
Thank you very much for your help. I tried to switch on Fail2Ban, but I get this error:


Error: Unable to switch on the jail: f2bmng failed: ERROR No file(s) found for glob /var/log/mail.log
ERROR Failed during configuration: Have not found any log file for dovecot jail
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload']' returned non-zero exit status 255
ERROR:f2bmng:Failed to reload following jails due to errors in configuration


Any advice, please?
 
Hi Nami_Abdelmoula,

please have a closer look at the configuration files... If you do not have a "mail.log" in "/var/log/", you will notice that there is another log file there, named "maillog" (without any "." extension). Please correct this in the corresponding jail.

If you don't use Dovecot but "courier-imap" instead, there is no need to activate the dovecot jail.

Please check as well that you whitelist your server IP(s) in the configuration, to avoid failures. The documentation describes how to do that.


After your corrections, please start Fail2Ban again and report any remaining issues.
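As an added example that is not part of either reply above, the fragment below puts the advice from both into one stock Fail2Ban `jail.local`: jails for Courier login failures and Postfix SASL guessing (the first reply), the `maillog` log path, the dovecot jail left off on a Courier server, and `ignoreip` whitelisting of the server's own addresses (the second reply). The filter names `courier-auth` and `postfix-sasl` are the ones shipped in stock fail2ban's `filter.d`/`jail.conf`; the log path, the example addresses and the thresholds are assumptions to adjust to your server, and the Plesk extension manages its own jail definitions, so if you configure Fail2Ban through the panel, use the jail names the panel shows rather than these.

```ini
# Added example, not from the original thread: /etc/fail2ban/jail.local
# for a Plesk server running Postfix + courier-imap. Adjust paths and IPs.
[DEFAULT]
# Never ban the server itself or the admin's own address (203.0.113.5 is an
# assumed placeholder); a missing entry here is how you lock yourself out.
ignoreip = 127.0.0.1/8 ::1 203.0.113.5
# Ban for one day after 5 failures within 10 minutes (assumed values).
bantime  = 86400
findtime = 600
maxretry = 5

# Courier IMAP/POP3 jail: stock filter matches "LOGIN FAILED, user=..., ip=[...]".
# On CentOS/RHEL the mail log is /var/log/maillog, on Debian/Ubuntu
# /var/log/mail.log; the "No file(s) found for glob" error means this
# path points at the wrong one.
[courier-auth]
enabled  = true
port     = imap,imaps,pop3,pop3s
logpath  = /var/log/maillog

# Postfix SASL jail: stock filter matches "SASL LOGIN authentication failed".
[postfix-sasl]
enabled  = true
port     = smtp,465,submission
logpath  = /var/log/maillog

# No Dovecot on this server, so keep its jail off; enabling it with no
# matching log is what makes "fail2ban-client reload" exit with status 255.
[dovecot]
enabled  = false
```

After editing, `fail2ban-client reload` applies the file and `fail2ban-client status courier-auth` shows what the jail has banned. A single address can also be banned by hand with `fail2ban-client set courier-auth banip 203.0.113.10` (placeholder IP), which inserts the same iptables rule the jail would.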
 
Thank you very much. First of all, I had an issue with my Plesk license, so I resolved it; then I enabled Fail2Ban and the jails.

Now I can see who tries to brute force, but I need to know how to add an IP to the Fail2Ban blacklist, because whatever I do to create a firewall rule to block it on all ports, it doesn't work; the spammer keeps guessing the passwords or users of my mail accounts.

Thank you
 