
Someone trying to hack IMAP

Nami_Abdelmoula

New Pleskian
Hello,
when I check my server with this command:

netstat -tn 2>/dev/null | grep :143 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

I get this:
16 204.93.188.100
1 41.xx.xx.xx.xx (my IP)


So I took a look at outgoing mail and found this:

statistics: max connection rate 1/60s for (smtp:194.63.142.101) at Apr 11 09:28:44
Apr 11 09:32:05 myserver postfix/anvil[13245]: statistics: max connection count 1 for (smtp:194.63.142.101) at Apr 11 09:28:44
Apr 11 09:32:05 vmyserver postfix/anvil[13245]: statistics: max cache size 1 at Apr 11 09:28:44


and this:

connection from localhost [127.0.0.1] at port 42887
Apr 11 09:00:02 vps10039-cloud spamd[9334]: spamd: using default config for user@mydomain: /var/qmail/mailnames/plc-c.com/kamal/.spamassassin/user_prefs
Apr 11 09:00:02 vps10039-cloud spamd[9334]: spamd: processing message <[email protected]> for user@mydomain:30
Apr 11 09:00:07 vps10039-cloud spamd[9334]: spamd: clean message (0.8/7.0) for user@mydomain:30 in 5.1 seconds, 1164 bytes.
Apr 11 09:00:07 vps10039-cloud spamd[9334]: spamd: result: . 0 - DKIM_ADSP_NXDOMAIN,NO_RELAYS scantime=5.1,size=1164,user=[email protected],uid=30,required_score=7.0,rhost=localhost,raddr=127.0.0.1,rport=42887,mid=<[email protected]>,autolearn=no
Apr 11 09:00:07 vps10039-cloud spamd[9329]: prefork: child states: II
Apr 11 09:00:07 vps10039-cloud postfix/pipe[11789]: 13CD9108E23: to=<user@mydomain>, orig_to=<root>, relay=plesk_virtual, delay=5.4, delays=0/0.03/0/5.4, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Apr 11 09:00:07 vps10039-cloud postfix/qmgr[23080]: 13CD9108E23: removed
Apr 11 09:00:10 vps10039-cloud courier-pop3s: Connection, ip=[::ffff:92.99.167.210]
Apr 11 09:00:11 vps10039-cloud courier-pop3s: LOGIN, user=user@mydomain, ip=[::ffff:92.99.167.210], port=[50945]
Apr 11 09:00:23 vps10039-cloud courier-pop3s: LOGOUT, user=user@mydomain, ip=[::ffff:92.99.167.210], port=[50945], top=0, retr=1400, rcvd=34, sent=20330, time=12, stls=1


Any advice please
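The netstat pipeline in the post counts connections per remote address, and the courier log lines show per-connection LOGIN/LOGOUT events. The following Python script is an added example (not code from the thread or from Plesk) that does the same two things on constructed sample input: it counts connections whose *local* port is 143 (the `grep :143` in the one-liner also matches outbound connections to a remote port 143, and `cut -d: -f1` mangles IPv6 addresses), tallies courier-imap/courier-pop3 events per source IP including `LOGIN FAILED`, and flags sources above a threshold. The sample netstat and log text is constructed to resemble the post's output; the thresholds are assumptions to tune per server.

```python
"""Count IMAP/POP connections and courier auth events per remote IP, then flag
noisy sources. Added example for the thread above; sample data is constructed."""
import re
from collections import Counter, defaultdict

# Constructed `netstat -tn` output. 204.93.188.100 is the address from the post;
# the others are documentation addresses (RFC 5737 / RFC 3849).
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:143            204.93.188.100:51234    ESTABLISHED
tcp        0      0 10.0.0.5:143            204.93.188.100:51235    ESTABLISHED
tcp        0      0 10.0.0.5:143            204.93.188.100:51240    ESTABLISHED
tcp        0      0 10.0.0.5:143            204.93.188.100:51241    ESTABLISHED
tcp        0      0 10.0.0.5:143            204.93.188.100:51242    ESTABLISHED
tcp        0      0 10.0.0.5:143            204.93.188.100:51243    ESTABLISHED
tcp        0      0 10.0.0.5:143            198.51.100.7:60001      ESTABLISHED
tcp        0      0 10.0.0.5:51430          203.0.113.9:143         TIME_WAIT
tcp6       0      0 2001:db8::5:143         2001:db8::77:40000      ESTABLISHED
"""

# Constructed courier log lines in the same format as the post's maillog excerpt.
COURIER_SAMPLE = """\
Apr 11 09:00:10 vps10039-cloud courier-pop3s: Connection, ip=[::ffff:92.99.167.210]
Apr 11 09:00:11 vps10039-cloud courier-pop3s: LOGIN, user=user@mydomain, ip=[::ffff:92.99.167.210], port=[50945]
Apr 11 09:00:23 vps10039-cloud courier-pop3s: LOGOUT, user=user@mydomain, ip=[::ffff:92.99.167.210], port=[50945], top=0, retr=1400, rcvd=34, sent=20330, time=12, stls=1
Apr 11 09:01:02 vps10039-cloud courier-imaps: Connection, ip=[::ffff:204.93.188.100]
Apr 11 09:01:03 vps10039-cloud courier-imaps: LOGIN FAILED, user=admin, ip=[::ffff:204.93.188.100]
Apr 11 09:01:05 vps10039-cloud courier-imaps: Connection, ip=[::ffff:204.93.188.100]
Apr 11 09:01:06 vps10039-cloud courier-imaps: LOGIN FAILED, user=info, ip=[::ffff:204.93.188.100]
Apr 11 09:01:09 vps10039-cloud courier-imaps: Connection, ip=[::ffff:204.93.188.100]
Apr 11 09:01:10 vps10039-cloud courier-imaps: LOGIN FAILED, user=postmaster, ip=[::ffff:204.93.188.100]
"""

# "LOGIN FAILED" must precede "LOGIN" in the alternation or it never matches.
COURIER_RE = re.compile(
    r"courier-(?:imaps?|pop3s?): (Connection|LOGIN FAILED|LOGIN|LOGOUT),"
    r".*?ip=\[(?:::ffff:)?([^\]]+)\]"
)


def connections_by_remote_ip(netstat_text, local_port=143):
    """Count connections per remote IP whose LOCAL port is `local_port`.
    Splitting on the last ':' keeps IPv6 addresses intact."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6"):
            continue
        local, remote = fields[3], fields[4]
        if local.rsplit(":", 1)[1] != str(local_port):
            continue  # skip outbound sockets that merely talk to port 143 elsewhere
        counts[remote.rsplit(":", 1)[0]] += 1
    return counts


def auth_events_by_ip(log_text):
    """Map source IP -> Counter of courier event types (strips the ::ffff: prefix)."""
    events = defaultdict(Counter)
    for line in log_text.splitlines():
        m = COURIER_RE.search(line)
        if m:
            events[m.group(2)][m.group(1)] += 1
    return events


def flag_sources(conn_counts, auth_events, conn_threshold=5, fail_threshold=3):
    """Return {ip: [reasons]} for sources over either threshold (thresholds assumed)."""
    flagged = defaultdict(list)
    for ip, n in conn_counts.items():
        if n >= conn_threshold:
            flagged[ip].append(f"{n} concurrent connections to port 143")
    for ip, ev in auth_events.items():
        if ev["LOGIN FAILED"] >= fail_threshold:
            flagged[ip].append(f"{ev['LOGIN FAILED']} failed logins")
    return dict(flagged)


if __name__ == "__main__":
    conns = connections_by_remote_ip(NETSTAT_SAMPLE)
    for ip, n in conns.most_common():
        print(f"{n:4d} {ip}")
    for ip, reasons in flag_sources(conns, auth_events_by_ip(COURIER_SAMPLE)).items():
        print(f"FLAG {ip}: {'; '.join(reasons)}")
```

On a live server, feed it `netstat -tn` output and the relevant slice of /var/log/maillog (or /var/log/mail.log); the per-IP `LOGIN FAILED` count is exactly what a fail2ban filter keys on, so the flagged list is a good sanity check that the jail is watching the right log.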
 
Hi Nami_Abdelmoula,

204.93.188.100 <= spammer on a cloud server, using IMAP ports. Please install and configure the Plesk extension "Fail2Ban" to identify such intruders pretty quickly and automatically ban them with iptables (as done by Fail2Ban). If you don't know Fail2Ban, it could help to inform yourself:



194.63.142.101 <= tries to guess usernames and passwords over SASL over a botnet... same as before... please install Fail2Ban to get rid of such kiddies.

92.99.167.210 <= "comment spammer", a bot or botnet looking for CMS and forums where it could post spam comments... Again... please install Fail2Ban.


Please make sure not to be an open relay server, and check your mail server configuration for security holes.
 
Hi UFHH01
Thank you very much for your help. I tried to switch on fail2ban, but I get this error:


Error: Unable to switch on the jail: f2bmng failed: ERROR No file(s) found for glob /var/log/mail.log
ERROR Failed during configuration: Have not found any log file for dovecot jail
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload']' returned non-zero exit status 255
ERROR:f2bmng:Failed to reload following jails due to errors in configuration


Any advice please
 
Hi Nami_Abdelmoula,

Please have a closer look at the configuration files. If you do not have a "mail.log" at "/var/log/", you will notice that there is another log file, but named "maillog" (without any "." extension). Please correct this in the corresponding jail.

If you don't use dovecot, but instead "courier-imap", there is no need to activate the dovecot jail.

Please check as well that you whitelist your server IP(s) in the configuration, to avoid failures. The documentation describes how to do that.


After your corrections, please start Fail2Ban again and report possible issues.
 
Thank you very much. First of all, I had an issue with my Plesk license, so I resolved it; then I enabled fail2ban and the jails.

Now I can see who tries to brute force, but I need to know how to add an IP to the blacklist of fail2ban, because whatever I do, a firewall rule to block it on all ports doesn't work: the spammer keeps guessing the passwords or users of my mailboxes.

Thank you
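The two fixes given earlier in the thread (point the jails at the mail log that actually exists, skip the dovecot jail on a courier-imap server, whitelist the server's own IPs) and the question just above (how to ban one address by hand) can be made concrete in one small helper. The script below is an added example, not Plesk's or fail2ban's own code. It assumes the standard fail2ban jail names `postfix-sasl`, `courier-auth` and `dovecot`, the `bantime`/`findtime`/`maxretry` settings are placeholder values, and the manual ban uses `fail2ban-client set <jail> banip <ip>`, which puts the address into the jail's own iptables chain rather than a separate firewall rule that fail2ban does not know about.

```python
"""Generate a fail2ban jail.local for a Plesk mail server and the command to
ban one address by hand. Added example; jail names and limits are assumptions."""
import ipaddress
import os

# Distributions disagree on the name; the thread's server has /var/log/maillog.
MAIL_LOG_CANDIDATES = ("/var/log/mail.log", "/var/log/maillog")


def find_mail_log(candidates=MAIL_LOG_CANDIDATES, exists=os.path.exists):
    """Return the first candidate that exists. `exists` is injectable so the
    selection can be tested without touching the filesystem."""
    for path in candidates:
        if exists(path):
            return path
    raise FileNotFoundError("no mail log found among " + ", ".join(candidates))


def render_jail_local(logpath, server_ips, imap_server="courier"):
    """Build jail.local text: whitelist the server's own addresses, point every
    mail jail at the log that exists, and enable only the IMAP jail that matches
    the installed server ("courier" for courier-imap/pop3, "dovecot" otherwise)."""
    if imap_server not in ("courier", "dovecot"):
        raise ValueError("imap_server must be 'courier' or 'dovecot'")
    # Validate the whitelist up front: a typo here would silently protect nothing.
    for ip in server_ips:
        ipaddress.ip_network(ip, strict=False)
    ignoreip = " ".join(["127.0.0.1/8", "::1"] + list(server_ips))
    lines = [
        "[DEFAULT]",
        f"ignoreip = {ignoreip}",
        "bantime = 3600",   # placeholder values; tune per server
        "findtime = 600",
        "maxretry = 5",
        "",
    ]
    jails = {
        "postfix-sasl": True,                      # SASL guessing seen in the anvil lines
        "courier-auth": imap_server == "courier",  # courier-imap / courier-pop3 logins
        "dovecot": imap_server == "dovecot",       # no dovecot here, so stays disabled
    }
    for name, enabled in jails.items():
        lines += [
            f"[{name}]",
            f"enabled = {'true' if enabled else 'false'}",
            f"logpath = {logpath}",
            "",
        ]
    return "\n".join(lines)


def ban_command(jail, ip):
    """fail2ban-client invocation that bans `ip` in `jail` immediately.
    The address is parsed first so nothing but a literal IP reaches a root shell."""
    ipaddress.ip_address(ip)
    return f"fail2ban-client set {jail} banip {ip}"


if __name__ == "__main__":
    try:
        logpath = find_mail_log()
    except FileNotFoundError as exc:
        print(exc)
        logpath = MAIL_LOG_CANDIDATES[1]  # keep the demo going on a workstation
    # 203.0.113.10 stands in for the server's own public IP (constructed value).
    print(render_jail_local(logpath, ["203.0.113.10"], imap_server="courier"))
    print(ban_command("courier-auth", "204.93.188.100"))
```

Write the rendered text to /etc/fail2ban/jail.local (leave jail.conf untouched so package upgrades do not overwrite the changes), then reload with `fail2ban-client reload`. Bans added with `banip` expire after `bantime`; for an address that should stay blocked permanently, a firewall rule is still the right tool, but it must be a rule fail2ban's chains do not bypass, which is why checking `iptables -L -n` for the jail's chain is the first thing to do when a manual rule seems to have no effect.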
 