
Trends & Patterns in E-mail Attacks

Eric Pretorious

Regular Pleskian
In the process of writing a daemon to monitor and respond to failed login attempts, I noticed this pattern repeated numerous times every day:
  1. Five simultaneous connections - never any more, never any less:
    Code:
    Sep  9 04:00:34 www postfix/smtpd[444]: connect from 592329.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[446]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[447]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[449]: connect from 592329.soborka.net[94.158.158.194]
    Sep  9 04:00:34 www postfix/smtpd[450]: connect from 592329.soborka.net[94.158.158.194]
  2. Followed by five simultaneous authentication failures:
    Code:
    Sep  9 04:00:34 www postfix/smtpd[444]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[446]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[447]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[449]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
    ...
    Sep  9 04:00:34 www postfix/smtpd[450]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Has anyone else been noticing the same pattern?
Most standard configurations for "fail2ban", or other log-scanning tools for malicious signs, count to "5" attempts before the possible intruder / hacker / bot / script / or whatever is banned via iptables, firewall rules or other ways to stop the attempts. Most of the scripts/bots aren't aware of being blocked and still continue their attempts, even though the desired IP/network is unreachable to them. That's why the script kiddies changed some scripts/bots to a maximum of 5 attempts per hour/day/week, which isn't really new information when you read several security discussion boards. For that reason you should investigate your logs from time to time, so you can adjust your configurations to the actual conditions. ^^
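The two posts above describe a log signature (exactly five connections and five SASL failures from one address in the same second) and a detection rule (a fail2ban-style count of failures within a time window). The script below is an added example, not code from the thread, from Plesk, or from fail2ban: it parses Postfix smtpd lines, flags the five-for-five burst, and applies a maxretry/findtime rule with different settings. The 04:00:34 burst is modelled on the lines quoted in the first post; the 05:00:12 burst from the same address, the benign connection from 192.0.2.10, and the year used for timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The 04:00:34 burst mirrors the lines quoted in the post;
# the 05:00:12 burst (same address, one hour later) and the 192.0.2.10 line are invented.
SAMPLE_LOG = """\
Sep  9 04:00:34 www postfix/smtpd[444]: connect from 592329.soborka.net[94.158.158.194]
Sep  9 04:00:34 www postfix/smtpd[446]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
Sep  9 04:00:34 www postfix/smtpd[447]: connect from host-94-158-158-194.soborka.net[94.158.158.194]
Sep  9 04:00:34 www postfix/smtpd[449]: connect from 592329.soborka.net[94.158.158.194]
Sep  9 04:00:34 www postfix/smtpd[450]: connect from 592329.soborka.net[94.158.158.194]
Sep  9 04:00:34 www postfix/smtpd[444]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Sep  9 04:00:34 www postfix/smtpd[446]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Sep  9 04:00:34 www postfix/smtpd[447]: warning: host-94-158-158-194.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Sep  9 04:00:34 www postfix/smtpd[449]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Sep  9 04:00:34 www postfix/smtpd[450]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Sep  9 04:01:02 www postfix/smtpd[451]: connect from mail.example.net[192.0.2.10]
Sep  9 05:00:12 www postfix/smtpd[812]: connect from 592329.soborka.net[94.158.158.194]
Sep  9 05:00:12 www postfix/smtpd[813]: connect from 592329.soborka.net[94.158.158.194]
Sep  9 05:00:12 www postfix/smtpd[815]: connect from 592329.soborka.net[94.158.158.194]
Sep  9 05:00:12 www postfix/smtpd[816]: connect from 592329.soborka.net[94.158.158.194]
Sep  9 05:00:12 www postfix/smtpd[818]: connect from 592329.soborka.net[94.158.158.194]
Sep  9 05:00:12 www postfix/smtpd[812]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Sep  9 05:00:12 www postfix/smtpd[813]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Sep  9 05:00:12 www postfix/smtpd[815]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Sep  9 05:00:12 www postfix/smtpd[816]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
Sep  9 05:00:12 www postfix/smtpd[818]: warning: 592329.soborka.net[94.158.158.194]: SASL LOGIN authentication failed: authentication failure
"""

# Matches both "connect from host[ip]" and "warning: host[ip]: SASL ... failed" smtpd lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<kind>connect from|warning:) \S+\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumed for the example


def parse_events(text):
    """Return (time, kind, pid, ip) tuples for connect and SASL-failure lines; others are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["kind"] == "connect from":
            kind = "connect"
        elif "authentication failed" in m["rest"]:
            kind = "fail"
        else:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Sep  9")
        ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, kind, int(m["pid"]), m["ip"]))
    return events


def find_bursts(events, size=5):
    """Flag (ip, second) pairs where exactly `size` connects and `size` SASL failures
    share one timestamp and the same smtpd PIDs: the signature described in the post."""
    pids = defaultdict(lambda: {"connect": set(), "fail": set()})
    for ts, kind, pid, ip in events:
        pids[(ip, ts)][kind].add(pid)
    return sorted(
        (ip, ts) for (ip, ts), k in pids.items()
        if len(k["connect"]) == size and k["connect"] == k["fail"]
    )


def hosts_over_threshold(events, max_retry, find_time):
    """Return IPs with at least `max_retry` SASL failures inside any `find_time`-second
    window (a fail2ban-style maxretry/findtime rule reimplemented here, not fail2ban's code)."""
    fails = defaultdict(list)
    for ts, kind, _pid, ip in events:
        if kind == "fail":
            fails[ip].append(ts)
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > find_time:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= max_retry:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for ip, ts in find_bursts(ev):
        print(f"burst of 5 connect+fail pairs from {ip} at {ts:%b %d %H:%M:%S}")
    for max_retry, find_time in ((5, 600), (6, 600), (6, 3600)):
        hits = sorted(hosts_over_threshold(ev, max_retry, find_time))
        print(f"maxretry={max_retry} findtime={find_time}s -> {hits or 'nothing flagged'}")
```

With the constructed input, the burst detector reports the same address twice, and the threshold rule shows the trade-off the reply points at: a threshold of 5 inside a 10-minute window catches a single burst, a threshold of 6 in the same window catches nothing because each burst stops at exactly five, and a threshold of 6 over a one-hour window catches the host once its second burst lands inside the window. Which settings are right depends on the traffic seen in your own logs, which is the reply's point about checking them periodically.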

Thanks, UFHH01!
 