
checkmailpasswd: FAILED

GravuTrad

Regular Pleskian
Hi to all.

Feb 27 16:37:35 ks38509 pop3d: LOGOUT, ip=[::ffff:176.61.143.28]
Feb 27 16:37:36 ks38509 pop3d: Connection, ip=[::ffff:176.61.143.28]
Feb 27 16:37:39 ks38509 pop3d: IMAP connect from @ [::ffff:176.61.143.28]checkmailpasswd: FAILED: angela - short names not allowed from @ [::ffff:176.61.143.28]ERR: LOGIN FAILED, ip=[::ffff:176.61.143.28]
Feb 27 16:37:39 ks38509 pop3d: LOGOUT, ip=[::ffff:176.61.143.28]
Feb 27 16:37:40 ks38509 pop3d: Connection, ip=[::ffff:176.61.143.28]
Feb 27 16:37:42 ks38509 pop3d: IMAP connect from @ [::ffff:176.61.143.28]checkmailpasswd: FAILED: angelica - short names not allowed from @ [::ffff:176.61.143.28]ERR: LOGIN FAILED, ip=[::ffff:176.61.143.28]

How do I block these kinds of IPv6 attacks with Plesk, please?

Thanks.
 
It's already configured like this. But this IP and these names are not from my server (so it is an attack). I blacklisted it in my firewall, but I would like to stop this style of attack...
 
This is just a standard brute-force attack - an attempt to guess usernames and passwords.

The IP addresses are not really IPv6. They are IPv4 addresses formatted as IPv6, and this is just the way the application displays things in the logs.

If you see this sort of thing from many different IPs, it is likely to be a botnet-based attack. There's not much you can do about this, as the number of IPs will be high and will differ from day to day. If you look at the IPs in question, you may find they are mostly coming from a particular geographic area. For example, the majority of attacks of this nature that we see are currently coming from South America. Since we have no customers in that area, and our customers do not do business with that part of the world, we could use geoblocking to block the majority of the countries involved. Other areas with high proportions of compromised systems are China, Eastern Europe, Turkey and South Korea.

But since this particular attack is using the wrong type of username (short names), there's nothing to worry about, as it means that a login will never succeed.

The attack type is likely to change, however. So for peace of mind, I strongly recommend that you select a strong password policy for all your users. And if your passwords are not stored in encrypted form (default in Plesk 11), I also strongly recommend you look through the current passwords to make sure nobody is using a stupid password (short, obvious, common, dictionary word etc etc etc).

Strong passwords are effectively "impossible" to guess using an attack like this. OK, not impossible, but very difficult. The bad guys would have to try constantly for months on end. And they are looking for easy targets, mostly, so it is unlikely they will try that hard.

There are also a number of security tools that can help you. A number of scripts include the ability to detect multiple failed logins from the same IP over a period of time, and automatically block them (e.g. fail2ban). There are also commercial scripts and security systems that are worth looking into (e.g. ASL) that can do this and much more.
 