
Issue I am under SMTP attack

Jimlee3

Basic Pleskian
I checked my maillog today and saw a lot of "SASL LOGIN authentication failed: authentication failure" messages. It appears that I am under an SMTP brute-force attack. Fail2ban is enabled, yet the same person tried to log in many times. Any ideas how to avoid this?
 
Hi Jimlee3,

Fail2ban is enabled, yet the same person tried to log in many times. Any ideas how to avoid this?
If you experience issues with Fail2ban not blocking intruders, consider posting the Fail2ban log and its corresponding Fail2ban configurations (jails) for mail filters and actions. Be aware that you might set the allowed attempts to a lower level, and consider using an additional "recidive" jail to ban repeat offenders for a longer time.
 
The problem is that the IP is changing every single time. I have enabled plesk-postfix, reduced the login attempts to 1 and increased the time, but I am still under attack.
Is there any way I can disable SMTP remote access so people are unable to connect to SMTP remotely?
 
Hi Jimlee3,

Is there any way I can disable SMTP remote access so people are unable to connect to SMTP remotely?
You could find the answer to your question in your very own thread: => https://talk.plesk.com/threads/is-there-an-smtp-restrictions-in-plesk.340332/


To check whether a Fail2Ban jail will fit your current configuration (and ban existing scripts/bots/intruders), you could use, for example, the following SSH command (logged in as user "root"):

Code:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf --print-all-matched
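
Added example, not part of the thread or any poster's code: a small Python summary of the SASL failure lines discussed above, showing how many failures come from IPs that never reach a per-IP `maxretry` and how they cluster by network. It assumes the standard Postfix syslog line format; the sample lines are constructed, the /24 and /64 grouping is an illustrative choice, and fail2ban's `findtime` window is ignored.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Postfix warning for a failed SASL login, as quoted in the thread.
SASL_FAIL = re.compile(r"postfix/[\w/]+\[\d+\]: warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
                       r"SASL [\w-]+ authentication failed")

# Constructed sample lines (documentation address ranges), not a real log.
FAIL_LINE = "mail postfix/smtpd[2101]: warning: unknown[{}]: SASL LOGIN authentication failed: authentication failure"
SAMPLE = [f"Jan 10 03:14:{i:02d} " + FAIL_LINE.format(ip) for i, ip in enumerate(
    ["192.0.2.10", "192.0.2.77", "192.0.2.131", "198.51.100.4", "198.51.100.4", "198.51.100.4"])]
SAMPLE.append("Jan 10 03:15:30 mail postfix/smtpd[2110]: connect from unknown[203.0.113.9]")

def summarize(lines, maxretry=3):
    """Count SASL failures per IP and per /24 (IPv4) or /64 (IPv6) network.

    Simplification (assumption): ignores fail2ban's findtime window, so an IP
    counts as bannable once its total failures in `lines` reach maxretry.
    """
    per_ip = Counter()
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            per_ip[m.group("ip")] += 1
    per_net = Counter()
    for ip, n in per_ip.items():
        try:
            net = ip_network(f"{ip}/{64 if ':' in ip else 24}", strict=False)
        except ValueError:  # bracket content was not a valid address
            continue
        per_net[str(net)] += n
    return {
        "total_failures": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "bannable_ips": sorted(ip for ip, n in per_ip.items() if n >= maxretry),
        "failures_below_maxretry": sum(n for n in per_ip.values() if n < maxretry),
        "per_network": dict(per_net),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A high `failures_below_maxretry` count next to only a few entries in `per_network` indicates that the attempts rotate through addresses faster than a per-IP jail can count them.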
 