Brute force on email
Hi,
Is anyone here also experiencing a brute force attack with your emails?
I actually noticed this months before as I see 139.28.174.155 in the fail2ban list under MAIL.
The weird part is that it shows up on every VestaCP I have. So I think this is not an isolated attack.
You also may want to check out your /var/log/exim/main.log
I have new and under-development domains that are part of the logs. I mean, it is impossible that they became aware of the domain and just randomly brute-forced an email under that domain.
- Posts: 3
- Joined: Wed Apr 04, 2018 11:59 am
- Os: CentOS 7x
- Web: apache + nginx
Re: Brute force on email
I have the same problem right now, since 4 hours ago!
SpamAssassin and clamd use all the CPU. Can you solve this problem?
Re: Brute force on email
If the IP address was automatically banned by fail2ban, it will be deleted after a few minutes.
So what I did is I just manually added this IP range, 139.28.174.0/24, so it is permanently banned.
But it begs the question, why are we getting this?
Not sure if that is related.
ricardopxl wrote (Wed May 08, 2019 2:56 am):
SpamAssassin and clamd use all the CPU. Can you solve this problem?
- Posts: 1
- Joined: Mon Nov 09, 2020 8:59 pm
- Os: Ubuntu 17x
- Web: apache + nginx
Re: Brute force on email
I have also been receiving a brute force attack on my Exim/Dovecot installation in my VestaCP. Is there anything I can do about this apart from blocking that IP range?
2020-11-09 11:09:16 dovecot_login authenticator failed for (localhost) [45.142.120.137]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:10:02 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:11:14 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:12:26 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:13:41 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:14:51 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:16:01 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:17:16 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:17:46 dovecot_login authenticator failed for (User) [45.125.65.39]: 535 Incorrect authentication data (set_id=wood)
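The log lines quoted above are what fail2ban's MAIL jail keys on. As an added example, not code from the thread, from VestaCP, or from fail2ban, the script below parses Exim `main.log` lines of that exact shape, counts failed `dovecot_login` attempts per source address, and applies a fail2ban-style maxretry/findtime sliding window. It also aggregates per /24, which is the check behind the earlier post's decision to ban a whole /24: the quoted entries come from 45.142.120.137 and 45.142.120.59, and per-address counting alone can miss a source that rotates inside one block. The sample log is constructed (timestamps and addresses mirror the thread; the mailbox names are placeholders because the forum obfuscated the originals, and the final delivery line is made up to show that non-auth lines are ignored). The thresholds, the /24 prefix and the function names are assumptions of this example, not VestaCP or fail2ban defaults.

```python
"""Count failed SMTP AUTH (dovecot_login) attempts in an Exim main.log and flag
sources that exceed a fail2ban-style maxretry/findtime threshold, both per IP
and per /24 block."""
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample in the format Exim writes to /var/log/exim/main.log.
# Timestamps and source addresses mirror the entries quoted in the thread; the
# mailbox names are placeholders (the originals were obfuscated by the forum),
# and the last line is a made-up delivery record the parser must ignore.
SAMPLE_LOG = """\
2020-11-09 11:09:16 dovecot_login authenticator failed for (localhost) [45.142.120.137]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:10:02 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:11:14 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:12:26 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:13:41 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:14:51 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:16:01 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:17:16 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:17:46 dovecot_login authenticator failed for (User) [45.125.65.39]: 535 Incorrect authentication data (set_id=wood)
2020-11-09 11:20:00 1kc0Xx-0001Ab-2C <= sender@example.org H=mail.example.org [203.0.113.5] P=esmtp S=2048
"""

# Matches the "<authenticator> authenticator failed for (...) [ip]: 535 ..." line.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for \([^)]*\) \[(?P<ip>[^\]]+)\]: "
    r"535 Incorrect authentication data \(set_id=(?P<user>[^)]*)\)"
)


def parse_auth_failures(text):
    """Return a list of (timestamp, authenticator, source_ip, attempted_login)
    for every failed AUTH line; all other Exim log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["auth"], m["ip"], m["user"]))
    return events


def _exceeds(times, maxretry, findtime):
    """True if some window no longer than `findtime` holds >= maxretry events
    (the same sliding-window rule fail2ban's maxretry/findtime expresses)."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > findtime:
            start += 1
        if end - start + 1 >= maxretry:
            return True
    return False


def find_bruteforcers(events, maxretry=5, findtime=timedelta(minutes=10), prefix=24):
    """Return (offending_ips, offending_blocks). Blocks aggregate per /prefix so a
    source that rotates addresses inside one range still trips the threshold."""
    by_ip, by_block = defaultdict(list), defaultdict(list)
    for ts, _auth, ip, _user in events:
        by_ip[ip].append(ts)
        by_block[str(ip_network(f"{ip}/{prefix}", strict=False))].append(ts)
    ips = {ip for ip, t in by_ip.items() if _exceeds(t, maxretry, findtime)}
    blocks = {net for net, t in by_block.items() if _exceeds(t, maxretry, findtime)}
    return ips, blocks


def summarize(text, **thresholds):
    """Parse `text` and return per-IP counts, the mailboxes targeted, and the
    sources (addresses and blocks) that crossed the threshold."""
    events = parse_auth_failures(text)
    per_ip = Counter(ip for _ts, _auth, ip, _user in events)
    targets = sorted({user for _ts, _auth, _ip, user in events})
    ips, blocks = find_bruteforcers(events, **thresholds)
    return {"per_ip": dict(per_ip), "targets": targets,
            "flag_ips": sorted(ips), "flag_blocks": sorted(blocks)}


if __name__ == "__main__":
    # Pass a path (e.g. /var/log/exim/main.log) to scan a real log; with no
    # argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    for ip, n in sorted(report["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:>16}  {n} failed logins")
    print("threshold exceeded by IPs:   ", ", ".join(report["flag_ips"]) or "-")
    print("threshold exceeded by blocks:", ", ".join(report["flag_blocks"]) or "-")
```

On the sample, 45.142.120.59 alone crosses the default per-address threshold (7 failures in just over 7 minutes), while the /24 view attributes 8 failures to 45.142.120.0/24. Tightening the window to one minute shows the point of the aggregation: no single address fires, because the attempts are spaced more than a minute apart, but the block still does, since the .137 and .59 attempts are 46 seconds apart. That is the behaviour a per-IP fail2ban jail with short `bantime` misses, and the reason a permanent block on the range was the practical fix in this thread.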
- Posts: 3
- Joined: Thu Oct 08, 2020 2:16 am
- Os: Ubuntu 15x
- Web: apache + nginx
Re: Brute force on email
I am also experiencing this one... someone is trying to access or brute-force my mail server.
- Posts: 11
- Joined: Mon Feb 01, 2021 7:38 am
- Os: Ubuntu 17x
- Web: apache + nginx
Re: Brute force on email
You guys find a solution to this?
It's an everyday occurrence for me. And it negatively impacts the performance of my websites. At this point, I'm thinking of just paying Google to host my email and closing down the email server completely. I forward all email from my server to my Gmail accounts anyway.
Or is there a way to just block all remote access/attempts to log in to the email server and only allow Google's IP addresses? The only thing that connects to send outbound email from my server is Gmail/Google. So I wonder if this would be a better option for me. If I could just shut down any access from outside (except for Google), I think this might be the best solution, right?
- Posts: 5
- Joined: Mon Apr 12, 2021 1:41 pm
- Os: Debian 8x
- Web: apache + nginx
Re: Brute force on email
VestaCP is vastly outdated and exploited with no security patches or updates for a long time now.
I suggest you use HestiaCP, a fork of VestaCP that is also open-source, just updated, with new features, and not dead like VestaCP.
I don't know why VestaCP is still up and offered as an install option by some hosting providers, because it shouldn't be.
HestiaCP is a fork of VestaCP and you can check it out on https://hestiacp.com and join Discord for quick support or post on the forum.
Most of the Hestia developers are from the original VestaCP team, so give them credit and try HestiaCP; donate if you like it and support them.
Best regards,
Nikola.
- Posts: 11
- Joined: Mon Feb 01, 2021 7:38 am
- Os: Ubuntu 17x
- Web: apache + nginx
Re: Brute force on email
Thanks Nikola! I guess this will be next weekend’s project.
- Posts: 1
- Joined: Fri Jun 11, 2021 11:05 am
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Brute force on email
this is really good, thank you for sharing with us vidmate app mobdro apk
- Posts: 24
- Joined: Thu Dec 30, 2021 10:04 am
- Os: CentOS 7x
- Web: apache
Re: Brute force on email
Is there a way to simply ban all remote access/attempts to log on to the email server, allowing only Google's IP addresses to do so?