Brute force on email

Posted: Tue May 07, 2019 11:38 pm
by pipoy
Hi,

Is anyone here also experiencing a brute force attack with your emails?

I actually noticed this months before as I see 139.28.174.155 in the fail2ban list under MAIL.

The weird part is that it exists on every VestaCP I have. So I think this is not an isolated attack.

You also may want to check out your /var/log/exim/main.log
I have new and under-development domains that are part of the logs. I mean, it is impossible that they became aware of the domain and just randomly brute-forced an email under that domain.

Re: Brute force on email

Posted: Wed May 08, 2019 2:56 am
by ricardopxl
I have the same problem right now, from 4 hours ago!

Spamassassin and clamd use all cpu. Can you solve this problem?

Re: Brute force on email

Posted: Wed May 08, 2019 9:40 am
by pipoy
ricardopxl wrote:
Wed May 08, 2019 2:56 am
I have the same problem right now, from 4 hours ago!

If the IP address was automatically banned by fail2ban, it will be deleted after a few minutes.
So what I did is I just manually added this IP address, 139.28.174.0/24, so it is permanently banned.

But it begs the question: why are we getting this?

ricardopxl wrote:
Wed May 08, 2019 2:56 am
Spamassassin and clamd use all cpu. Can you solve this problem?

Not sure if that is related.

Re: Brute force on email

Posted: Mon Nov 09, 2020 9:09 pm
I have also been receiving a brute force attack on my Exim/Dovecot installation in my VestaCP. Is there anything I can do about this apart from blocking that IP range?

2020-11-09 11:09:16 dovecot_login authenticator failed for (localhost) [45.142.120.137]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:10:02 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:11:14 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:12:26 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:13:41 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:14:51 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:16:01 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:17:16 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:17:46 dovecot_login authenticator failed for (User) [45.125.65.39]: 535 Incorrect authentication data (set_id=wood)
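
A defender's check on the log format quoted above, added here as an example and not taken from the thread, VestaCP or fail2ban: it parses the `dovecot_login authenticator failed` lines from Exim's main.log and counts failures per /24 inside a fail2ban-style `findtime` window, which is the aggregation pipoy's manual /24 ban relies on. The sample lines are constructed in the same format using addresses quoted in the thread; the `set_id` values are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches the Exim main.log failure lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dovecot_login authenticator failed "
    r"for \(.*?\) \[(?P<ip>[0-9.]+)\]: 535 Incorrect authentication data \(set_id=(?P<user>[^)]*)\)"
)

# Constructed sample in the page's format: addresses are the ones quoted in the
# thread, the set_id values are made up.
SAMPLE_LOG = """\
2020-11-09 11:09:16 dovecot_login authenticator failed for (localhost) [45.142.120.137]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:10:02 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=info@example.com)
2020-11-09 11:11:14 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=sales@example.com)
2020-11-09 11:12:26 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=admin@example.com)
2020-11-09 11:13:41 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=test@example.com)
2020-11-09 11:14:51 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=postmaster@example.com)
2020-11-09 11:17:46 dovecot_login authenticator failed for (User) [45.125.65.39]: 535 Incorrect authentication data (set_id=wood)
"""


def parse_failures(text):
    """Yield (timestamp, ip, user) for every failed-authentication line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), ip_address(m["ip"]), m["user"]


def offenders(text, maxretry=5, findtime=timedelta(minutes=10), prefix=24):
    """Return {network: total_failures} for each /prefix block that produced at least
    maxretry failures inside any findtime window (fail2ban's maxretry/findtime model).
    Grouping by block rather than single address catches an attacker who rotates
    addresses inside one /24, as the 45.142.120.x lines above do."""
    by_net = defaultdict(list)
    for ts, ip, _ in parse_failures(text):
        by_net[ip_network(f"{ip}/{prefix}", strict=False)].append(ts)
    hits = {}
    for net, times in by_net.items():
        times.sort()
        start = 0  # sliding window: times[start:end+1] all lie within findtime
        for end, t in enumerate(times):
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                hits[str(net)] = len(times)
                break
    return hits
```

Run with `prefix=32` to reproduce fail2ban's default per-address view; the /24 view is what justifies banning the whole block rather than one address that will be swapped out in minutes.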

Re: Brute force on email

Posted: Tue Nov 24, 2020 3:24 am
by cooldevserge
I am also experiencing this one. Someone is trying to access or brute-force my mail server.

Re: Brute force on email

Posted: Sat Apr 10, 2021 12:09 am
by americanninja
You guys find a solution to this?

It's an everyday occurrence for me. And it negatively impacts the performance of my websites. At this point, I'm thinking of just paying Google to host my email and closing down the email server completely. I forward all email from my server to my Gmail accounts anyway.

Or is there a way to just block all remote access/attempts to log in to the email server and only allow Google's IP addresses? The only thing that connects to send outbound email from my server is Gmail/Google. So I wonder if this would be a better option for me. If I could just shut down any access from outside (except for Google), I think this might be the best solution, right?

Re: Brute force on email

Posted: Mon Apr 12, 2021 1:49 pm
by hestiauser
VestaCP is vastly outdated and exploited, with no security patches or updates for a long time now.

I suggest you use HestiaCP, a fork of VestaCP that is also open-source, just updated, with new features and not dead like VestaCP.

I don't know why VestaCP is still up and offered as an option to install with some hosting providers, because it shouldn't be.

HestiaCP is a fork of VestaCP and you can check it out on https://hestiacp.com and join Discord for quick support or post on the forum.

Most of the Hestia developers are from the original VestaCP team, so give them credit and try HestiaCP, donate if you like it and support them.

Best regards,
Nikola.

Re: Brute force on email

Posted: Mon Apr 12, 2021 4:19 pm
by americanninja
Thanks Nikola! I guess this will be next weekend’s project.

Re: Brute force on email

Posted: Tue Feb 08, 2022 7:36 am
by clementishutin
Is there a way to simply ban all remote access/attempts to log on to the email server, allowing only Google's IP addresses to do so?