Vesta Control Panel - Forum

I have been going through my log files and I noticed that there are several repeat incorrect authentication data for the same IP addresses..

I think someones trying to get into my emails..

2018-02-07 23:35:05 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:38:42 dovecot_login authenticator failed for (User) [91.200.12.145]: 535 Incorrect authentication data (set_id=kirsten)
2018-02-07 23:38:47 dovecot_login authenticator failed for (User) [91.200.12.174]: 535 Incorrect authentication data (set_id=delia)
2018-02-07 23:38:53 dovecot_login authenticator failed for (User) [80.82.70.210]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:16:24 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:18:03 dovecot_login authenticator failed for (User) [91.200.12.9]: 535 Incorrect authentication data (set_id=hattie)
2018-02-07 23:11:41 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:13:48 dovecot_login authenticator failed for (User) [91.200.12.219]: 535 Incorrect authentication data (set_id=napoleon)
2018-02-07 03:51:47 dovecot_login authenticator failed for (User) [91.200.12.204]: 535 Incorrect authentication data (set_id=frankie)
2018-02-07 03:51:55 dovecot_login authenticator failed for (User) [91.200.12.203]: 535 Incorrect authentication data (set_id=eliza)
2018-02-07 03:52:00 dovecot_login authenticator failed for (User) [91.200.12.216]: 535 Incorrect authentication data (set_id=paypal)

There is more for the same day and about 1 million frozen messages..
I have added them to the banned IP list for all services.. :) took many hours to get them all in there..

you might want to tune your fail2ban for dovecot and ban IPs for a week. Your server is being hammered by some attacker bot

thanks will read up on google on how to do this..

Update - added maxretries and bantime to the jail.local
Modified the findtime variable to more likely katch them in jail.conf.


Hope this works.. :P

liamgibbins wrote: ↑

Wed Feb 07, 2018 11:13 pm

I have been going through my log files and I noticed that there are several repeat incorrect authentication data for the same IP addresses..
I think someones trying to get into my emails..

Bots... if you have strong passwords, you can but those or ignore. ^_^

liamgibbins wrote: ↑

Thu Feb 08, 2018 8:28 am

Update - added maxretries and bantime to the jail.local
Modified the findtime variable to more likely katch them in jail.conf.

I hope you restarted fail2ban after that... if not please do.

Sure did... thank you for your help... :P great community here so much better than the now seemingly dead sentora CP.. :)

just hope it works will check on monday and see whats been happening.. :P

Hi I this worked for me:

add the following to file /etc/fail2ban/jail.local then if there is any log files related to fail2ban I deleted it. logged into control panel with mydomain:8083 and restarted fail2ban from the server list after clicking Server in the right upper corner.

My list of frozen mails has grown longer and I see that in the mentioned log file there are banned and unbanned ip addresses.

My problem was that mails with attachments cant send or receive.

I only could make it work by checking and removing all frozen mails by manually using
.

Using the above solution feels like a better approach after one day already. I can send and receive mails with and without attachments. I think this pretty generic solution should be integrated in the next release as default.

Seems like a hacking attempt. I've seen a few of them.

I would recommend using fail2ban to block the IP on multiple failures. Verify the patterns as the default patterns don't always match. It handles multiple files and multiple services.