Lots of frozen messages
-
- Posts: 28
- Joined: Thu Jan 04, 2018 5:33 pm
- Os: CentOS 6x
- Web: apache + nginx
I have been going through my log files and I noticed that there are several repeat incorrect authentication data for the same IP addresses..
I think someone's trying to get into my emails..
2018-02-07 23:35:05 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:38:42 dovecot_login authenticator failed for (User) [91.200.12.145]: 535 Incorrect authentication data (set_id=kirsten)
2018-02-07 23:38:47 dovecot_login authenticator failed for (User) [91.200.12.174]: 535 Incorrect authentication data (set_id=delia)
2018-02-07 23:38:53 dovecot_login authenticator failed for (User) [80.82.70.210]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:16:24 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:18:03 dovecot_login authenticator failed for (User) [91.200.12.9]: 535 Incorrect authentication data (set_id=hattie)
2018-02-07 23:11:41 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:13:48 dovecot_login authenticator failed for (User) [91.200.12.219]: 535 Incorrect authentication data (set_id=napoleon)
2018-02-07 03:51:47 dovecot_login authenticator failed for (User) [91.200.12.204]: 535 Incorrect authentication data (set_id=frankie)
2018-02-07 03:51:55 dovecot_login authenticator failed for (User) [91.200.12.203]: 535 Incorrect authentication data (set_id=eliza)
2018-02-07 03:52:00 dovecot_login authenticator failed for (User) [91.200.12.216]: 535 Incorrect authentication data (set_id=paypal)
There is more for the same day and about 1 million frozen messages..
I have added them to the banned IP list for all services.. :) took many hours to get them all in there..
-
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Contact:
- Os: Debian 8x
- Web: apache + nginx
Re: Lots of frozen messages
You might want to tune your fail2ban for dovecot and ban IPs for a week. Your server is being hammered by some attacker bot.
-
- Posts: 28
- Joined: Thu Jan 04, 2018 5:33 pm
- Os: CentOS 6x
- Web: apache + nginx
Re: Lots of frozen messages
thanks will read up on google on how to do this..
Update - added maxretries and bantime to the jail.local
Modified the findtime variable to more likely catch them in jail.conf.
Hope this works.. :P
Re: Lots of frozen messages
liamgibbins wrote: ↑Wed Feb 07, 2018 11:13 pm
"I have been going through my log files and I noticed that there are several repeat incorrect authentication data for the same IP addresses..
I think someone's trying to get into my emails.."

Bots... if you have strong passwords, you can but those or ignore. ^_^
-
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Contact:
- Os: Debian 8x
- Web: apache + nginx
Re: Lots of frozen messages
liamgibbins wrote: ↑Thu Feb 08, 2018 8:28 am
"Update - added maxretries and bantime to the jail.local
Modified the findtime variable to more likely catch them in jail.conf."

I hope you restarted fail2ban after that... if not please do.
-
- Posts: 28
- Joined: Thu Jan 04, 2018 5:33 pm
- Os: CentOS 6x
- Web: apache + nginx
Re: Lots of frozen messages
Sure did... thank you for your help... :P great community here so much better than the now seemingly dead sentora CP.. :)
Just hope it works, will check on Monday and see what's been happening.. :P
-
- Posts: 5
- Joined: Fri Jan 11, 2019 5:55 pm
- Os: Debian 7x
- Web: apache + nginx
Re: Lots of frozen messages
Hi, this worked for me:
Add the following to file /etc/fail2ban/jail.local
Code: Select all
# fail2ban's stock jail and filter are named "recidive"
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
port = all
protocol = all
# the option that sets the failure threshold is maxretry
maxretry = 5
# 1 week
bantime = 604800
# 1 day
findtime = 86400

Then, if there were any log files related to fail2ban, I deleted them. I logged into the control panel with mydomain:8083 and restarted fail2ban from the server list after clicking Server in the upper right corner.
My list of frozen mails has grown longer and I see that in the mentioned log file there are banned and unbanned IP addresses.
My problem was that mails with attachments can't send or receive.
I only could make it work by checking and removing all frozen mails by manually using
Code: Select all
# list the mail queue
exim -bp
Code: Select all
# exiqgrep -i prints the ID of every queued message; add -z to select frozen ones only
exim -bp | exiqgrep -i | xargs exim -Mrm

Using the above solution feels like a better approach after one day already. I can send and receive mails with and without attachments. I think this pretty generic solution should be integrated in the next release as default.
Re: Lots of frozen messages
Seems like a hacking attempt. I've seen a few of them.
I would recommend using fail2ban to block the IP on multiple failures. Verify the patterns as the default patterns don't always match. It handles multiple files and multiple services.
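To check that a pattern matches log lines like those in the first post, and to see how the maxretry and findtime values discussed in this thread decide what gets banned, here is an added example (not code from the thread or from fail2ban) that replays constructed log lines through a simplified ban rule. The regex, the function names and the sample data are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Modelled on the Exim lines in this thread (assumption, not fail2ban's filter); IPv4 only.
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ authenticator failed for "
    r".*\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: 535 Incorrect authentication data")

def parse(lines):
    """Yield (timestamp, ip) for every line the pattern matches."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

def offenders(events, maxretry, findtime, prefix=32):
    """Sources with at least maxretry failures inside findtime seconds.
    prefix=32 counts per address (what a per-IP ban sees); 24 groups a /24."""
    hits = defaultdict(list)
    for ts, ip in events:
        hits[str(ip_network(f"{ip}/{prefix}", strict=False))].append(ts)
    window, flagged = timedelta(seconds=findtime), set()
    for key, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                flagged.add(key)
                break
    return flagged

# Constructed sample: documentation addresses and made-up logins.
_FMT = ("2018-02-07 {} dovecot_login authenticator failed for (User) [{}]: "
        "535 Incorrect authentication data (set_id={})")
SAMPLE = [
    _FMT.format("03:51:47", "198.51.100.204", "alice"),
    _FMT.format("03:51:55", "198.51.100.203", "bob"),
    _FMT.format("03:52:00", "198.51.100.216", "carol"),
    _FMT.format("23:11:41", "192.0.2.183", "info@example.com"),
    _FMT.format("23:16:24", "192.0.2.183", "info@example.com"),
    _FMT.format("23:35:05", "192.0.2.183", "info@example.com"),
    "2018-02-07 23:40:00 1ejXyZ-0001ab-Cd Frozen (delivery error message)",
]
EVENTS = list(parse(SAMPLE))

if __name__ == "__main__":
    for args in ((3, 600), (3, 3600), (3, 600, 24)):
        print(args, sorted(offenders(EVENTS, *args)))
```

On the constructed data, a 600-second findtime flags nothing per address, a 3600-second findtime flags the repeating address, and grouping by /24 exposes the hosts that each try only once.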