Lots of frozen messages
-
liamgibbins
- Posts: 28
- Joined: Thu Jan 04, 2018 5:33 pm
- Os: CentOS 6x
- Web: apache + nginx
Lots of frozen messages
I have been going through my log files and I noticed that there are several repeat incorrect authentication data for the same IP addresses..
I think someones trying to get into my emails..
2018-02-07 23:35:05 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:38:42 dovecot_login authenticator failed for (User) [91.200.12.145]: 535 Incorrect authentication data (set_id=kirsten)
2018-02-07 23:38:47 dovecot_login authenticator failed for (User) [91.200.12.174]: 535 Incorrect authentication data (set_id=delia)
2018-02-07 23:38:53 dovecot_login authenticator failed for (User) [80.82.70.210]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:16:24 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:18:03 dovecot_login authenticator failed for (User) [91.200.12.9]: 535 Incorrect authentication data (set_id=hattie)
2018-02-07 23:11:41 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:13:48 dovecot_login authenticator failed for (User) [91.200.12.219]: 535 Incorrect authentication data (set_id=napoleon)
2018-02-07 03:51:47 dovecot_login authenticator failed for (User) [91.200.12.204]: 535 Incorrect authentication data (set_id=frankie)
2018-02-07 03:51:55 dovecot_login authenticator failed for (User) [91.200.12.203]: 535 Incorrect authentication data (set_id=eliza)
2018-02-07 03:52:00 dovecot_login authenticator failed for (User) [91.200.12.216]: 535 Incorrect authentication data (set_id=paypal)
There is more for the same day and about 1 million frozen messages..
I have added them to the banned IP list for all services.. :) took many hours to get them all in there..
I think someones trying to get into my emails..
2018-02-07 23:35:05 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:38:42 dovecot_login authenticator failed for (User) [91.200.12.145]: 535 Incorrect authentication data (set_id=kirsten)
2018-02-07 23:38:47 dovecot_login authenticator failed for (User) [91.200.12.174]: 535 Incorrect authentication data (set_id=delia)
2018-02-07 23:38:53 dovecot_login authenticator failed for (User) [80.82.70.210]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:16:24 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:18:03 dovecot_login authenticator failed for (User) [91.200.12.9]: 535 Incorrect authentication data (set_id=hattie)
2018-02-07 23:11:41 dovecot_login authenticator failed for (User) [191.96.249.183]: 535 Incorrect authentication data (set_id=[email protected])
2018-02-07 23:13:48 dovecot_login authenticator failed for (User) [91.200.12.219]: 535 Incorrect authentication data (set_id=napoleon)
2018-02-07 03:51:47 dovecot_login authenticator failed for (User) [91.200.12.204]: 535 Incorrect authentication data (set_id=frankie)
2018-02-07 03:51:55 dovecot_login authenticator failed for (User) [91.200.12.203]: 535 Incorrect authentication data (set_id=eliza)
2018-02-07 03:52:00 dovecot_login authenticator failed for (User) [91.200.12.216]: 535 Incorrect authentication data (set_id=paypal)
There is more for the same day and about 1 million frozen messages..
I have added them to the banned IP list for all services.. :) took many hours to get them all in there..
-
mehargags
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Contact:
- Os: Debian 8x
- Web: apache + nginx
Re: Lots of frozen messages
you might want to tune your fail2ban for dovecot and ban IPs for a week. Your server is being hammered by some attacker bot
-
liamgibbins
- Posts: 28
- Joined: Thu Jan 04, 2018 5:33 pm
- Os: CentOS 6x
- Web: apache + nginx
Re: Lots of frozen messages
thanks will read up on google on how to do this..
Update - added maxretries and bantime to the jail.local
Modified the findtime variable to more likely katch them in jail.conf.
Hope this works.. :P
Update - added maxretries and bantime to the jail.local
Modified the findtime variable to more likely katch them in jail.conf.
Hope this works.. :P
Re: Lots of frozen messages
Bots... if you have strong passwords, you can but those or ignore. ^_^liamgibbins wrote: ↑Wed Feb 07, 2018 11:13 pmI have been going through my log files and I noticed that there are several repeat incorrect authentication data for the same IP addresses..
I think someones trying to get into my emails..
-
mehargags
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Contact:
- Os: Debian 8x
- Web: apache + nginx
Re: Lots of frozen messages
I hope you restarted fail2ban after that... if not please do.liamgibbins wrote: ↑Thu Feb 08, 2018 8:28 amUpdate - added maxretries and bantime to the jail.local
Modified the findtime variable to more likely katch them in jail.conf.
-
liamgibbins
- Posts: 28
- Joined: Thu Jan 04, 2018 5:33 pm
- Os: CentOS 6x
- Web: apache + nginx
Re: Lots of frozen messages
Sure did... thank you for your help... :P great community here so much better than the now seemingly dead sentora CP.. :)
just hope it works will check on monday and see whats been happening.. :P
just hope it works will check on monday and see whats been happening.. :P
-
puremilkorwhite
- Posts: 5
- Joined: Fri Jan 11, 2019 5:55 pm
- Os: Debian 7x
- Web: apache + nginx
Re: Lots of frozen messages
Hi I this worked for me:
add the following to file /etc/fail2ban/jail.local
then if there is any log files related to fail2ban I deleted it. logged into control panel with mydomain:8083 and restarted fail2ban from the server list after clicking Server in the right upper corner.
My list of frozen mails has grown longer and I see that in the mentioned log file there are banned and unbanned ip addresses.
My problem was that mails with attachments cant send or receive.
I only could make it work by checking and removing all frozen mails by manually using
.
Using the above solution feels like a better approach after one day already. I can send and receive mails with and without attachments. I think this pretty generic solution should be integrated in the next release as default.
add the following to file /etc/fail2ban/jail.local
Code: Select all
[recidives]
enabled = true
logpath = /var/log/fail2ban.log
port = all
protocol = all
maxentry = 5
bantime = 604800 ; 1 week
findtime = 86400; 1 day
My list of frozen mails has grown longer and I see that in the mentioned log file there are banned and unbanned ip addresses.
My problem was that mails with attachments cant send or receive.
I only could make it work by checking and removing all frozen mails by manually using
Code: Select all
exim -bpCode: Select all
exim -bp | exiqgrep -i | xargs exim -MrmUsing the above solution feels like a better approach after one day already. I can send and receive mails with and without attachments. I think this pretty generic solution should be integrated in the next release as default.
Re: Lots of frozen messages
Seems like a hacking attempt. I've seen a few of them.
I would recommend using fail2ban to block the IP on multiple failures. Verify the patterns as the default patterns don't always match. It handles multiple files and multiple services.
I would recommend using fail2ban to block the IP on multiple failures. Verify the patterns as the default patterns don't always match. It handles multiple files and multiple services.