Vesta Control Panel - Forum

Brute force on email

pipoy
Posts: 112
Joined: Mon Sep 11, 2017 8:02 am

Os: CentOS 6x
Web: apache
Brute force on email
Post by pipoy » Tue May 07, 2019 11:38 pm

Hi,

Is anyone here also experiencing a brute force attack with your emails?

I actually noticed this months ago, as I see 139.28.174.155 in the fail2ban list under MAIL.

The weird part is that it exists on every VestaCP I have. So I think this is not an isolated attack.

You also may want to check out your /var/log/exim/main.log.
I have new and under-development domains that are part of the logs. I mean, it is impossible that they were made aware of the domain and just randomly brute-force an email under that domain.

ricardopxl
Posts: 3
Joined: Wed Apr 04, 2018 11:59 am

Os: CentOS 7x
Web: apache + nginx
Re: Brute force on email
Post by ricardopxl » Wed May 08, 2019 2:56 am

I have the same problem right now, since 4 hours ago!

SpamAssassin and clamd use all the CPU. Can you solve this problem?

pipoy
Posts: 112
Joined: Mon Sep 11, 2017 8:02 am

Os: CentOS 6x
Web: apache
Re: Brute force on email
Post by pipoy » Wed May 08, 2019 9:40 am

ricardopxl wrote (Wed May 08, 2019 2:56 am):
> I have the same problem right now, since 4 hours ago!

If the IP address was automatically banned by fail2ban, it will be deleted after a few minutes.
So what I did is I just manually added this IP address, 139.28.174.0/24, so he is permanently banned.

But it begs the question, why are we getting this?

ricardopxl wrote (Wed May 08, 2019 2:56 am):
> Spamassassin and clamd use all cpu. Can you solve this problem?

Not sure if that is related.

[email protected]
Posts: 1
Joined: Mon Nov 09, 2020 8:59 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: Brute force on email
Post by [email protected] » Mon Nov 09, 2020 9:09 pm

I have also been receiving a brute force attack on my Exim/Dovecot installation in my VestaCP. Is there anything I can do about this apart from blocking that IP range?

2020-11-09 11:09:16 dovecot_login authenticator failed for (localhost) [45.142.120.137]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:10:02 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:11:14 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:12:26 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:13:41 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:14:51 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:16:01 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:17:16 dovecot_login authenticator failed for (localhost) [45.142.120.59]: 535 Incorrect authentication data (set_id=[email protected])
2020-11-09 11:17:46 dovecot_login authenticator failed for (User) [45.125.65.39]: 535 Incorrect authentication data (set_id=wood)
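
Added example, not part of any post in this thread: a Python sketch that parses failed-authentication lines in the Exim main.log format quoted above and groups them by /24, which shows attempts spread across neighbouring addresses, as with the 139.28.174.0/24 range banned earlier in the thread. The sample log, its addresses and mailbox names, and the `noisy_networks` name are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the Exim main.log lines quoted above.
# Addresses are documentation ranges and mailbox names are made up.
SAMPLE_LOG = """\
2020-11-09 11:09:16 dovecot_login authenticator failed for (localhost) [203.0.113.137]: 535 Incorrect authentication data (set_id=info@example.test)
2020-11-09 11:10:02 dovecot_login authenticator failed for (localhost) [203.0.113.59]: 535 Incorrect authentication data (set_id=sales@example.test)
2020-11-09 11:11:14 dovecot_login authenticator failed for (localhost) [203.0.113.59]: 535 Incorrect authentication data (set_id=admin@example.test)
2020-11-09 11:12:26 dovecot_login authenticator failed for (localhost) [203.0.113.59]:40112: 535 Incorrect authentication data (set_id=info@example.test)
2020-11-09 11:13:05 1kc4Xy-0001ab-Cd <= user@example.test H=(client) [192.0.2.10] P=esmtpsa
2020-11-09 11:17:46 dovecot_login authenticator failed for (User) [198.51.100.39]: 535 Incorrect authentication data (set_id=wood)
"""

FAIL_RE = re.compile(
    r"^\S+ \S+ (?P<auth>\w+) authenticator failed for .*?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?"
)

def noisy_networks(log_text, min_failures=3):
    """Group failed SMTP AUTH attempts by /24 (IPv4) or /64 (IPv6).
    Returns [(network, failures, distinct_ips, distinct_logins)], busiest first,
    keeping only networks with at least min_failures failures.
    """
    stats = defaultdict(lambda: [0, set(), set()])
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # deliveries and other non-auth lines
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # bracketed text that is not an address
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
        entry = stats[str(net)]
        entry[0] += 1
        entry[1].add(str(ip))
        if m["user"]:
            entry[2].add(m["user"])
    rows = [(n, c, len(ips), len(users)) for n, (c, ips, users) in stats.items()
            if c >= min_failures]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for net, fails, ips, logins in noisy_networks(SAMPLE_LOG):
        print(f"{net}: {fails} failures from {ips} address(es), {logins} login name(s)")
```

Run against the real file by passing the contents of /var/log/exim/main.log as `log_text`; a network with several source addresses and many login names is a candidate for a range ban rather than per-address bans.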

cooldevserge
Posts: 3
Joined: Thu Oct 08, 2020 2:16 am

Os: Ubuntu 15x
Web: apache + nginx
Re: Brute force on email
Post by cooldevserge » Tue Nov 24, 2020 3:24 am

I am also experiencing this one. Someone is trying to access or brute-force my mail server.

americanninja
Posts: 11
Joined: Mon Feb 01, 2021 7:38 am

Os: Ubuntu 17x
Web: apache + nginx
Re: Brute force on email
Post by americanninja » Sat Apr 10, 2021 12:09 am

You guys find a solution to this?

It's an everyday occurrence for me. And it negatively impacts the performance of my websites. At this point, I'm thinking of just paying Google to host my email and closing down the email server completely. I forward all email from my server to my Gmail accounts anyway.

Or is there a way to just block all remote access/attempts to log in to the email server and only allow Google's IP addresses? The only thing that connects to send outbound email from my server is Gmail/Google. So I wonder if this would be a better option for me. If I could just shut down any access from outside (except for Google), I think this might be the best solution, right?

hestiauser
Posts: 5
Joined: Mon Apr 12, 2021 1:41 pm

Os: Debian 8x
Web: apache + nginx
Re: Brute force on email
Post by hestiauser » Mon Apr 12, 2021 1:49 pm

VestaCP is vastly outdated and exploited, with no security patches or updates for a long time now.

I suggest you use HestiaCP, a fork of VestaCP that is also open-source, just updated, with new features, and not dead like VestaCP.

I don't know why VestaCP is still up and among the install options with some hosting providers, because it shouldn't be.

HestiaCP is a fork of VestaCP and you can check it out on https://hestiacp.com and join Discord for quick support or post on the forum.

Most of the Hestia developers are from the original VestaCP team, so give them credit and try HestiaCP, donate if you like it and support them.

Best regards,
Nikola.

americanninja
Posts: 11
Joined: Mon Feb 01, 2021 7:38 am

Os: Ubuntu 17x
Web: apache + nginx
Re: Brute force on email
Post by americanninja » Mon Apr 12, 2021 4:19 pm

Thanks Nikola! I guess this will be next weekend’s project.


clementishutin
Posts: 24
Joined: Thu Dec 30, 2021 10:04 am

Os: CentOS 7x
Web: apache
Re: Brute force on email
Post by clementishutin » Tue Feb 08, 2022 7:36 am

Is there a way to simply ban all remote access/attempts to logon to the email server, allowing only Google's IP addresses to do so?

