Hello, I have searched for information but I am not sure how to solve the following, or whether it is normal. I have a new installation following the guide The Perfect Server - Debian 10 (Buster) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1. In ISPConfig monitoring I can see the following message from several very insistent IPs:

Code:
Dec 19 13:54:54 mail postfix/smtpd[3533]: warning: unknown[46.38.144.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

I would like to know if there is any solution to block these IPs that make such an insistent attack?

As a separate case, ClamAV asks to update, but in Debian it indicates that version 0.102.1 is still unstable and is not updated in Debian 10. Do you recommend waiting, or should I do the manual installation? Thanks
It is good to have fail2ban. You can decrease the number of attempts and increase the bantime if you like. However, if the attacker always uses different IPs it is difficult. Solutions depend on your setup.

The IPs in your example are all from Iran. I have seen the same on my server. Have a look at ipset. People maintain lists of known attacker IPs and you can use them for a block list. Your mentioned IPs, for example, are on there. See for setup: https://github.com/trick77/ipset-blacklist

The good thing is that blocking via the firewall uses much fewer resources than if postfix/apache has to handle these requests. Since I know that I will not receive any mails from Iran/China/Russia, I have additionally blocked these IP ranges and have since drastically reduced these login attempts. Be aware that this can lead to false positives if you have customers etc. that interact with people from those regions. You could also block only some specific services (IMAP/Web/SMTP ...).
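As an added example for the approach in the answer above (not code from the thread, from fail2ban, or from the ipset-blacklist project): the script below parses Postfix smtpd log lines like the one in the question, applies a fail2ban-style maxretry/findtime window per client IP, and prints the ipset/iptables commands that would load the offenders into a firewall set. It also decodes the base64 trailer from the log line: "UGFzc3dvcmQ6" is the LOGIN mechanism's "Password:" prompt, not the attacker's password. The sample log lines are constructed; the year 2019 for syslog timestamps, the thresholds (3 failures in 10 minutes) and the set name "blacklist" are assumptions, and the commands are only printed, never executed.

```python
"""Count Postfix SASL login failures per client IP with a fail2ban-style
sliding window and emit ipset commands for the offenders.  Added example for
this thread; not fail2ban's or ipset-blacklist's own code.  Runs offline."""
import base64
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in the shape Postfix writes them (the line from
# the question, minus the forum's extra spaces around "/"); not real captures.
SAMPLE_LOG = """\
Dec 19 13:54:54 mail postfix/smtpd[3533]: warning: unknown[46.38.144.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 13:55:10 mail postfix/smtpd[3533]: warning: unknown[46.38.144.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 13:55:31 mail postfix/smtpd[3540]: warning: unknown[46.38.144.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 13:56:02 mail postfix/smtpd[3541]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Dec 19 13:57:45 mail postfix/smtpd[3542]: warning: unknown[46.38.144.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 13:58:00 mail postfix/smtpd[3543]: connect from unknown[203.0.113.9]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:(?: (?P<reason>\S+))?"
)

ASSUMED_YEAR = 2019  # syslog timestamps carry no year; assumed for this example


def parse_sasl_failures(log_text):
    """Return (timestamp, ip, mechanism, reason) for every SASL failure line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connects, disconnects, unrelated warnings
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append((ts, m["ip"], m["mech"], m["reason"] or ""))
    return events


def decode_reason(reason):
    """The trailer after 'authentication failed:' is base64.  For the LOGIN
    mechanism it is the server's own 'Password:' prompt, not a password."""
    try:
        return base64.b64decode(reason, validate=True).decode("ascii", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def find_offenders(events, maxretry=3, findtime=600):
    """Ban an IP once it has maxretry failures within findtime seconds, the
    same idea as fail2ban's maxretry/findtime.  Returns {ip: ban timestamp}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _mech, _reason in sorted(events):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures that fell out of the window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ipset_commands(banned, setname="blacklist"):
    """Shell lines that load the offenders into an ipset and drop matching
    sources in iptables.  The set name 'blacklist' (hash:net) is assumed here;
    the commands are returned as strings, not executed."""
    cmds = [
        f"ipset create {setname} hash:net -exist",
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in sorted(banned)]
    return cmds


if __name__ == "__main__":
    events = parse_sasl_failures(SAMPLE_LOG)
    print("reason trailer decodes to:", decode_reason(events[0][3]))
    for cmd in ipset_commands(find_offenders(events)):
        print(cmd)
```

With the constructed log, 46.38.144.32 reaches three failures at 13:55:31 and is listed; 198.51.100.7 fails only once and is not. Raising maxretry to 5 would let the same IP through within that window, which is the trade-off behind the advice to lower the attempt count. Note that the firewall rule matches the source address before Postfix ever sees the connection, which is what saves resources compared to letting smtpd reject each attempt.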
SASL is unused/unneeded nowadays, deactivate and/or remove it

Code:
sudo dpkg -r sasl%*
sudo mock -p:80 # if mock app is installed. Otherwise -> ignore this

If SASL was acquired as part of a natively obtained OS (like cloud provider)

Code:
ec2-manager -R sasl% # this will remove anything sasl from your EC2 instance (Amazon AWS)
As written above, Milly uses Debian 10 with Postfix and ISPConfig. Can you give me more information on what lets you make the statement that SASL would be "unused/unneeded nowadays"?
- Your command would break the OP's system if it worked on Debian (no package sasl* is installed there)
- I cannot see how your post is related to the questions above (?)