I have set up email notifications on just about everything, and all of a sudden I am getting hundreds of email notifications on this subject: Sometimes the end of the message is: This seems to me like brute force attacks. I did block the email in iptables and of course it stopped, but can I implement a rule in fail2ban to automatically block these logins when detected? Also, I disabled the plain logins, but the log files do say plain login failed.
Hello! My Mail-Error - Log always reports about numerous failed LOGIN authentications:

Dec 19 22:59:21 vps postfix/smtpd[1812]: connect from localhost[::1]
Dec 19 22:59:21 vps postfix/smtpd[1812]: disconnect from localhost[::1]
Dec 19 22:59:42 vps postfix/smtpd[7687]: connect from unknown[141.98.10.72]
Dec 19 22:59:46 vps postfix/smtpd[7687]: warning: unknown[141.98.10.72]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 22:59:46 vps postfix/smtpd[7687]: disconnect from unknown[141.98.10.72]
Dec 19 22:59:51 vps postfix/smtpd[1812]: connect from localhost[::1]
Dec 19 22:59:51 vps postfix/smtpd[1812]: disconnect from localhost[::1]
Dec 19 23:00:02 vps postfix/smtpd[7687]: connect from localhost[::1]
Dec 19 23:00:02 vps postfix/smtpd[7687]: lost connection after CONNECT from localhost[::1]
Dec 19 23:00:02 vps postfix/smtpd[7687]: disconnect from localhost[::1]
Dec 19 23:00:02 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<gbbGwzPwyLIAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:00:02 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<mNjGwzPwzOQAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:00:05 vps postfix/smtpd[7687]: connect from localhost[::1]
Dec 19 23:00:05 vps postfix/smtpd[7687]: lost connection after CONNECT from localhost[::1]
Dec 19 23:00:05 vps postfix/smtpd[7687]: disconnect from localhost[::1]
Dec 19 23:00:05 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<mu75wzPw2rIAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:00:05 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<Cwr6wzPw3uQAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:00:07 vps postfix/smtpd[5948]: timeout after AUTH from unknown[80.94.95.206]
Dec 19 23:00:07 vps postfix/smtpd[5948]: disconnect from unknown[80.94.95.206]
Dec 19 23:00:21 vps postfix/smtpd[7687]: connect from unknown[45.125.65.37]
Dec 19 23:00:21 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:00:21 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:00:25 vps postfix/smtpd[7687]: warning: unknown[45.125.65.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:00:25 vps postfix/smtpd[7687]: disconnect from unknown[45.125.65.37]
Dec 19 23:00:30 vps postfix/smtpd[5948]: warning: hostname livehh.poppopprision.com does not resolve to address 141.98.11.52
Dec 19 23:00:30 vps postfix/smtpd[5948]: connect from unknown[141.98.11.52]
Dec 19 23:00:33 vps postfix/smtpd[5948]: warning: unknown[141.98.11.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:00:33 vps postfix/smtpd[5948]: disconnect from unknown[141.98.11.52]
Dec 19 23:00:51 vps postfix/smtpd[7687]: connect from localhost[::1]
Dec 19 23:00:51 vps postfix/smtpd[7687]: disconnect from localhost[::1]
Dec 19 23:00:57 vps postfix/smtpd[5948]: warning: hostname type-executes.themedestiny.com does not resolve to address 141.98.11.83: Name or service not known
Dec 19 23:00:57 vps postfix/smtpd[5948]: connect from unknown[141.98.11.83]
Dec 19 23:01:01 vps postfix/smtpd[5948]: warning: unknown[141.98.11.83]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:01:01 vps postfix/smtpd[7687]: connect from localhost[::1]
Dec 19 23:01:01 vps postfix/smtpd[7687]: lost connection after CONNECT from localhost[::1]
Dec 19 23:01:01 vps postfix/smtpd[7687]: disconnect from localhost[::1]
Dec 19 23:01:01 vps postfix/smtpd[5948]: disconnect from unknown[141.98.11.83]
Dec 19 23:01:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<RXVWxzPwULMAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:01:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<rZFWxzPwVOUAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:01:21 vps postfix/smtpd[7687]: connect from localhost[::1]
Dec 19 23:01:21 vps postfix/smtpd[7687]: disconnect from localhost[::1]
Dec 19 23:01:51 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:01:51 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:02:00 vps postfix/smtpd[7687]: warning: hostname srv-141-98-11-22.serveroffer.net does not resolve to address 141.98.11.22: Name or service not known
Dec 19 23:02:00 vps postfix/smtpd[7687]: connect from unknown[141.98.11.22]
Dec 19 23:02:01 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:02:01 vps postfix/smtpd[5948]: lost connection after CONNECT from localhost[::1]
Dec 19 23:02:01 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:02:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<Hq7nyjPw0LMAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:02:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<tlLoyjPw1OUAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:02:04 vps postfix/smtpd[7687]: warning: unknown[141.98.11.22]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:02:04 vps postfix/smtpd[7687]: disconnect from unknown[141.98.11.22]
Dec 19 23:02:21 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:02:21 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:02:22 vps clamd[4365]: SelfCheck: Database status OK.
Dec 19 23:02:51 vps postfix/smtpd[7687]: connect from localhost[::1]
Dec 19 23:02:51 vps postfix/smtpd[7687]: disconnect from localhost[::1]
Dec 19 23:03:01 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:03:01 vps postfix/smtpd[5948]: lost connection after CONNECT from localhost[::1]
Dec 19 23:03:01 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:03:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<ly50zjPwVLQAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:03:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<3kd0zjPwWOYAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:03:21 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:03:21 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:03:52 vps postfix/smtpd[7687]: connect from localhost[::1]
Dec 19 23:03:52 vps postfix/smtpd[7687]: disconnect from localhost[::1]
Dec 19 23:04:00 vps postfix/anvil[17433]: statistics: max connection rate 1/60s for (smtp:80.94.95.206) at Dec 19 22:54:56
Dec 19 23:04:00 vps postfix/anvil[17433]: statistics: max connection count 1 for (smtp:80.94.95.206) at Dec 19 22:54:56
Dec 19 23:04:00 vps postfix/anvil[17433]: statistics: max cache size 6 at Dec 19 22:56:00
Dec 19 23:04:01 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:04:01 vps postfix/smtpd[5948]: lost connection after CONNECT from localhost[::1]
Dec 19 23:04:01 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:04:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<mVQQ0jPwvrQAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:04:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<3XoQ0jPwwuYAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:04:17 vps postfix/smtpd[7687]: warning: hostname piett.minchernes.com does not resolve to address 141.98.11.111
Dec 19 23:04:17 vps postfix/smtpd[7687]: connect from unknown[141.98.11.111]
Dec 19 23:04:20 vps postfix/smtpd[7687]: warning: unknown[141.98.11.111]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:04:20 vps postfix/smtpd[7687]: disconnect from unknown[141.98.11.111]
Dec 19 23:04:22 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:04:22 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:04:31 vps postfix/smtpd[7687]: warning: hostname pirate-classify.themedestiny.com does not resolve to address 141.98.11.65: Name or service not known
Dec 19 23:04:31 vps postfix/smtpd[7687]: connect from unknown[141.98.11.65]
Dec 19 23:04:35 vps postfix/smtpd[7687]: warning: unknown[141.98.11.65]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:04:35 vps postfix/smtpd[7687]: disconnect from unknown[141.98.11.65]
Dec 19 23:04:47 vps postfix/smtpd[5948]: warning: hostname host-206-251-214-120.united.net does not resolve to address 206.251.214.120: Name or service not known
Dec 19 23:04:47 vps postfix/smtpd[5948]: connect from unknown[206.251.214.120]
Dec 19 23:04:52 vps postfix/smtpd[7687]: connect from localhost[::1]
Dec 19 23:04:52 vps postfix/smtpd[7687]: disconnect from localhost[::1]
Dec 19 23:04:53 vps postfix/smtpd[5948]: warning: unknown[206.251.214.120]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:04:54 vps postfix/smtpd[5948]: lost connection after AUTH from unknown[206.251.214.120]
Dec 19 23:04:54 vps postfix/smtpd[5948]: disconnect from unknown[206.251.214.120]
Dec 19 23:04:56 vps postfix/smtpd[7687]: connect from unknown[58.214.8.10]
Dec 19 23:05:01 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:05:01 vps postfix/smtpd[5948]: lost connection after CONNECT from localhost[::1]
Dec 19 23:05:01 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:05:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<IzOd1TPweLUAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:05:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<p1Sd1TPwfOcAAAAAAAAAAAAAAAAAAAAB>
Dec 19 23:05:03 vps postfix/smtpd[7687]: warning: unknown[58.214.8.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:05:04 vps postfix/smtpd[7687]: lost connection after AUTH from unknown[58.214.8.10]
Dec 19 23:05:04 vps postfix/smtpd[7687]: disconnect from unknown[58.214.8.10]

And nothing bad happens to a mail system at all. But if you are assured that the e-mail system requires protection, please, do think about ISPProtect malware either ISPProtect BanDaemon (my choice for some of running servers).
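
The counting that a fail2ban-style rule performs on these log lines, as an added example (not part of either post and not fail2ban's own code): it parses Postfix "SASL ... authentication failed" warnings, applies a failures-within-window threshold per address and per subnet, and decodes the token logged after "failed:". The sample lines are constructed with documentation-range addresses; the function names, the thresholds and the `year` default are assumptions.

```python
import base64
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 19 22:59:46 vps postfix/smtpd[7687]: warning: unknown[192.0.2.72]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:00:02 vps postfix/smtpd[7687]: lost connection after CONNECT from localhost[::1]
Dec 19 23:00:33 vps postfix/smtpd[5948]: warning: unknown[198.51.100.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:01:01 vps postfix/smtpd[5948]: warning: unknown[198.51.100.83]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:02:04 vps postfix/smtpd[7687]: warning: unknown[198.51.100.22]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:05:03 vps postfix/smtpd[7687]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9A-Fa-f:.]+)\]: SASL \S+ authentication failed")

def sasl_failures(log_text, year=2000):
    """Return [(timestamp, ip)] per failure line; syslog omits the year, so `year` is assumed."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, ipaddress.ip_address(m["ip"])))
    return out

def host_key(ip):
    return str(ip)

def subnet_key(ip):
    # /24 for IPv4, /64 for IPv6: an aggregation choice made for this example.
    return str(ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False))

def flagged(events, key, maxretry=3, findtime=timedelta(minutes=10)):
    """Keys with at least `maxretry` failures inside one `findtime` window."""
    seen = defaultdict(list)
    for ts, ip in sorted(events, key=lambda e: e[0]):
        seen[key(ip)].append(ts)
    return {k for k, t in seen.items()
            if any(t[i + maxretry - 1] - t[i] <= findtime
                   for i in range(len(t) - maxretry + 1))}

def decode_tail(token):
    """Base64-decode the token logged after 'failed:' (here the LOGIN 'Password:' prompt)."""
    return base64.b64decode(token).decode("ascii", "replace")
```

With the sample, no single address reaches three failures while one /24 does, which matches the log quoted above: one attempt per address, several of them from the same range. The logged `UGFzc3dvcmQ6` decodes to `Password:`, the LOGIN mechanism's prompt rather than a submitted credential.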