Am I getting brute force attacks on email logins

Discussion in 'Technical' started by lonerunner, Dec 12, 2022.

  1. lonerunner

    lonerunner Member

    I have set up email notifications on just about everything, and all of a sudden I am getting hundreds of email notifications on this subject:

    Sometimes the end of the message is :

    This seems to me like brute force attacks. I did block the email in iptables and of course it stopped, but can I implement a rule in fail2ban to automatically block these logins when detected? Also, I disabled plain logins, but the log files do say plain login failed.
     
  2. Alex Mamatuik

    Alex Mamatuik Member

    Hello!
    My Mail-Error log always reports numerous failed LOGIN authentications:
    Dec 19 22:59:21 vps postfix/smtpd[1812]: connect from localhost[::1]
    Dec 19 22:59:21 vps postfix/smtpd[1812]: disconnect from localhost[::1]
    Dec 19 22:59:42 vps postfix/smtpd[7687]: connect from unknown[141.98.10.72]
    Dec 19 22:59:46 vps postfix/smtpd[7687]: warning: unknown[141.98.10.72]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 19 22:59:46 vps postfix/smtpd[7687]: disconnect from unknown[141.98.10.72]
    Dec 19 22:59:51 vps postfix/smtpd[1812]: connect from localhost[::1]
    Dec 19 22:59:51 vps postfix/smtpd[1812]: disconnect from localhost[::1]
    Dec 19 23:00:02 vps postfix/smtpd[7687]: connect from localhost[::1]
    Dec 19 23:00:02 vps postfix/smtpd[7687]: lost connection after CONNECT from localhost[::1]
    Dec 19 23:00:02 vps postfix/smtpd[7687]: disconnect from localhost[::1]
    Dec 19 23:00:02 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<gbbGwzPwyLIAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:00:02 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<mNjGwzPwzOQAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:00:05 vps postfix/smtpd[7687]: connect from localhost[::1]
    Dec 19 23:00:05 vps postfix/smtpd[7687]: lost connection after CONNECT from localhost[::1]
    Dec 19 23:00:05 vps postfix/smtpd[7687]: disconnect from localhost[::1]
    Dec 19 23:00:05 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<mu75wzPw2rIAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:00:05 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<Cwr6wzPw3uQAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:00:07 vps postfix/smtpd[5948]: timeout after AUTH from unknown[80.94.95.206]
    Dec 19 23:00:07 vps postfix/smtpd[5948]: disconnect from unknown[80.94.95.206]
    Dec 19 23:00:21 vps postfix/smtpd[7687]: connect from unknown[45.125.65.37]
    Dec 19 23:00:21 vps postfix/smtpd[5948]: connect from localhost[::1]
    Dec 19 23:00:21 vps postfix/smtpd[5948]: disconnect from localhost[::1]
    Dec 19 23:00:25 vps postfix/smtpd[7687]: warning: unknown[45.125.65.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 19 23:00:25 vps postfix/smtpd[7687]: disconnect from unknown[45.125.65.37]
    Dec 19 23:00:30 vps postfix/smtpd[5948]: warning: hostname livehh.poppopprision.com does not resolve to address 141.98.11.52
    Dec 19 23:00:30 vps postfix/smtpd[5948]: connect from unknown[141.98.11.52]
    Dec 19 23:00:33 vps postfix/smtpd[5948]: warning: unknown[141.98.11.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 19 23:00:33 vps postfix/smtpd[5948]: disconnect from unknown[141.98.11.52]
    Dec 19 23:00:51 vps postfix/smtpd[7687]: connect from localhost[::1]
    Dec 19 23:00:51 vps postfix/smtpd[7687]: disconnect from localhost[::1]
    Dec 19 23:00:57 vps postfix/smtpd[5948]: warning: hostname type-executes.themedestiny.com does not resolve to address 141.98.11.83: Name or service not known
    Dec 19 23:00:57 vps postfix/smtpd[5948]: connect from unknown[141.98.11.83]
    Dec 19 23:01:01 vps postfix/smtpd[5948]: warning: unknown[141.98.11.83]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 19 23:01:01 vps postfix/smtpd[7687]: connect from localhost[::1]
    Dec 19 23:01:01 vps postfix/smtpd[7687]: lost connection after CONNECT from localhost[::1]
    Dec 19 23:01:01 vps postfix/smtpd[7687]: disconnect from localhost[::1]
    Dec 19 23:01:01 vps postfix/smtpd[5948]: disconnect from unknown[141.98.11.83]
    Dec 19 23:01:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<RXVWxzPwULMAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:01:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<rZFWxzPwVOUAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:01:21 vps postfix/smtpd[7687]: connect from localhost[::1]
    Dec 19 23:01:21 vps postfix/smtpd[7687]: disconnect from localhost[::1]
    Dec 19 23:01:51 vps postfix/smtpd[5948]: connect from localhost[::1]
    Dec 19 23:01:51 vps postfix/smtpd[5948]: disconnect from localhost[::1]
    Dec 19 23:02:00 vps postfix/smtpd[7687]: warning: hostname srv-141-98-11-22.serveroffer.net does not resolve to address 141.98.11.22: Name or service not known
    Dec 19 23:02:00 vps postfix/smtpd[7687]: connect from unknown[141.98.11.22]
    Dec 19 23:02:01 vps postfix/smtpd[5948]: connect from localhost[::1]
    Dec 19 23:02:01 vps postfix/smtpd[5948]: lost connection after CONNECT from localhost[::1]
    Dec 19 23:02:01 vps postfix/smtpd[5948]: disconnect from localhost[::1]
    Dec 19 23:02:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<Hq7nyjPw0LMAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:02:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<tlLoyjPw1OUAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:02:04 vps postfix/smtpd[7687]: warning: unknown[141.98.11.22]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 19 23:02:04 vps postfix/smtpd[7687]: disconnect from unknown[141.98.11.22]
    Dec 19 23:02:21 vps postfix/smtpd[5948]: connect from localhost[::1]
    Dec 19 23:02:21 vps postfix/smtpd[5948]: disconnect from localhost[::1]
    Dec 19 23:02:22 vps clamd[4365]: SelfCheck: Database status OK.
    Dec 19 23:02:51 vps postfix/smtpd[7687]: connect from localhost[::1]
    Dec 19 23:02:51 vps postfix/smtpd[7687]: disconnect from localhost[::1]
    Dec 19 23:03:01 vps postfix/smtpd[5948]: connect from localhost[::1]
    Dec 19 23:03:01 vps postfix/smtpd[5948]: lost connection after CONNECT from localhost[::1]
    Dec 19 23:03:01 vps postfix/smtpd[5948]: disconnect from localhost[::1]
    Dec 19 23:03:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<ly50zjPwVLQAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:03:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<3kd0zjPwWOYAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:03:21 vps postfix/smtpd[5948]: connect from localhost[::1]
    Dec 19 23:03:21 vps postfix/smtpd[5948]: disconnect from localhost[::1]
    Dec 19 23:03:52 vps postfix/smtpd[7687]: connect from localhost[::1]
    Dec 19 23:03:52 vps postfix/smtpd[7687]: disconnect from localhost[::1]
    Dec 19 23:04:00 vps postfix/anvil[17433]: statistics: max connection rate 1/60s for (smtp:80.94.95.206) at Dec 19 22:54:56
    Dec 19 23:04:00 vps postfix/anvil[17433]: statistics: max connection count 1 for (smtp:80.94.95.206) at Dec 19 22:54:56
    Dec 19 23:04:00 vps postfix/anvil[17433]: statistics: max cache size 6 at Dec 19 22:56:00
    Dec 19 23:04:01 vps postfix/smtpd[5948]: connect from localhost[::1]
    Dec 19 23:04:01 vps postfix/smtpd[5948]: lost connection after CONNECT from localhost[::1]
    Dec 19 23:04:01 vps postfix/smtpd[5948]: disconnect from localhost[::1]
    Dec 19 23:04:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<mVQQ0jPwvrQAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:04:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<3XoQ0jPwwuYAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:04:17 vps postfix/smtpd[7687]: warning: hostname piett.minchernes.com does not resolve to address 141.98.11.111
    Dec 19 23:04:17 vps postfix/smtpd[7687]: connect from unknown[141.98.11.111]
    Dec 19 23:04:20 vps postfix/smtpd[7687]: warning: unknown[141.98.11.111]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 19 23:04:20 vps postfix/smtpd[7687]: disconnect from unknown[141.98.11.111]
    Dec 19 23:04:22 vps postfix/smtpd[5948]: connect from localhost[::1]
    Dec 19 23:04:22 vps postfix/smtpd[5948]: disconnect from localhost[::1]
    Dec 19 23:04:31 vps postfix/smtpd[7687]: warning: hostname pirate-classify.themedestiny.com does not resolve to address 141.98.11.65: Name or service not known
    Dec 19 23:04:31 vps postfix/smtpd[7687]: connect from unknown[141.98.11.65]
    Dec 19 23:04:35 vps postfix/smtpd[7687]: warning: unknown[141.98.11.65]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 19 23:04:35 vps postfix/smtpd[7687]: disconnect from unknown[141.98.11.65]
    Dec 19 23:04:47 vps postfix/smtpd[5948]: warning: hostname host-206-251-214-120.united.net does not resolve to address 206.251.214.120: Name or service not known
    Dec 19 23:04:47 vps postfix/smtpd[5948]: connect from unknown[206.251.214.120]
    Dec 19 23:04:52 vps postfix/smtpd[7687]: connect from localhost[::1]
    Dec 19 23:04:52 vps postfix/smtpd[7687]: disconnect from localhost[::1]
    Dec 19 23:04:53 vps postfix/smtpd[5948]: warning: unknown[206.251.214.120]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 19 23:04:54 vps postfix/smtpd[5948]: lost connection after AUTH from unknown[206.251.214.120]
    Dec 19 23:04:54 vps postfix/smtpd[5948]: disconnect from unknown[206.251.214.120]
    Dec 19 23:04:56 vps postfix/smtpd[7687]: connect from unknown[58.214.8.10]
    Dec 19 23:05:01 vps postfix/smtpd[5948]: connect from localhost[::1]
    Dec 19 23:05:01 vps postfix/smtpd[5948]: lost connection after CONNECT from localhost[::1]
    Dec 19 23:05:01 vps postfix/smtpd[5948]: disconnect from localhost[::1]
    Dec 19 23:05:01 vps dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<IzOd1TPweLUAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:05:01 vps dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<p1Sd1TPwfOcAAAAAAAAAAAAAAAAAAAAB>
    Dec 19 23:05:03 vps postfix/smtpd[7687]: warning: unknown[58.214.8.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 19 23:05:04 vps postfix/smtpd[7687]: lost connection after AUTH from unknown[58.214.8.10]
    Dec 19 23:05:04 vps postfix/smtpd[7687]: disconnect from unknown[58.214.8.10]

    And nothing bad happens to the mail system at all.

    But if you are assured that the e-mail system requires protection, please do think about either the ISPProtect malware scanner or ISPProtect BanDaemon (my choice for some of my running servers).
     
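    The following is an added example, not code from either poster and not part of fail2ban: it mirrors what a fail2ban jail does (a failregex with a `<HOST>` placeholder, a `findtime` window and a `maxretry` threshold) so you can see which of the lines above would actually trip a ban. It covers lonerunner's question about a fail2ban rule and the log Alex posted. In practice you would enable the `postfix-sasl` and `dovecot` jails that fail2ban ships rather than write your own, but the logic is the same. The sample log lines are constructed in the same format as the post (documentation-range IPs, not the addresses from the thread); the Dovecot `auth failed` line is an assumption about Dovecot's default log format, since the thread only shows Dovecot lines without auth attempts. The base64 tail `UGFzc3dvcmQ6` that ends every Postfix warning decodes to the server's `Password:` prompt, which is why these lines are noisy but harmless: the client hangs up at the password prompt.

```python
"""Sliding-window detection of repeated SASL/IMAP login failures,
modelled on a fail2ban jail (failregex + findtime + maxretry).
Added example, not code from the thread or from fail2ban itself.
"""
import base64
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban-style patterns with a <HOST> placeholder. The Postfix line is the
# exact shape shown in the thread; the Dovecot line assumes Dovecot's default
# "auth failed" log layout (assumption: adjust to your own log_format).
FAILREGEXES = [
    r"postfix/smtpd\[\d+\]: warning: \S+\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed",
    r"dovecot: (?:imap|pop3)-login: (?:Disconnected|Aborted login) \(auth failed.*?\): user=<[^>]*>,.*?rip=<HOST>",
]
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"
_COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEXES]
_STAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_failure(line, year=2022):
    """Return (timestamp, host) if the line is a login failure, else None.
    Syslog lines carry no year, so the caller supplies one."""
    m = _STAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for rx in _COMPILED:
        hit = rx.search(line)
        if hit:
            return ts, hit.group("host")
    return None


def offenders(lines, maxretry=3, findtime=600):
    """Hosts that reach maxretry failures inside a findtime-second window,
    mapped to the time the ban would have fired (fail2ban semantics)."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # connects, disconnects, clamd noise: not failures
        ts, host = parsed
        q = window[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


def decode_sasl_token(token):
    """The base64 tail of the Postfix warning is the SASL prompt the server
    sent, not anything the client supplied."""
    return base64.b64decode(token).decode("ascii", errors="replace")


# Constructed sample, same format as the thread's log; IPs are documentation ranges.
SAMPLE_LOG = """\
Dec 19 23:00:21 vps postfix/smtpd[7687]: connect from unknown[203.0.113.10]
Dec 19 23:00:25 vps postfix/smtpd[7687]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:00:25 vps postfix/smtpd[7687]: disconnect from unknown[203.0.113.10]
Dec 19 23:00:30 vps postfix/smtpd[5948]: connect from localhost[::1]
Dec 19 23:00:30 vps postfix/smtpd[5948]: disconnect from localhost[::1]
Dec 19 23:01:04 vps postfix/smtpd[7687]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:01:40 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<info>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<constructed>
Dec 19 23:02:04 vps postfix/smtpd[7687]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:15:00 vps postfix/smtpd[5948]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 19 23:20:00 vps postfix/smtpd[5948]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

if __name__ == "__main__":
    for host, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"would ban {host} at {when:%b %d %H:%M:%S}")
    print("SASL token decodes to:", repr(decode_sasl_token("UGFzc3dvcmQ6")))
```

    With the defaults above, 203.0.113.10 is banned on its third failure inside ten minutes, while 198.51.100.7 never is: its first failure falls out of the window before the later two arrive, which is exactly the `findtime`/`maxretry` trade-off you tune in `jail.local`.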
