Hi guys, in the logfile of mail I can see:
Code:
warning: unknown[45.142.120.149]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 7 20:04:19 server2 postfix/smtpd[23576]: disconnect from unknown[45.142.120.149] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 7 20:04:19 server2 postfix/smtpd[23454]: connect from unknown[45.142.120.147]
Nov 7 20:04:21 server2 postfix/smtpd[23466]: connect from unknown[45.142.120.209]
Nov 7 20:04:24 server2 postfix/smtpd[23489]: connect from unknown[45.142.120.56]
Nov 7 20:04:24 server2 postfix/smtpd[23755]: connect from unknown[45.142.120.15]
Nov 7 20:04:25 server2 postfix/smtpd[23490]: warning: unknown[45.142.120.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 7 20:04:25 server2 postfix/smtpd[23490]: disconnect from unknown[45.142.120.32] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 7 20:04:26 server2 postfix/smtpd[23454]: warning: unknown[45.142.120.147]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 7 20:04:27 server2 postfix/smtpd[23454]: disconnect from unknown[45.142.120.147] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 7 20:04:28 server2 postfix/smtpd[23757]: connect from unknown[45.142.120.39]
Nov 7 20:04:28 server2 postfix/smtpd[23501]: connect from unknown[45.142.120.192]
Nov 7 20:04:28 server2 postfix/smtpd[23466]: warning: unknown[45.142.120.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 7 20:04:28 server2 postfix/smtpd[23466]: disconnect from unknown[45.142.120.209] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 7 20:04:31 server2 postfix/smtpd[23489]: warning: unknown[45.142.120.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 7 20:04:31 server2 postfix/smtpd[23755]: warning: unknown[45.142.120.15]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 7 20:04:31 server2 postfix/smtpd[23755]: disconnect from unknown[45.142.120.15] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 7 20:04:31 server2 postfix/smtpd[23489]: disconnect from unknown[45.142.120.56] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Is it recommended to block the IP for SMTP temporarily or forever, or what action would you recommend? Thanks in advance for your help.
I use Fail2Ban to automatically ban IPs with 5+ failed entries. However, on a mail server I would not set the bantime for this too high, because if a client changes the password they can have some failed logins as well. I have the recidive jail enabled to ban IPs that have been banned before for a longer time.
Thank you, I was being lazy and have just read the Fail2ban manual, sorry. Just for the information of anyone else reading this, the most important file is probably the jail.conf:
nano /etc/fail2ban/jail.conf
However, its default settings are adequate for most purposes.
If you have followed the ISPConfig installation instructions (perfect server guide), then fail2ban is already installed and configured.
Hi Till. Yes, indeed I have, but I thought it might be a setting I could tweak to make my server a little more secure, but the perfect server I followed already has the optimal settings. The perfect server series of howtos are indeed comprehensive; I would recommend anyone wanting to learn about installing servers use them, they will teach you so much.
Thanks for that, yes, it states that in the manual. The jail.conf takes precedence over jail.local, so it stands to reason to put any changes in the jail.local.