
There is someone scanning my mail server.

What can I do to block them?

I tried adding this and it is not helping:

/etc/hosts.deny
ALL: 80.82.77.18

I see this in the log:

...
Aug 23 03:34:40 auth-worker(1664): Info: sql(torcac@example.net,80.82.77.18): unknown user (given password: torcac)
Aug 23 03:35:17 auth-worker(1664): Info: sql(roselia@example.net,80.82.77.18): unknown user (given password: roselia)
Aug 23 03:35:56 auth-worker(1664): Info: sql(japan@example.net,80.82.77.18): unknown user (given password: japan)
Aug 23 03:36:35 auth-worker(1664): Info: sql(berta@example.net,80.82.77.18): unknown user (given password: berta)
Aug 23 03:37:08 auth-worker(1664): Info: sql(blue,193.169.252.176): unknown user (given password: 123456)
Aug 23 03:37:12 auth-worker(1664): Info: sql(keely@example.net,80.82.77.18): unknown user (given password: keely)
Aug 23 03:37:49 auth-worker(1664): Info: sql(marcelia@example.net,80.82.77.18): unknown user (given password: marcelia)
Aug 23 03:38:26 auth-worker(1664): Info: sql(yate@example.net,80.82.77.18): unknown user (given password: yate)
Aug 23 03:39:02 auth-worker(1664): Info: sql(silvie@example.net,80.82.77.18): unknown user (given password: silvie)
Aug 23 03:39:41 auth-worker(1664): Info: sql(seven@example.net,80.82.77.18): unknown user (given password: seven)ang@example.net,80.82.77.18): unknown user (given password: bang)
...
    I think you should consider using a tool like fail2ban to prevent people trying to brute-force your password. – Tolsadus Aug 23 '19 at 07:59
    That is a common thing on any online server. Typically people use something like fail2ban to block repeat offenders in their firewall rather than manually and with TCP wrappers – HBruijn Aug 23 '19 at 07:59
    Thanks, let me take a look at that. – chawila Aug 23 '19 at 08:01

1 Answer


From importgeek.wordpress.com:

  1. Install Fail2Ban:

     apt-get install fail2ban

  2. To limit memory usage, add to /etc/default/fail2ban:

     ulimit -s 256

  3. Create a local config file /etc/fail2ban/jail.local to override settings in jail.conf:

     cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

     vi /etc/fail2ban/jail.local

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry  = 3

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry  = 3

[sasl]
enabled   = true
port      = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter    = sasl
logpath   = /var/log/mail.log
maxretry  = 3

Edit:

Fail2ban (Debian Squeeze) isn’t shipped with a configuration for Dovecot, so create /etc/fail2ban/filter.d/dovecot.conf:

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

Restart fail2ban:

# /etc/init.d/fail2ban restart
  • Did it work? I'm getting the same scans but none of the config is blocking it. – Ajay Singh Dec 08 '19 at 11:02
  • It worked finally. Thanks for the post. Had to change my dovecot logpath to /var/log/dovecot.log. And failregex to include ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:Info: )?(?:pam|sql|passwd-file)\(\S+,<HOST>\): unknown user\s*$ – Ajay Singh Dec 08 '19 at 11:18
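To see what a jail with maxretry = 3 actually decides for lines like the ones in the question, here is an added Python replay of fail2ban's maxretry/findtime logic; it is not part of this thread or of fail2ban. The regex is modelled on fail2ban's dovecot "unknown user" rule with the syslog prefix and the <HOST> tag replaced by plain named groups, findtime defaults to fail2ban's 10 minutes, and the sample log is constructed from the question's lines plus a made-up 10.0.0.5 whose failures are spread out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the question's lines for the two IPs it shows, plus a
# made-up 10.0.0.5 with failures 20 min apart and one line that must not match.
SAMPLE_LOG = """\
Aug 23 03:00:00 auth-worker(1664): Info: sql(a@example.net,10.0.0.5): unknown user (given password: a)
Aug 23 03:20:00 auth-worker(1664): Info: sql(b@example.net,10.0.0.5): unknown user (given password: b)
Aug 23 03:34:40 auth-worker(1664): Info: sql(torcac@example.net,80.82.77.18): unknown user (given password: torcac)
Aug 23 03:35:17 auth-worker(1664): Info: sql(roselia@example.net,80.82.77.18): unknown user (given password: roselia)
Aug 23 03:35:56 auth-worker(1664): Info: sql(japan@example.net,80.82.77.18): unknown user (given password: japan)
Aug 23 03:37:08 auth-worker(1664): Info: sql(blue,193.169.252.176): unknown user (given password: 123456)
Aug 23 03:40:00 auth-worker(1664): Info: sql(c@example.net,10.0.0.5): unknown user (given password: c)
Aug 23 03:41:00 imap-login: Info: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.9
"""

# Modelled on fail2ban's dovecot "unknown user" rule: syslog prefix reduced to
# the timestamp, (?P<host>...) standing in for fail2ban's <HOST> tag, and the
# "(given password: ...)" tail made optional so the question's lines match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:auth|auth-worker\(\d+\)): (?:Info: )?(?:pam|sql|passwd-file)"
    r"\(\S+,(?P<host>[0-9a-fA-F.:]+)\): unknown user"
    r"(?: \(given password: \S*\))?\s*$"
)

def parse_failure(line, year=2019):
    """Return (timestamp, ip) for a matching auth-failure line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("host")

def bans(log_text, maxretry=3, findtime=600):
    """Replay the log like a jail would: an IP is banned the moment it has
    maxretry failures inside a sliding findtime window (seconds)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = {}                  # ip -> time the ban would have started
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None or hit[1] in banned:
            continue
        ts, ip = hit
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned
```

With the defaults only 80.82.77.18 is banned (at its third failure); 10.0.0.5 never has three failures inside ten minutes, which is why a scanner pacing requests slowly needs a longer findtime or a lower maxretry.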