Mailserver unknown authentication attempts

I have a lot of unknown authentication attempts on my mail server. How can I configure my system to drop these?

Nov 18 16:42:58 ucs-ox1 postfix/smtpd[1969]: warning: unknown[118.173.164.136]: SASL PLAIN authentication failed:
Nov 18 16:42:59 ucs-ox1 postfix/smtpd[1969]: lost connection after AUTH from unknown[118.173.164.136]
Nov 18 16:42:59 ucs-ox1 postfix/smtpd[1969]: disconnect from unknown[118.173.164.136] ehlo=2 starttls=1 auth=0/1 commands=3/4

//Bengt

Fail2ban would be the typical solution I think, but I haven’t tried it on UCS. There is a cool solution article that describes how you can install it, but it’s not specifically for mail services. You might need to do a bit of googling to figure that part out if you’re not already familiar with it.

Cool Solution - Fail2ban

Hello @bhagert

I have this jail.local for this purpose:

[DEFAULT]
bantime = 3600
maxretry = 3

[sshd]
enabled = true

port    = <port>
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[apache-auth]
enabled = true

port     = http,https
logpath  = %(apache_error_log)s

[postfix]
enabled  = true

port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

[postfix-rbl]
enabled  = true

port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1

[dovecot]
enabled = true

port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[postfix-sasl]
enabled = true

port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

[recidive]
enabled = true

filter = recidive
action = iptables-allports[name=recidive]
logpath = /var/log/fail2ban.log

# findtime: 1 week
findtime = 604800

# bantime: -1 = permanent ban (a negative value never expires in fail2ban)
bantime = -1
maxretry = 3

Best, Bernd
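To show what the postfix-sasl jail above actually keys on, here is an added example (not from this post and not fail2ban's own code) that applies a simplified version of the postfix-sasl failregex to constructed log lines in the format from the question and then does the maxretry/findtime counting the jail relies on. The year (syslog lines carry none) and the 192.0.2.10 address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified pattern modelled on fail2ban's postfix-sasl failregex (assumption:
# not the exact shipped filter). Matches the syslog line from the question.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9.]+)\]: SASL (?:PLAIN|LOGIN|CRAM-MD5|DIGEST-MD5) "
    r"authentication failed"
)

# Constructed sample: the three lines from the question plus invented follow-ups.
SAMPLE_LOG = """\
Nov 18 16:42:58 ucs-ox1 postfix/smtpd[1969]: warning: unknown[118.173.164.136]: SASL PLAIN authentication failed:
Nov 18 16:42:59 ucs-ox1 postfix/smtpd[1969]: lost connection after AUTH from unknown[118.173.164.136]
Nov 18 16:43:10 ucs-ox1 postfix/smtpd[1971]: warning: unknown[118.173.164.136]: SASL LOGIN authentication failed:
Nov 18 16:43:30 ucs-ox1 postfix/smtpd[1972]: warning: unknown[118.173.164.136]: SASL PLAIN authentication failed:
Nov 18 16:50:00 ucs-ox1 postfix/smtpd[1980]: warning: mail.example.net[192.0.2.10]: SASL PLAIN authentication failed:
Nov 18 18:50:00 ucs-ox1 postfix/smtpd[1990]: warning: mail.example.net[192.0.2.10]: SASL PLAIN authentication failed:
Nov 18 20:50:00 ucs-ox1 postfix/smtpd[1995]: warning: mail.example.net[192.0.2.10]: SASL PLAIN authentication failed:
""".splitlines()

def parse_failures(lines, year=2023):
    """Yield (timestamp, ip) for every SASL authentication failure line.
    The year is an assumption because syslog timestamps omit it."""
    for line in lines:
        m = FAILED_AUTH.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def ips_to_ban(lines, maxretry=3, findtime=600, year=2023):
    """Return the IPs that hit maxretry failures inside one findtime window,
    i.e. what fail2ban's maxretry/findtime logic would ban (jail.local above
    sets maxretry = 3; findtime defaults to 10 minutes)."""
    hits = defaultdict(list)
    for ts, ip in parse_failures(lines, year):
        hits[ip].append(ts)
    banned = set()
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned

if __name__ == "__main__":
    print("findtime=600:", ips_to_ban(SAMPLE_LOG))
    print("findtime=86400:", ips_to_ban(SAMPLE_LOG, findtime=86400))
```

The second address only gets banned once findtime is widened, which is exactly the slow-and-low case the recidive jail exists for; the "lost connection" line is correctly ignored because it is not an authentication failure.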

Thanks, I will give it a try!
