Re: Authentication attempts for x...@com.au addresses

2019-04-05 Thread Esteban L
Hello Andrey, You've piqued my interest now :-) I have used fail2ban for many things, dovecot, postfix-auth, ssh (moot, after I changed the port), roundcube, etc. What are other tools you would recommend? I have seen the postfix anvil daemon at work in the background. I have gotten used to us

Re: Authentication attempts for x...@com.au addresses

2019-04-04 Thread Andrey Repin
Greetings, Esteban L!
> You will need to install fail2ban to ip block failed attempts.
> As you have correctly assumed, a malicious person is trying to hack into your mail server.
> Fail2ban is a required application nowadays.
That's hardly true. I haven't found a use for fail2ban in las

Re: Authentication attempts for x...@com.au addresses

2019-04-03 Thread Matus UHLAR - fantomas
On 03.04.19 14:14, James Brown wrote:
> Thanks all for your replies. Increasing both Ban time and Find time are good and I’ll do that. Looking through the logs I can see some repeated IPs for IMAP failures, but over long times (eg maybe once or twice a day max). We have Stunnel receive the traff

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread Bill Cole
On 2 Apr 2019, at 23:14, James Brown wrote:
> We have Stunnel receive the traffic on port 465 and 587 and forward on to 127.0.0.1 on port 25.
That seems odd. Why? The whole point of having submission channels distinct from port 25 SMTP is to allow you to put different restrictions on inbound a

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread Bill Cole
On 2 Apr 2019, at 8:10, James Brown wrote:
> Thanks Esteban. I have fail2ban installed. Unfortunately each attempt comes from a different IP (botnet I presume). I’m finding this all the time now, so fail2ban seems to be no longer much use. Was just hoping there was a Postfix or Dovecot setting

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread James Brown
> On 3 Apr 2019, at 9:45 am, Curtis Maurand wrote:
>
> On 4/2/19 5:39 PM, @lbutlr wrote:
>> On 2 Apr 2019, at 14:30, Esteban L wrote:
>>> The times are in seconds, so you'll need to calculate those times.
>> a month is 26297

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread Curtis Maurand
On 4/2/19 5:39 PM, @lbutlr wrote:
> On 2 Apr 2019, at 14:30, Esteban L wrote:
>> The times are in seconds, so you'll need to calculate those times.
> a month is 2629743 seconds. An hour, of course is 3600, but I prefer 86400 which is one day. BTW, pi seconds is very close to 1 nano century.
I

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread @lbutlr
On 2 Apr 2019, at 14:30, Esteban L wrote:
> The times are in seconds, so you'll need to calculate those times.
a month is 2629743 seconds. An hour, of course is 3600, but I prefer 86400 which is one day. BTW, pi seconds is very close to 1 nano century.
--
<[TN]FBMachine> I got kicked out of

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread Esteban L
I agree with Ron Wheeler. The default settings for Dovecot and Postfix are solid. The default settings for Fail2ban, on the other hand, are inadequate. Not because it's a bad program, but rather that 1.) the default settings are a little lenient, and 2.) hackers know those default settings. You

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread Dominic Raferd
On Tue, 2 Apr 2019 at 09:45, Esteban L wrote:
> You will need to install fail2ban to ip block failed attempts.
>
> As you have correctly assumed, a malicious person is trying to hack into your mail server.
>
> Fail2ban is a required application nowadays.
>
> On April 2, 2019 8:57:06 AM GMT+0

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread Michael
This will only help if you're getting multiple attempts from one subnet, but I've been able to use fail2ban to block IP ranges instead of single IPs. You just have to be careful or you may block more IPs than you want. I recommend setting fail2ban to NOT start up on boot while testing in case y

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread Ron Wheeler
There does not seem to be a completely foolproof and easy to manage solution. In my case, I modified the fail2ban time in jail to block the IP for days rather than hours and did a close look at the expressions defining the bad attempts to be sure that I got all (I hope) of the cases that were

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread Esteban L
You will need to install fail2ban to ip block failed attempts. As you have correctly assumed, a malicious person is trying to hack into your mail server. Fail2ban is a required application nowadays.
On April 2, 2019 8:57:06 AM GMT+02:00, James Brown wrote:
>Not sure if this is a Dovecot or

Authentication attempts for x...@com.au addresses

2019-04-01 Thread James Brown
Not sure if this is a Dovecot or Postfix issue - we use Dovecot for authentication for Postfix. Mailboxes are stored in MySQL. Have noticed this today:
auth-worker(42777): Info: sql(cont...@com.au,127.0.0.1): unknown user (given password: someone123)
Also i...@com.au etc. They are coming throug