distributed smtpauth attacks on [mailer-daemon]
I am getting CSF notifications about distributed smtpauth attacks on mailer-daemon
Is this normal? I realise there are plenty of attacks, but I don't think I've had them reported on the actual mailer-daemon before... Is there some hardening to be done?
Hey hey! We don't support CSF, but could you post the details you're seeing here so we can see what it says?
Thanks!
Sure, here are some:
exim rejectlog:
2024-03-27 12:54:28 dovecot_login authenticator failed for ([203.110.83.226]) [203.110.83.226]:34522: 535 Incorrect authentication data (set_id=mailer-daemon)
2024-03-27 12:44:11 dovecot_login authenticator failed for ([175.202.13.55]) [175.202.13.55]:43160: 535 Incorrect authentication data (set_id=mailer-daemon@serverhostname)
The frequency seems to be every 30 - 60 seconds.
LFD.log (lots of entries)
Mar 27 11:36:50 servername lfd[17209099090]: 221.163.227.238 (KR/South Korea/-), 10 distributed smtpauth attacks on account [mailer-daemon@server-hostname] in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_DISTATTACK]
Now, obviously it's a good thing that CSF is doing its job. And, I see this similar post, and I'm aware there'll be a lot of traffic, but on the mailer-daemon / server hostname it seems a bit strange and I'm wondering if I've left a door open somewhere...
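The LF_DISTATTACK condition in the lfd.log line above (one account hit from many source addresses while each address stays under the per-IP limit) can be reproduced directly from the exim rejectlog. The following is an added example, not code from the thread, CSF or cPanel; it parses constructed rejectlog lines in the format quoted above (TEST-NET addresses, hostname host.example) and groups set_id values by local part, which is an assumption made here so that mailer-daemon and mailer-daemon@host count as one target.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim rejectlog line shape shown in the thread (timestamp, helo, source IP, set_id):
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dovecot_login authenticator failed "
    r"for \((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+: 535 Incorrect authentication data "
    r"\(set_id=(?P<account>[^)]*)\)$"
)

# Constructed sample log: 12 distinct TEST-NET addresses hitting mailer-daemon within one
# hour (the pattern LFD reports), two hits on "info" from a single address, and one noise line.
SAMPLE_LOG = [
    f"2024-03-27 12:{m:02d}:00 dovecot_login authenticator failed for ([198.51.100.{n}]) "
    f"[198.51.100.{n}]:4{n:04d}: 535 Incorrect authentication data (set_id=mailer-daemon@host.example)"
    for n, m in enumerate(range(0, 60, 5), start=1)
] + [
    "2024-03-27 12:10:30 dovecot_login authenticator failed for ([192.0.2.7]) [192.0.2.7]:51000: 535 Incorrect authentication data (set_id=info)",
    "2024-03-27 12:11:30 dovecot_login authenticator failed for ([192.0.2.7]) [192.0.2.7]:51002: 535 Incorrect authentication data (set_id=info)",
    "2024-03-27 12:12:00 H=[192.0.2.9] rejected RCPT <nobody@host.example>: relay not permitted",
]

def parse_rejectlog(lines):
    """Yield (timestamp, source_ip, set_id) for every dovecot_login failure; skip other lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["account"]

def distributed_attacks(events, min_ips=10, window=timedelta(seconds=3600)):
    """Return {account: sorted IPs} for accounts targeted from at least min_ips distinct
    addresses inside any sliding window of `window`, i.e. the LF_DISTATTACK condition
    (per-IP counts stay low, so a per-IP limit alone would never trigger)."""
    by_account = defaultdict(list)
    for ts, ip, account in events:
        # Assumption for this example: "mailer-daemon" and "mailer-daemon@host" are one target.
        by_account[account.split("@")[0]].append((ts, ip))
    flagged = {}
    for account, hits in by_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[account] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    for account, ips in distributed_attacks(parse_rejectlog(SAMPLE_LOG)).items():
        print(f"distributed smtpauth attack on [{account}] from {len(ips)} addresses: {ips}")
```

Running it against a real /var/log/exim_rejectlog shows which accounts are being spread across many sources, which is the signal to compare against LF_DISTATTACK settings rather than per-IP counts.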
Do you also have cPHulk enabled on the machine? That would block any IP addresses with too many failed logins.
I wouldn't be too worried about that address - the mailer-daemon and the hostname are an easy target for automated scripts to use to try accounts that may exist on the server.