Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
The following records appear every second in the /var/log/maillog file:
plesk_saslauthd[5222]: failed mail authentication attempt for user 'jdoe@example.com' (password len=7)
plesk_saslauthd[5222]: failed mail authentication attempt for user 'jdoe@example.com' (password len=8)
postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Cause
The server is under brute force attack.
Resolution
Install software which protects the server from brute force attacks:
- Install Fail2Ban according to the article How to install fail2ban on Plesk for Linux.
- Go to Tools & Settings > IP Address Banning (Fail2Ban).
- Mark the Enable intrusion detection checkbox and specify the following settings:
  - IP address ban period: the time interval in seconds for which an IP address is banned. When this period is over, the IP address is automatically unbanned.
  - Time interval for detection of subsequent attacks: the time interval in seconds during which the system counts the number of unsuccessful login attempts and other unwanted actions from an IP address.
  - Number of failures before the IP address is banned: the number of failed login attempts from the IP address after which it is banned.
- Activate the Fail2Ban service by clicking the Apply button.
- Go to the Jails tab.
- Mark the plesk-dovecot, plesk-horde, plesk-roundcube, plesk-postfix and recidive jails and press the Switch On button to turn the selected jails on.
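The three settings above are the knobs of a sliding-window counter: failures from one address are counted inside the detection interval, and the address is banned once the count reaches the failure threshold. The following added example (written for this page, not Plesk's or Fail2Ban's own code) implements that counter in Python over a constructed maillog excerpt. It matches the postfix/smtpd "SASL ... authentication failed" warning because, as noted in the comments below, only that line carries the client IP; the plesk_saslauthd line has none and is skipped. Assumptions: the year 2024 for the year-less syslog timestamps, documentation-range addresses (203.0.113.x) in the sample lines, and default values of 600 seconds and 5 failures that stand in for the two Plesk settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Only the postfix/smtpd line carries the client IP; the plesk_saslauthd line
# ("failed mail authentication attempt for user ...") has no address and is
# skipped, so banning has to key on the smtpd warning.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Constructed maillog excerpt (documentation-range addresses, not a real capture).
# 203.0.113.2 fails six times in ten seconds; 203.0.113.9 fails once.
SAMPLE_MAILLOG = """\
Feb 28 12:49:20 example plesk_saslauthd[5222]: failed mail authentication attempt for user 'jdoe@example.com' (password len=7)
Feb 28 12:49:20 example postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Feb 28 12:49:21 example postfix/smtpd[14640]: disconnect from unknown[203.0.113.2]
Feb 28 12:49:22 example postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Feb 28 12:49:24 example postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Feb 28 12:49:25 example postfix/smtpd[14641]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Feb 28 12:49:26 example postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Feb 28 12:49:28 example postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Feb 28 12:49:30 example postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
"""

# Constructed slow attempt: five failures from one address, one per minute
# (12:50:00 .. 12:54:00).
SLOW_MAILLOG = "\n".join(
    f"Feb 28 12:5{i}:00 example postfix/smtpd[14700]: warning: unknown[203.0.113.7]: "
    "SASL LOGIN authentication failed: authentication failure"
    for i in range(5)
)


def parse_timestamp(ts, year=2024):
    """syslog timestamps carry no year; 2024 is assumed for this demo."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, findtime=600, maxretry=5):
    """Return {ip: time_of_ban} for every address that reached maxretry SASL
    failures inside a sliding findtime-second window. findtime mirrors the
    Plesk setting "Time interval for detection of subsequent attacks" and
    maxretry mirrors "Number of failures before the IP address is banned"."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in banned:
            continue
        now = parse_timestamp(m.group("ts"))
        window = recent[ip]
        window.append(now)
        # forget failures that fell out of the detection interval
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = now
    return banned


if __name__ == "__main__":
    for label, log, findtime in (("burst, findtime=600", SAMPLE_MAILLOG, 600),
                                  ("slow, findtime=30", SLOW_MAILLOG, 30),
                                  ("slow, findtime=600", SLOW_MAILLOG, 600)):
        print(label, find_offenders(log.splitlines(), findtime=findtime))
```

Running the block shows the interplay of the two settings: the burst from 203.0.113.2 is banned at its fifth failure, the single failure from 203.0.113.9 is not, and the one-per-minute attempt from 203.0.113.7 is only banned when the detection interval (600 s) is long enough to hold five failures; with a 30 s interval each failure has already aged out before the next one arrives.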
On Plesk for Windows: Fail2Ban is only available for Linux, so to prevent brute force attacks install a comparable tool, for example ts_block.
In order to verify whether or not the server is vulnerable to this threat, check the following article:
How to test if a server is secured from abuse (Open Relay Test)
Additionally, to limit brute force attempts, configure MailEnable to block abuser IPs:
- Connect to the server via RDP.
- Go to Windows > MailEnableAdmin > Connection dropping > Server > Services and Connector > right-click on SMTP > Properties > Security tab:
Comments
8 comments
Fail2Ban won't work for this issue as the log entry does not include the IP address of the attacker.
Hello,
Thank you for bringing the article to our attention.
In fact, the mentioned log entry is followed by another one from postfix like this:
Feb 28 12:49:24 example postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
So, fail2ban will work in this case.
I have edited the article and added the log entry.
Is there a similar article available for the same issue but with proftpd on Linux? My RMM monitoring keeps alerting on a large number of failed logins but Fail2Ban's banned list is very small.
Hello @Bob B,
The most probable cause of such behavior is that the Time interval for detection of subsequent attacks is not enough to stop these breach attempts, so Fail2Ban's banned list is very small.
To solve this issue, please follow the next steps:
In case if it does not help, please create a request to Plesk Technical Support: How to submit a request to Plesk support?
Hi,
I think there is a big issue with the sasl jail, because we have a lot of lines like this in maillog:
Jul 31 13:12:40 mx02 postfix/smtpd[31704]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Jul 31 13:12:41 mx02 postfix/smtpd[31704]: disconnect from unknown[1.2.3.4]
grep -ri 1.2.3.4 /var/log/maillog | grep warnin | grep -v hostname | wc -l
669
This means, 669 lines like this: Jul 31 13:12:40 mx02 postfix/smtpd[31704]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
And fail2ban does nothing against this, so I checked the regex from filter.d/plesk-saslauthd.conf and there are only issues:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf
Running tests
=============
Use failregex filter file : postfix-sasl, basedir: /etc/fail2ban
Use log file : /var/log/maillog
Use encoding : UTF-8
Results
=======
Failregex: 1865 total
|- #) [# of hits] regular expression
| 1) [1865] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds](?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds](?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?warning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [15600] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 15600 lines, 0 ignored, 1865 matched, 13735 missed
[processed in 1.51 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 13735 lines
So this means it has 1865 matches, but nothing gets blocked. In the Plesk WebUI the filter is activated, but in /etc/fail2ban/jail.d/plesk.conf everything is enabled = false and there is no section with postfix-sasl; there are only [plesk-xxx] sections.
UPDATE:
This shows the fail2ban.log
fail2ban.filter [1001]: INFO [plesk-postfix] Found 1.2.3.4
fail2ban.filter [1001]: WARNING Unable to find a corresponding IP address for 1.2.3.4 [Errno -9] Address family for hostname not supported
@Alexander Koch
>>> WARNING Unable to find a corresponding IP address for ...
You may ignore these warnings, please refer to https://support.plesk.com/hc/en-us/articles/115000065429-Fail2Ban-warning-Address-family-for-hostname-not-supported
>>> And fail2ban is do nothing against this
Check the "Tools & Settings > IP Address Banning (Fail2Ban) > Time interval for detection of subsequent attacks" value. If it is quite big, then it may be not enough to detect the attack. Check the maillog: how often do these messages appear? Decrease the value accordingly.
Hi Alisa,
thanks for the response. The Time Interval was the default 600, so I decreased it to 30, but no help.
I have a lot of Lines like this in the Log:
Aug 2 09:09:39 mx02 postfix/smtpd[14984]: warning: hostname ip-38-50.ZervDNS does not resolve to address 92.118.38.50
Aug 2 09:09:39 mx02 postfix/smtpd[14984]: connect from unknown[92.118.38.50]
Aug 2 09:09:39 mx02 plesk_saslauthd[17683]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
Aug 2 09:09:39 mx02 plesk_saslauthd[17683]: privileges set to (89:89) (effective 89:89)
Aug 2 09:09:39 mx02 plesk_saslauthd[17683]: No such user 'stan@domain.com' in mail authorization database
Aug 2 09:09:39 mx02 plesk_saslauthd[17683]: failed mail authentication attempt for user 'stan@domain.com' (password len=9)
Aug 2 09:09:39 mx02 postfix/smtpd[14984]: warning: unknown[92.118.38.50]: SASL LOGIN authentication failed: authentication failure
Aug 2 09:09:39 mx02 postfix/smtpd[14984]: disconnect from unknown[92.118.38.50]
grep 92.118.38.50 /var/log/maillog | grep 'authentication failed' | wc -l
444
Today alone the IP 92.118.38.50 is shown 444 times, and fail2ban isn't working.
Any ideas?
Hello @Alexander Koch,
Thank you for the update.
To investigate the issue deeper, please create a request to Plesk Technical Support: How to submit a request to Plesk support?