Many 'failed mail authentication' entries in /var/log/maillog


  • Larry Nedry

    Fail2Ban won't work for this issue as the log entry does not include the IP address of the attacker.

  • Konstantin Annikov

    Hello, 

    Thank you for bringing our attention to the article.

    In fact, the mentioned log entry is followed by another one from postfix like this:

    Feb 28 12:49:24 example postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure

    So, fail2ban will work in this case.
    I have edited the article and added the log entry. 

  • Bob B

    Is there a similar article available for the same issue but with proftpd on Linux?  My RMM monitoring keeps alerting on a large number of failed logins but Fail2Ban's banned list is very small.  

  • Daria Gavrilova

    Hello @Bob B,

    The most probable cause of such behavior is that the Time interval for detection of subsequent attacks is not enough to stop these breach attempts, so Fail2Ban's banned list is very small.

    To solve this issue, please follow these steps:

    1. Log into Plesk;
    2. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Time interval for detection of subsequent attacks and increase this value to the required time span according to the /var/log/messages log file.

    If it does not help, please create a request to Plesk Technical Support: How to submit a request to Plesk support?
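
Added example, not part of the original thread and not Fail2Ban's own code: a simplified Python model of the detection-interval check (`findtime` and `maxretry` in Fail2Ban's jail settings), run over constructed Postfix lines in the format quoted above. It shows why a source that spaces its attempts further apart than the interval never reaches the ban threshold. The regex, function names, assumed year and sample addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the Postfix line quoted in the thread; the client IP is in the brackets.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+(?:-\w+)* authentication failed"
)

def parse(line, year=2024):
    """Return (timestamp, ip) for a SASL failure line, else None."""
    m = SASL_FAIL.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so one is assumed here.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def banned_ips(lines, findtime, maxretry):
    """IPs with at least maxretry failures inside any findtime-second window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = set()
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue              # not an authentication failure
        ts, ip = hit
        window = recent[ip]
        window.append(ts)
        # Forget failures older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

def _line(minute, second, ip):
    return (f"Feb 28 12:{minute:02d}:{second:02d} example postfix/smtpd[14640]: "
            f"warning: unknown[{ip}]: SASL LOGIN authentication failed: authentication failure")

# Constructed sample log (documentation addresses), in chronological order.
SAMPLE = (
    [_line(0, s, "203.0.113.2") for s in (1, 5, 9, 13, 17)]       # fast burst
    + [_line(m, 0, "198.51.100.7") for m in (2, 14, 26, 38, 50)]  # one try every 12 min
    + ["Feb 28 12:55:00 example postfix/smtpd[14640]: connect from unknown[192.0.2.9]"]
)

if __name__ == "__main__":
    print("findtime=600 :", sorted(banned_ips(SAMPLE, 600, 5)))
    print("findtime=3600:", sorted(banned_ips(SAMPLE, 3600, 5)))
```

With a 600-second interval only the burst source is flagged; raising the interval to 3600 seconds also catches the slow source, which is the effect of the setting change described in the last comment.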
