Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
The following record appears every second in /var/log/maillog
file:
CONFIG_TEXT: plesk_saslauthd[5222]: failed mail authenticatication attempt for user 'jdoe@example.com' (password len=7)plesk_saslauthd[5222]: failed mail authenticatication attempt for user 'jdoe@example.com' (password len=8)postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure
Cause
The server is under brute force attack.
Resolution
Install software which protects the server from the Brute Force Attacks:
-
Install Fail2Ban according to the article How to install fail2ban on Plesk for Linux.
-
Go to Tools & Settings > IP Address Banning (Fail2Ban);
-
Mark the Enable intrusion detection checkbox and specify the following settings:
-
IP address ban period – the time interval in seconds for which an IP address is banned. When this period is over, the IP address is automatically unbanned.
-
Time interval for detection of subsequent attacks - the time interval in seconds during which the system counts the number of unsuccessful login attempts and other unwanted actions from an IP address.
-
Number of failures before the IP address is banned – the number of failed login attempts from the IP address.
-
-
Activate Fail2Ban service by clicking the Apply button.
-
Go to Jails tab.
-
Mark plesk-dovecot, plesk-horde, plesk-roundcube, plesk-postfix and recidive jails and press the Switch On button to turn the selected jails on.
To prevent brute force attack, install a tool like Fail2ban, once Fail2ban is only available to Linux systems, for example, ts_block.
In order to verify whether or not the server is vulnerable to this threat, check the following article:
How to test if a server is secured from abuse (Open Relay Test)
Additionally, to limit brute force attempts, configure MailEnable to block abuser IP:
-
Connect to the server via RDP;
-
Go to Windows > MailEnableAdmin > Connection dropping > Server > Services and Connector > right-click on SMTP > Properties > Security tab:
Comments
2 comments
Not enough to protect
Lately postfix/smtpd is no longer visible, but only plesk_saslauthd
without an IP address, so Fail2Ban cannot block, is there a solution here?
Please sign in to leave a comment.