Anybody running mail server notice increase in SASL login attempts (LATNIC originating)?
All,

Anybody running a mail server noticing a large uptick in failed SASL login attempts? At times I'll just have the server journal displaying in an x-term. Past 24 hours or so there is a marked increase in SASL login attempts to postfix with most originating from LATNIC and Brazil in particular (with the normal smattering of RIPE critters)

Or am I just lucky today?

--
David C. Rankin, J.D.,P.E.
"DCR" == David C Rankin writes:

DCR> All, Anybody running mail server noticing a large uptick in failed
DCR> SASL login attempts? At times I'll just have the server journal
DCR> displaying in an x-term. Past 24 hours or so there is a marked
DCR> increase in SASL login attempts to postfix with most originating from
DCR> LATNIC and Brazil in particular (with the normal smattering of RIPE
DCR> critters)

I have been seeing an increase in attempts with the following usernames: abuse, postmaster, mailer-daemon, webmaster. There is definitely an increase recently. Though in my case it is rr.com and telecomitalia.it.

DCR> Or am I just lucky today?

Depends on your definition of lucky ;)

--
Life is endless possibilities, and there is choice!
On 2023-10-30 21:36, David C. Rankin wrote:
All,
Anybody running mail server noticing a large uptick in failed SASL login attempts? At times I'll just have the server journal displaying in an x-term. Past 24 hours or so there is a marked increase in SASL login attempts to postfix with most originating from LATNIC and Brazil in particular (with the normal smattering of RIPE critters)
Yes, I have heard of it. And it is dangerous, they will eventually find the password of the mail account.

--
Cheers / Saludos,
Carlos E. R. (from openSUSE 15.5 (Laicolasse))
On 10/30/23 16:14, Carlos E. R. wrote:
On 2023-10-30 21:36, David C. Rankin wrote:
All,
Anybody running mail server noticing a large uptick in failed SASL login attempts? At times I'll just have the server journal displaying in an x-term. Past 24 hours or so there is a marked increase in SASL login attempts to postfix with most originating from LATNIC and Brazil in particular (with the normal smattering of RIPE critters)
Yes, I have heard of it.
And it is dangerous, they will eventually find the password of the mail account.
Not with:

# ipta 207.189.192.0/20 174 DROP
iptables -I INPUT 174 -s 207.189.192.0/20 -j DROP

they won't :)

(so much for staying with a stateful firewall.... fight fire with fire...)

--
David C. Rankin, J.D.,P.E.
On 10/30/23 17:53, David C. Rankin wrote:
On 10/30/23 16:14, Carlos E. R. wrote:
On 2023-10-30 21:36, David C. Rankin wrote:
All,
Anybody running mail server noticing a large uptick in failed SASL login attempts? At times I'll just have the server journal displaying in an x-term. Past 24 hours or so there is a marked increase in SASL login attempts to postfix with most originating from LATNIC and Brazil in particular (with the normal smattering of RIPE critters)
Yes, I have heard of it.
And it is dangerous, they will eventually find the password of the mail account.
Not with:
# ipta 207.189.192.0/20 174 DROP iptables -I INPUT 174 -s 207.189.192.0/20 -j DROP
they won't :)
(so much for staying with a stateful firewall.... fight fire with fire...)
Server-Fault has a fail2ban solution: https://serverfault.com/q/1099716/332034

But why isn't port 587 specified explicitly? Not needed? Isn't it preferred over the deprecated port 465?

--
David C. Rankin, J.D.,P.E.
"DCR" == David C Rankin writes:

DCR> Server-Fault has a fail2ban solution:
DCR> https://serverfault.com/q/1099716/332034
DCR> But why isn't port 587 specified explicitly? Not needed? Isn't it
DCR> preferred over the deprecated port 465?

Have a look at https://github.com/GaryGapinski/fail2ban-extras

Postfix specific rules are https://github.com/GaryGapinski/fail2ban-extras/blob/master/filter.d/postfix...

That is what I am using.

--
Life is endless possibilities, and there is choice!
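An added example (not code from this thread, from the Server Fault answer, or from fail2ban-extras) that models what a fail2ban postfix-sasl jail does with its maxretry/findtime settings, run over constructed journal lines. It also shows why the port question above is about the ban action rather than detection: the filter matches the failure lines Postfix logs whatever port (25, 465 or 587) the client used, and the jail's port list only tells the ban action which ports to block for the offending address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Postfix smtpd journal lines (not taken from the thread).
# The year is assumed to be 2023 because syslog-style timestamps omit it.
SAMPLE_LOG = """\
Oct 30 14:02:11 mx postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 30 14:02:13 mx postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 30 14:02:15 mx postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Oct 30 14:03:01 mx postfix/smtpd[4102]: connect from mail.example.net[198.51.100.9]
Oct 30 14:03:02 mx postfix/smtpd[4102]: warning: mail.example.net[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 30 14:20:40 mx postfix/smtpd[4103]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Match in the spirit of fail2ban's postfix-sasl filter: a syslog timestamp, the
# smtpd process (also postfix/submission/smtpd when master.cf sets syslog_name),
# then "hostname-or-unknown[ip]: SASL <mech> authentication failed".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S*smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)


def parse_failures(log_text, year=2023):
    """Yield (timestamp, client_ip) for every SASL authentication failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for addresses reaching maxretry failures
    inside a sliding findtime window (seconds), like a fail2ban jail."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned
```

With the sample above, 203.0.113.7 trips the default threshold on its third failure at 14:02:15 while the single failure from 198.51.100.9 does not, which is the behaviour you want before pointing an iptables action at the result.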
On 2023-10-30 23:53, David C. Rankin wrote:
On 10/30/23 16:14, Carlos E. R. wrote:
On 2023-10-30 21:36, David C. Rankin wrote:
All,
Anybody running mail server noticing a large uptick in failed SASL login attempts? At times I'll just have the server journal displaying in an x-term. Past 24 hours or so there is a marked increase in SASL login attempts to postfix with most originating from LATNIC and Brazil in particular (with the normal smattering of RIPE critters)
Yes, I have heard of it.
And it is dangerous, they will eventually find the password of the mail account.
Not with:
# ipta 207.189.192.0/20 174 DROP iptables -I INPUT 174 -s 207.189.192.0/20 -j DROP
they won't :)
(so much for staying with a stateful firewall.... fight fire with fire...)
I have been told that just implementing greylisting on those attempts works. Mind, clients like Thunderbird don't handle it automatically, but as it is only applied to bad passwords, it doesn't matter much. The human can retry later.

--
Cheers / Saludos,
Carlos E. R. (from openSUSE 15.5 (Laicolasse))
participants (3): Carlos E. R., David C. Rankin, Togan Muftuoglu