Block brute force attack from Plesk firewall


Issue: The SMTP service on the server has been receiving unauthorised brute-force requests.

Update 1: The following entries were found in the maillog on the server:

May 15 12:13:44 host plesk_saslauthd[11425]: No such user 'zhanna123@plesk.page' in mail authorization database
May 15 12:13:44 host plesk_saslauthd[11425]: failed mail authentication attempt for user 'zhanna123@plesk.page' (password len=6)
May 15 12:13:44 host postfix/smtpd[10387]: warning: unknown[46.148.40.175]: SASL LOGIN authentication failed: authentication failure
May 15 12:18:09 host plesk_saslauthd[11996]: No such user 'pf@plesk.page' in mail authorization database
May 15 12:18:09 host plesk_saslauthd[11996]: failed mail authentication attempt for user 'pf@plesk.page' (password len=8)
May 15 12:18:09 host postfix/smtpd[11184]: warning: unknown[80.94.95.242]: SASL LOGIN authentication failed: authentication failure

Update 2: The log shows that the server was under a brute-force attack from the 46.148.40.0/24 and 80.94.95.0/24 IP address ranges.
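
One way to derive such ranges from the maillog, as an added example that is not part of the original article: it counts Postfix SASL authentication failures per /24 source network. The function names, the threshold of 2 and the sample lines marked as constructed are assumptions made for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Matches the postfix/smtpd warning format shown in Update 1 and captures the client IPv4.
FAILED_AUTH = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL [\w-]+ authentication failed"
)

# Sample input: the first three lines are quoted from the article; the last three
# are constructed for this example (203.0.113.9 is a documentation address).
SAMPLE_MAILLOG = """\
May 15 12:13:44 host plesk_saslauthd[11425]: failed mail authentication attempt for user 'zhanna123@plesk.page' (password len=6)
May 15 12:13:44 host postfix/smtpd[10387]: warning: unknown[46.148.40.175]: SASL LOGIN authentication failed: authentication failure
May 15 12:18:09 host postfix/smtpd[11184]: warning: unknown[80.94.95.242]: SASL LOGIN authentication failed: authentication failure
May 15 12:19:02 host postfix/smtpd[11201]: warning: unknown[46.148.40.31]: SASL LOGIN authentication failed: authentication failure
May 15 12:20:47 host postfix/smtpd[11233]: warning: unknown[80.94.95.18]: SASL LOGIN authentication failed: authentication failure
May 15 12:21:10 host postfix/smtpd[11240]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
"""

def failed_auth_by_range(log_text, prefix=24):
    """Count failed SASL logins per source network of the given prefix length."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_AUTH.search(line)
        if not match:
            continue  # saslauthd lines carry no client IP, so only smtpd lines count
        try:
            network = ip_network(f"{match.group(1)}/{prefix}", strict=False)
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        counts[str(network)] += 1
    return counts

def ranges_to_block(log_text, threshold=2, prefix=24):
    """Return the networks with at least `threshold` failures, sorted."""
    counts = failed_auth_by_range(log_text, prefix)
    return sorted(net for net, hits in counts.items() if hits >= threshold)

if __name__ == "__main__":
    for net, hits in failed_auth_by_range(SAMPLE_MAILLOG).most_common():
        print(f"{hits:4d}  {net}")
    print("Candidate ranges for a deny rule:", ranges_to_block(SAMPLE_MAILLOG))
```

Review the per-range counts before denying a whole /24, since the same range can also contain legitimate senders.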

Resolution:

Step 1: Install the Plesk Firewall extension as described in the KB article below:

https://support.plesk.com/hc/en-us/articles/12377540171799-How-to-install-Plesk-Firewall

Step 2: Click on the Plesk Firewall extension, then click on the "+" sign to create a custom Plesk firewall rule.

Step 3: Create a custom firewall rule that denies SMTP connections on port "25" from the brute-force IP ranges, as shown in the screenshot below.

   

