Anyone else getting "Hammered" with bogus mailserver logins, from Brazil IPs?
I'm getting "Hammered" with mailserver login attempts.
Has been going on for several days.
Sep 13 12:37:12 NOQUEUE: connect from [220.127.116.11]
Sep 13 12:37:16 : pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 13 12:37:17 : : auth failure: [user=mailer-daemon] [service=smtp] [realm=xx.yy.zz] [mech=pam] [reason=PAM auth error]
The sad part is mostly this .... : user=mailer-daemon
This user does not even exist.
My fail2ban blocked around 200 IPs yesterday, and they mostly (80+ percent) are registered in Brazil.
Sigh ... More "Background Noise" ....
Edit: The above was from IN , the below from BR
NOQUEUE: connect from 186-216-94-41.ian-wr.mastercabo.com.br [18.104.22.168] (may be forged)
Seems like some distributed/coordinated attack, but ... brilliant to attack a user not even in PAM.
Normally I get several attempts, but the user varies with "random" names.
This one keeps hammering on the same user, that's new (for me).
Well, the same IP is not hammering for long ... then fail2ban steps in ...
Gertjan last edited by
Someone started some script somewhere.
As you said: it's fail2ban food.
I activated the "recidive" list in fail2ban: after xx times being caught, the IP is moved to the forever list.
That's a nice graph.
So my 200 bans a day is "nothing" ... I guess.
Edit: Ahh, it spans a year, missed that.
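The "recidive" escalation mentioned above, sketched as an added example (not code from the thread or from fail2ban itself): it reads ban events in fail2ban.log format and reports IPs that were banned often enough to deserve the long-term list. The log lines are constructed with documentation IPs, and the `postfix-sasl` jail name and the 3-bans-in-3-days threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed fail2ban.log excerpt (documentation IPs, not taken from the thread).
SAMPLE_LOG = """\
2023-09-11 08:01:10,101 fail2ban.actions [812]: NOTICE [postfix-sasl] Ban 192.0.2.10
2023-09-11 19:40:02,530 fail2ban.actions [812]: NOTICE [postfix-sasl] Ban 198.51.100.7
2023-09-12 03:15:44,007 fail2ban.actions [812]: NOTICE [postfix-sasl] Unban 192.0.2.10
2023-09-12 09:22:31,250 fail2ban.actions [812]: NOTICE [postfix-sasl] Ban 192.0.2.10
2023-09-13 12:37:17,482 fail2ban.actions [812]: NOTICE [postfix-sasl] Ban 192.0.2.10
2023-09-13 12:37:18,001 fail2ban.actions [812]: NOTICE [recidive] Ban 192.0.2.10
2023-09-20 10:00:00,000 fail2ban.actions [812]: NOTICE [postfix-sasl] Ban 198.51.100.7
"""

# Matches "Ban" events only; "Unban" lines do not match because of the \s+ before Ban.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s+fail2ban\.actions\s*\[\d+\]:"
    r"\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

def repeat_offenders(log_text, maxretry=3, findtime=timedelta(days=3),
                     own_jail="recidive"):
    """Return {ip: time of the ban that crossed the threshold}.

    maxretry and findtime are assumed values; bans issued by the
    escalation jail itself (own_jail) are skipped so it cannot feed itself.
    """
    recent = defaultdict(deque)   # ip -> ban times inside the sliding window
    flagged = {}
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m or m.group("jail") == own_jail:
            continue
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        window = recent[m.group("ip")]
        window.append(when)
        while when - window[0] > findtime:   # drop bans older than findtime
            window.popleft()
        if len(window) >= maxretry and m.group("ip") not in flagged:
            flagged[m.group("ip")] = when
    return flagged

if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the repeat-ban threshold at {when}")
```
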