Netgate Discussion Forum

    Anyone else getting "Hammered" with bogus mailserver logins , from Brazil IPs ?

    Off-Topic & Non-Support Discussion
    3 Posts, 2 Posters, 775 Views
    • bingo600 (last edited by bingo600)

      I'm getting "hammered" with mailserver login attempts.
      It has been going on for several days.

      Sep 13 12:37:12 NOQUEUE: connect from [103.237.58.240]
      Sep 13 12:37:16 : pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
      Sep 13 12:37:17 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=xx.yy.zz] [mech=pam] [reason=PAM auth error]

      The sad part is mostly this .... : user=mailer-daemon
      This user does not even exist.

      My fail2ban blocked around 200 IPs yesterday, and they mostly (80+ percent) are registered in Brazil.

      Sigh ... More "Background Noise" ....

      Edit: The above was from IN , the below from BR

      NOQUEUE: connect from 186-216-94-41.ian-wr.mastercabo.com.br [186.216.94.41] (may be forged)

      Seems like some distributed/coordinated attack, but ... brilliant to attack a user not even in PAM 😨

      Normally I get several attempts, but the user varies with "random" names.
      This one keeps hammering on the same user; that's new (for me).
      Well, the same IP is not hammering for long ... then fail2ban steps in ...

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

      • Gertjan @bingo600

        @bingo600

        Someone somewhere started some script.

        As you said: it's fail2ban food.

        I activated the "recidive" list in fail2ban: after xx times being caught, the IP is moved to the forever list.

        [image: fail2ban ban graph]

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??
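As an added example (not code from this thread, and not fail2ban's own code): the script below replays constructed log lines in the same connect / auth-failure shape bingo600 posted, attributes each PAM auth failure to the preceding "connect from" IP (the saslauthd-style line carries no rhost, so adjacency is the only handle), counts which usernames are being tried, and simulates a fail2ban jail plus Gertjan's recidive escalation to a permanent list. The thresholds (maxretry 3, findtime 10 minutes, bantime 1 hour, recidive after 2 bans), the realm, the timestamps and the 203.0.113.7 address are assumptions made for the example.

```python
"""Replay mailserver auth failures through a fail2ban-style jail with recidive.

Added example; the log below is constructed to mimic the format in the post.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: two noisy sources (the IPs quoted in the post) and one
# low-volume source (203.0.113.7, documentation range) that never hits maxretry.
SAMPLE_LOG = """\
Sep 13 12:37:12 NOQUEUE: connect from [103.237.58.240]
Sep 13 12:37:16 : pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 13 12:37:17 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 12:37:21 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 12:37:25 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 12:40:02 NOQUEUE: connect from 186-216-94-41.ian-wr.mastercabo.com.br [186.216.94.41] (may be forged)
Sep 13 12:40:05 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 12:40:09 :      : auth failure: [user=admin] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 12:40:13 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 12:55:00 NOQUEUE: connect from [203.0.113.7]
Sep 13 12:55:03 :      : auth failure: [user=test] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 12:55:06 :      : auth failure: [user=info] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 14:02:40 NOQUEUE: connect from [103.237.58.240]
Sep 13 14:02:43 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 14:02:47 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
Sep 13 14:02:51 :      : auth failure: [user=mailer-daemon] [service=smtp] [realm=example.org] [mech=pam] [reason=PAM auth error]
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
CONNECT_RE = re.compile(TS + r" .*connect from (?:\S+ )?\[(?P<ip>[\d.]+)\]")
AUTHFAIL_RE = re.compile(TS + r" .*auth failure: \[user=(?P<user>[^\]]*)\]")


def parse_ts(text):
    # Syslog timestamps carry no year; a fixed default year is fine for deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_events(log_text):
    """Return [(timestamp, ip, user)] for every auth failure line.

    The failure line has no rhost, so it is attributed to the most recent
    'connect from' IP. This is a heuristic: interleaved sessions from several
    clients could misattribute a failure.
    """
    events, current_ip = [], None
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            current_ip = m.group("ip")
            continue
        m = AUTHFAIL_RE.match(line)
        if m and current_ip:
            events.append((parse_ts(m.group("ts")), current_ip, m.group("user")))
    return events


def simulate_fail2ban(events, maxretry=3, findtime=timedelta(minutes=10),
                      bantime=timedelta(hours=1), recidive_bans=2):
    """Replay failures through a fail2ban-like jail and a recidive jail.

    Returns (bans, permanent): bans maps ip -> list of ban timestamps; permanent
    is the set of IPs whose ban count reached recidive_bans (the 'forever list').
    Failures while an IP is banned are skipped, as a banned host cannot reach
    the service and would not produce log lines.
    """
    window, banned_until = defaultdict(list), {}
    bans, permanent = defaultdict(list), set()
    for ts, ip, _user in sorted(events):
        if ip in permanent or banned_until.get(ip, ts) > ts:
            continue
        recent = [t for t in window[ip] if ts - t <= findtime] + [ts]
        window[ip] = recent
        if len(recent) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + bantime
            window[ip] = []
            if len(bans[ip]) >= recidive_bans:
                permanent.add(ip)
    return dict(bans), permanent


def targeted_users(events):
    """Count attempted usernames, e.g. to spot a campaign fixed on one account."""
    return Counter(user for _, _, user in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    bans, permanent = simulate_fail2ban(evs)
    print("targeted users:", targeted_users(evs).most_common())
    for ip, times in bans.items():
        print(ip, "banned", len(times), "time(s)", "PERMANENT" if ip in permanent else "")
```

Running it shows mailer-daemon dominating the username counter, one ban each for the two noisy IPs on the first burst, and 103.237.58.240 promoted to the permanent list when it comes back after its first ban expires; the two-attempt source never trips maxretry, which is the kind of low-and-slow traffic a recidive jail alone will not catch.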

        • bingo600 @Gertjan (last edited by bingo600)

          @gertjan
          That's a nice graph 👍

          So my 200 bans a day is "nothing ... I guess"
          Edit: Ahh, it spans a year 🤕, missed that

          /Bingo


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.