Hi,
Server logs filled with constant multiple failed login attempts:
Code:
smtp_auth: SMTP connect from mail.xxxxxx.com [xxx.xx.xxx.xx]
smtp_auth: FAILED: xxxxxx - password incorrect from mail.xxxxxx.com [xxx.xx.xxx.xx]
pop3d: LOGIN FAILED, ip=[xx.xxx.xx.xxx]
pop3d: IMAP connect from @ [xx.xxx.xx.xxx]
checkmailpasswd: FAILED: xxxx - short names not allowed from @
ASL does not appear to be blocking all these attempts, it often catches the pop3d with Rule 3912 (but not every time despite the failure rate being high enough). Often the smtp based brute-force leads to:
Code:
Deactivating service smtp due to excessive incoming connections
ASL detects this with rule 2301 level 10, but is unable to detect the IP address. Would have expected Rule 60903 smtp_auth authentication failed to be logged (although it is not set to have an active response)
Can supply more examples with IPs (they range from USA, Russia/Eastern Europe & China mostly).
I can't be the only target for this? The logs are being filled with this stuff and while I don't expect the attempts to be successful, I'd like to block them and increase the blocking time as they continue. I stopped manually blacklisting them the past month to let ASL do its thing, but the flood of failures in the logs is ridiculous.
Thanks for your thoughts and input
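Added example, not code from the original post and not ASL's own rule logic: a small Python detector that parses the three failure shapes quoted above (smtp_auth, pop3d LOGIN FAILED, and the checkmailpasswd line that carries no address of its own), counts failures per source IP, and works out an escalating block length. The sample log lines and IPs are constructed; the assumption that a checkmailpasswd failure belongs to the most recent "connect from" line, and the threshold and timing values, are mine.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the shape quoted in the post (IPs made up).
SAMPLE_LOG = """\
smtp_auth: SMTP connect from mail.example.net [203.0.113.5]
smtp_auth: FAILED: bob - password incorrect from mail.example.net [203.0.113.5]
smtp_auth: FAILED: alice - password incorrect from mail.example.net [203.0.113.5]
pop3d: LOGIN FAILED, ip=[198.51.100.7]
pop3d: LOGIN FAILED, ip=[198.51.100.7]
pop3d: LOGIN FAILED, ip=[198.51.100.7]
pop3d: IMAP connect from @ [192.0.2.9]
checkmailpasswd: FAILED: x - short names not allowed from @
pop3d: LOGIN FAILED, ip=[198.51.100.7]
pop3d: LOGIN FAILED, ip=[198.51.100.7]
pop3d: LOGIN FAILED, ip=[198.51.100.7]
smtp_auth: FAILED: carol - password incorrect from mail.example.net [203.0.113.5]
"""

# Failure lines that carry the client address themselves.
FAIL_PATTERNS = [
    re.compile(r"^smtp_auth: FAILED: .* from \S+ \[(?P<ip>[\d.]+)\]"),
    re.compile(r"^pop3d: LOGIN FAILED, ip=\[(?P<ip>[\d.]+)\]"),
]
# "connect from" lines (SMTP/IMAP/POP3); the host part may be just "@".
CONNECT_RE = re.compile(
    r"^\w+: (?:SMTP|IMAP|POP3) connect from \S* ?\[(?P<ip>[\d.]+)\]"
)
# checkmailpasswd has no address; assumption: it follows the connect line
# for the same session, so attribute it to the last connecting IP seen.
CHECKPW_RE = re.compile(r"^checkmailpasswd: FAILED:")


def count_failures(log_text):
    """Return {ip: number_of_failed_logins} across all three daemons."""
    counts = defaultdict(int)
    last_connect_ip = None
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            last_connect_ip = m.group("ip")
            continue
        if CHECKPW_RE.match(line):
            if last_connect_ip:
                counts[last_connect_ip] += 1
            continue
        for pat in FAIL_PATTERNS:
            m = pat.match(line)
            if m:
                counts[m.group("ip")] += 1
                break
    return dict(counts)


def block_decision(failures, threshold=3, base_minutes=10, max_minutes=1440):
    """Block length in minutes, or None below the threshold.

    Escalation (assumed policy): the first `threshold` failures earn
    `base_minutes`; every further `threshold` failures double it, capped
    at `max_minutes` (one day by default).
    """
    if failures < threshold:
        return None
    steps = failures // threshold - 1
    return min(base_minutes * (2 ** steps), max_minutes)


def plan_blocks(log_text, **policy):
    """Map each IP over the threshold to the block length it should get."""
    plan = {}
    for ip, n in count_failures(log_text).items():
        minutes = block_decision(n, **policy)
        if minutes is not None:
            plan[ip] = minutes
    return plan


if __name__ == "__main__":
    for ip, n in sorted(count_failures(SAMPLE_LOG).items()):
        print(f"{ip}: {n} failures")
    for ip, minutes in sorted(plan_blocks(SAMPLE_LOG).items()):
        print(f"block {ip} for {minutes} min")
```

Run it against a real mail log by replacing SAMPLE_LOG with the file contents; the output is only a plan, so wiring it to an actual firewall or blacklist is up to whatever tooling you already trust. Note that the one failure attributed to 192.0.2.9 stays below the threshold, which is the point of keying on the connect line: without it, checkmailpasswd failures are invisible to any per-IP count.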