Brute-Force Attack detected in service log on User(s) nologin, root

Tommyhara

Hello,

I am getting more of these

brutes.jpg

I blocked more IPs in ConfigServer Security & Firewall, but it seems it still doesn't stop.

What is the effective way to block these Brute-Force Attacks?


Thanks
 
Hello,

Are those attacks done to SSH? If this is the case, then change the SSH port from 22 to something different. Then disable password-based authentication in SSH in favor of key-based authentication.
 
I changed SSH port in the past.

Here's the content when I click into these tickets:

A brute force attack has been detected in one of your service logs.

User nologin has 378 failed login attempts: dovecot1=378

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404


A brute force attack has been detected in one of your service logs.

IP 218.107.213.89 has 51 failed login attempts: dovecot1=51
User nologin has 397 failed login attempts: dovecot1=397

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404
 
Check where dovecot puts its error log. It can be:
/var/log/messages
/var/log/dovecot*
/var/log/maillog
etc.
Then, in the CSF/LFD configuration, add/change the log path.
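
As an added example (not part of the thread and not CSF or DirectAdmin code), this script automates the check suggested in the post above: it finds which candidate log actually contains dovecot login failures and compares it with the log path set in csf.conf. `IMAPD_LOG` and `/etc/csf/csf.conf` are CSF's own names; the function names, the `auth failed` match pattern and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample log lines below are constructed.

# Count dovecot failed-login lines in one file (0 if missing or unreadable).
count_dovecot_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'dovecot.*auth failed' "$1" || true
}

# Print the candidate log holding the most dovecot failures (nothing if none).
find_dovecot_log() {
    best=""; best_n=0
    for f in "$@"; do
        n=$(count_dovecot_failures "$f")
        if [ "$n" -gt "$best_n" ]; then best="$f"; best_n="$n"; fi
    done
    if [ -n "$best" ]; then echo "$best"; fi
}

# Read a KEY = "value" line from a csf.conf-style file (last one wins).
csf_setting() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$2" | tail -n 1
}

# Compare the log LFD is told to watch with the log dovecot really writes.
# Args: csf.conf path, setting name (e.g. IMAPD_LOG), candidate log files...
check_lfd_log() {
    conf="$1"; key="$2"; shift 2
    actual=$(find_dovecot_log "$@")
    configured=$(csf_setting "$key" "$conf")
    if [ -z "$actual" ]; then echo "no-dovecot-failures-found"
    elif [ "$actual" = "$configured" ]; then echo "ok $key=$configured"
    else echo "mismatch $key=$configured actual=$actual"
    fi
}

# Demo on constructed files; on a server pass /etc/csf/csf.conf and the
# candidate paths from the post (/var/log/messages, /var/log/dovecot*, ...).
demo() {
    d=$(mktemp -d)
    line='Jan 10 03:14:07 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<nologin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10'
    echo 'Jan 10 03:14:01 mail sshd[811]: Accepted publickey for admin' > "$d/messages"
    printf '%s\n%s\n' "$line" "$line" > "$d/maillog"
    echo "IMAPD_LOG = \"$d/messages\"" > "$d/csf.conf"
    check_lfd_log "$d/csf.conf" IMAPD_LOG "$d/messages" "$d/dovecot.log" "$d/maillog"
    rm -rf "$d"
}

demo
```

A `mismatch` result means LFD is watching a file that dovecot does not log failures to, so no blocks are triggered from those attempts; restart CSF/LFD after correcting the path.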
 
It seems that BFM tickets get delivered to any user in DA. That might confuse users. Is there a way to set the config to only send such tickets to ADMIN?
 
I have never seen it get sent to users, only admins.
 