Brute-Force Attack detected in service log on User(s) nologin, root

Tommyhara

Verified User, joined Jul 25, 2014, 162 messages
Hello,

I am getting more of these:

[Attached image: brutes.jpg]

I blocked more IPs in ConfigServer Security & Firewall, but it seems it still doesn't stop.

What is the effective way to block these Brute-Force Attacks?


Thanks
 

zEitEr

Super Moderator, joined Apr 11, 2005, 14,146 messages, location GMT +7.00
Hello,

Are those attacks against SSH? If this is the case, then change the SSH port from 22 to something different. Then disable password-based authentication in SSH in favor of key-based authentication.
 

Tommyhara

I changed the SSH port in the past.

Here's the content shown when I click into these tickets:

A brute force attack has been detected in one of your service logs.

User nologin has 378 failed login attempts: dovecot1=378

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404

A brute force attack has been detected in one of your service logs.

IP 218.107.213.89 has 51 failed login attempts: dovecot1=51
User nologin has 397 failed login attempts: dovecot1=397

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404
 

Zhenyapan

Verified User, joined Feb 23, 2018, 114 messages, location UA
Check where dovecot puts its error log; it can be:
/var/log/messages
/var/log/dovecot*
/var/log/maillog
etc.
Then, in the CSF/LFD configuration, add/change the log path.
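
Added example, not part of the thread and not DirectAdmin or CSF code: a small Python tally of Dovecot authentication failures per remote IP and per user, which shows whether a candidate log file actually contains the lines behind the `dovecot1=` counts. The log line layout, the function names and the sample lines are assumptions; adjust the pattern to what your own log shows.

```python
import re
import sys
from collections import Counter

# Assumed shape of a Dovecot login-failure line; the exact text varies with
# the Dovecot version and syslog settings, so compare against your own log.
FAIL_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: .*?\(auth failed, (?P<n>\d+) attempts[^)]*\)"
    r".*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample lines (not from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:15:22 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<nologin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<a1>
Mar  3 10:15:40 mail dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 6 secs): user=<nologin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, session=<a2>
Mar  3 10:16:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, mpid=4242, session=<a3>
Mar  3 10:16:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10, session=<a4>
Mar  3 10:16:30 mail sshd[811]: Failed password for root from 198.51.100.99 port 50022 ssh2
""".splitlines()

def tally_failures(lines):
    """Return (attempts per remote IP, attempts per user) for Dovecot auth failures."""
    by_ip, by_user = Counter(), Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:  # successful logins and other services' lines are skipped
            n = int(m.group("n"))
            by_ip[m.group("rip")] += n
            by_user[m.group("user") or "(empty)"] += n
    return by_ip, by_user

def over_limit(counter, limit):
    """Keys whose failed-attempt total reaches the limit, highest first."""
    return [key for key, total in counter.most_common() if total >= limit]

if __name__ == "__main__":
    # Pass candidate log paths as arguments; with none, the constructed sample is used.
    inputs = [(p, open(p, errors="replace").read().splitlines()) for p in sys.argv[1:]]
    for name, lines in inputs or [("constructed sample", SAMPLE_LOG)]:
        by_ip, by_user = tally_failures(lines)
        print(name, "per IP:", dict(by_ip), "per user:", dict(by_user))
        print("  IPs at or over 5 attempts:", over_limit(by_ip, 5))
```

A file that yields empty tallies is not where Dovecot writes its login failures, so it is not the path to give CSF/LFD.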
 