Email address under attack - some advice please

exlhost

Dear DA gurus and community

Had this once on another box but this one is bigger.
There is a brute force attack on an email address on one of my boxes.
It only tries to connect once with 1 IP address at a time and this has been going on for a few days now.
Changed the firewall directly to block the IP after one failed login and the csf deny now already contains 1000+ blocked IPs from the last 2 days.
If anyone has great tips for me that would be great as these are always welcome. Already changed the password to a stronger one each day for this email address.
I was wondering how safe are the random passwords in DirectAdmin?

Thanks
 
If they already use only one IP per try, it's not useful to block wrong logins after 1 try already. With 1000+ blocked IPs in CSF it only makes your server slower.

I don't have experience with this but maybe you could write/apply a rule somewhere that only the owner's IP(s) is/are allowed to log in to this mailbox and all others are blocked?
In case the owner happens to be on a different IP one day, he/she could always log in with webmail to check emails.
 
You won't be able to block them all.
I had attacks like these for days, coming from different IP addresses only doing 1 attempt at a time. Another time it was 2 or 3 attempts at a time.
Since it was no use to block all IPs, which indeed will only make your server slower as iptables lines increase, I came to the conclusion that it's best to ignore it.

The only thing is that it bothers you looking at the logs. It can take days or a couple of months and then it's quiet again for some time. Or FTP attacks begin or whatever.
Only very seldom do they manage to indeed brute-force a password from some customer who made it too easy again, so I wouldn't worry about it.
 
Thanks for both replies

I know I'm not able to block them all as this makes the server slow after a few thousand.
Changed the password length of random passwords in DirectAdmin as well. And the password of the targeted email address is very strong now.
It is 3 attempts at a time from different IP addresses, but now it's not every 5 to 10 minutes anymore so it looks like it is slowing down at the moment.

Thanks in advance
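
Added example, not part of any post in this thread: the attack described here stays under a per-IP lockout, so this Python code counts failed logins per mailbox across source IPs instead of per IP. It assumes the mail server writes Dovecot-style login lines (the thread does not name the daemon); the sample log, accounts, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Dovecot login logging; addresses
# are documentation ranges and the accounts are placeholders.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=198.51.100.11, lip=192.0.2.10, TLS
Mar  3 10:06:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.45, lip=192.0.2.10, TLS
Mar  3 10:13:12 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<info@example.com>, method=PLAIN, rip=198.51.100.200, lip=192.0.2.10
Mar  3 10:14:02 mx dovecot: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.10, TLS
Mar  3 10:21:55 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS
Mar  3 10:30:00 mx dovecot: imap-login: Disconnected (auth failed, 6 attempts in 31 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.77, lip=192.0.2.10, TLS
"""

FAIL_RE = re.compile(
    r"auth failed, (\d+) attempts in \d+ secs\): user=<([^>]*)>.*?rip=([0-9A-Fa-f.:]+)"
)

def failures(log_text):
    """Yield (account, source_ip, attempts) for each failed-auth line."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group(2).lower(), m.group(3), int(m.group(1))

def per_ip_offenders(log_text, threshold=5):
    """Per-IP lockout view: IPs with at least `threshold` failed attempts."""
    counts = defaultdict(int)
    for _, ip, n in failures(log_text):
        counts[ip] += n
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def distributed_targets(log_text, min_ips=4, max_per_ip=3):
    """Accounts failing from many IPs that each stay under the per-IP limit."""
    by_account = defaultdict(lambda: defaultdict(int))
    for account, ip, n in failures(log_text):
        by_account[account][ip] += n
    return {
        acct: {"ips": len(ips), "attempts": sum(ips.values())}
        for acct, ips in by_account.items()
        if len(ips) >= min_ips and max(ips.values()) <= max_per_ip
    }

if __name__ == "__main__":
    print("per-IP view:", per_ip_offenders(SAMPLE_LOG))
    print("per-account view:", distributed_targets(SAMPLE_LOG))
```

The per-IP view flags only the single noisy address, while the per-account view surfaces the mailbox that is being tried from many addresses, which is the one whose password strength and access rules matter.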
 