I am used to lots of failed break-in attempts in the logs, but recently I’ve seen a different view of it.
I have a server, running on Sympl, that has a few dozen websites on it: the domains we host that don’t have mailboxes.
Despite the lack of mailboxes, EVERY day there are thousands, usually tens of thousands, of attempts to log in to mailboxes.
It seems such a pity there is no way to collect these login attempts and either divert them to a tarpit or to block the IPs.
I’m aware that fail2ban is not compatible with Sympl (though not aware of why not).
Is there anything that can be done to impede this ‘door handle trying’ activity?
I’ve put some rules in Exim’s connect acl to tackle this problem.
- Refuse connection unless the IP coming in has a reverse IP address (a PTR record).
  This is fairly reasonable; the mail system will refuse mail later on if the test for PTR is negative. Nearly all of the connects trying to crack passwords come from random machines that don’t have this setup.
- Perhaps more dangerous is to do DNS Blacklist lookups in the Connect ACL. Again, there may be some false positives with this.
This is online on GitHub in pcollinson/sympl-email-changes, file exim4/sympl.d/10-acl/10-acl-check-connect (master branch). I’ve added a new whitelist file to permit sites past these checks. This may not be that necessary.
It also contains a section where it checks the IP address in the sympl or nftfw blacklist database.
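The three connect-time checks described in this reply, written out as an Exim ACL fragment. This is an added example, not the contents of the linked GitHub file: it assumes Sympl's main configuration already has `acl_smtp_connect = acl_check_connect` (the ACL that the 10-acl-check-connect file defines), that `/etc/exim4/whitelist-hosts` is a hypothetical local file with one IP address or CIDR block per line, and that `dnsbl.example` is a placeholder for whichever DNSBL is actually chosen. The sympl/nftfw blacklist-database lookup is left out because its on-disk format is not described here.

```exim
# Added example: Exim connect-time ACL for the checks described above.
# Assumed: the main config contains "acl_smtp_connect = acl_check_connect".

acl_check_connect:

  # Local whitelist (hypothetical path): one IP address or CIDR block per
  # line. Hosts listed here skip the PTR and DNSBL tests below.
  accept hosts        = /etc/exim4/whitelist-hosts

  # Refuse connections from addresses with no reverse DNS (PTR) record.
  # /defer_ok treats a DNS timeout as "lookup succeeded", so a resolver
  # hiccup does not refuse a legitimate sender; only a definite "no PTR"
  # is denied. log_message records the reason in mainlog for later review.
  deny   message      = Connection refused: no reverse DNS for $sender_host_address
         log_message  = connect denied: no PTR for $sender_host_address
         !verify      = reverse_host_lookup/defer_ok

  # Refuse connections listed in a DNS blacklist. "dnsbl.example" is a
  # placeholder for the real DNSBL. Exim treats a temporary DNS failure as
  # "not listed", so this only rejects on a positive hit, which limits the
  # false-positive risk the reply mentions to the list's own accuracy.
  deny   message      = Connection refused: $sender_host_address is listed at $dnslist_domain
         log_message  = connect denied: $sender_host_address in $dnslist_domain ($dnslist_text)
         dnslists     = dnsbl.example

  # Everything else proceeds to the normal HELO, AUTH and RCPT ACLs.
  accept
```

Before deploying, `exim -bh <ip-address>` runs a simulated SMTP session from that address and shows which of these verbs fires, so a whitelisted or badly resolving host can be checked without waiting for a live connection.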