Lastly, I did a huge update on fail2ban to ban attackers on NS7. I don’t know, I’m not sure if fail2ban does its job well on NS6 for the email stack.
Could you please monitor some specific logs?
In /var/log/imap, for example:
Apr 27 18:57:48 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=121.226.46.240, lip=207......, session=<+f+EZjBO4wB54i7w>
Apr 27 21:59:30 mail dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=115.127.82.34, lip=207......, session=<s9JN8DJONwBzf1Ii>
In /var/log/secure, for example:
Apr 24 19:35:50 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=reg...@fara.... rhost=1.162.76.76 user=regg...@far....
In /var/log/maillog, for example:
May 1 21:05:17 mail postfix/smtpd[17639]: connect from unknown[125.211.128.241]
May 1 21:05:18 mail postfix/smtpd[17639]: lost connection after AUTH from unknown[125.211.128.241]
Anyway, you should look out for all odd and repetitive lines.
You can see if fail2ban works with the command ‘fail2ban-listban’.
Of course, a jail set to zero banned… it is not a good sign. After each service restart the statistics are set to zero.
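
A way to spot the repetitive lines described in the post, as an added example that is not part of the original post: a small Python script that counts per-address hits for the three log patterns quoted above. The regular expressions are modelled on those excerpts, and the sample lines, addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# Regexes modelled on the three excerpts in the post (assumed log formats).
PATTERNS = {
    "dovecot-plaintext": re.compile(
        r"dovecot: (?:pop3|imap)-login: (?:Disconnected|Aborted login) "
        r"\(tried to use disallowed plaintext auth\):.*?\brip=(?P<ip>[^,\s]+)"),
    "pam-auth-failure": re.compile(
        r"pam_sss\(dovecot:auth\): authentication failure;.*?\brhost=(?P<ip>\S+)"),
    "postfix-lost-after-auth": re.compile(
        r"postfix/smtpd\[\d+\]: lost connection after AUTH from \S*\[(?P<ip>[^\]]+)\]"),
}

# Constructed sample lines using documentation address ranges (not real log data).
SAMPLE = [
    "Apr 27 18:57:48 mail dovecot: pop3-login: Disconnected (tried to use disallowed "
    "plaintext auth): user=<>, rip=203.0.113.5, lip=192.0.2.1, session=<aaaa>",
    "Apr 27 18:57:50 mail dovecot: pop3-login: Aborted login (tried to use disallowed "
    "plaintext auth): user=<>, rip=203.0.113.5, lip=192.0.2.1, session=<bbbb>",
    "Apr 27 18:58:01 mail auth: pam_sss(dovecot:auth): authentication failure; logname= "
    "uid=0 euid=0 tty=dovecot ruser=user@example.org rhost=203.0.113.5 user=user@example.org",
    "May  1 21:05:17 mail postfix/smtpd[17639]: connect from unknown[198.51.100.7]",
    "May  1 21:05:18 mail postfix/smtpd[17639]: lost connection after AUTH from "
    "unknown[198.51.100.7]",
    "May  1 21:06:00 mail dovecot: imap-login: Login: user=<user@example.org>, "
    "method=PLAIN, rip=192.0.2.50, lip=192.0.2.1, TLS",
]

def count_offenders(lines, threshold=3):
    """Return ({ip: total} for addresses at or above threshold, per-(ip, pattern) hits)."""
    hits = Counter()
    for line in lines:
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                hits[(m.group("ip"), name)] += 1
                break  # one pattern per line is enough
    per_ip = Counter()
    for (ip, _name), n in hits.items():
        per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}, hits

if __name__ == "__main__":
    offenders, hits = count_offenders(SAMPLE)
    for (ip, name), n in sorted(hits.items()):
        print(f"{ip:15} {name:24} {n}")
    print("at or above threshold:", offenders)
```

Addresses that show up here but never appear as banned in the matching jail are the ones worth checking against the jail's filter and log path.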