Recently I’ve been getting some new hacking/intrusion-attempt attacks on my email server… the attacker seems to keep changing the IPs and targeting different system modules, making the fail2ban filter settings ineffective.
I noticed (in reviewing the secure logs) that the attacker uses the same and multiple email addresses but switches to different IPs to send or log in, i.e. junji.inukai@domain.name etc… so I created an RSpamd rule to block those emails and it seems to resolve the attacks for the moment.
Every row of this output is an attack stopped by fail2ban. You could also trigger harsher reactions, enabling permaban or triggering the ban reaction faster, but it won’t block the connection attempts from external services.
Adding more modules (like blacklists) will move the log of the attack from fail2ban to that kind of tool.
Currently NethServer does not implement geo-IP filtering (which could restrict access to some services to IPs presumably located in nations you allow); however, the external systems will keep trying to connect.
So.
Are you gonna report to the owner of every IP that the connection is trying to abuse your server?
Thank you for the suggestion… I found the attacker is using FAKE email addresses (multiple of them) and switching or rotating the IPs… I put a BLACKLIST on those email addresses. So far it seems to work.
Will keep watching the problem.
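An added example, not code from this thread or from NethServer, of the identity-centric view the two posts above arrive at: it groups failed logins by the account name rather than by source IP, so one identity spread over rotating addresses stands out where a per-IP fail2ban threshold stays quiet. The log lines are constructed, loosely modelled on Dovecot auth-failure messages (the exact format is an assumption), and the source IPs are RFC 5737 documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines, loosely modelled on Dovecot imap-login
# auth-failure messages (the exact format is an assumption; adapt the regex).
# Source IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 12 02:14:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<junji.inukai@domain.name>, method=PLAIN, rip=203.0.113.10
Mar 12 02:14:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<junji.inukai@domain.name>, method=PLAIN, rip=198.51.100.22
Mar 12 02:14:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<junji.inukai@domain.name>, method=PLAIN, rip=192.0.2.77
Mar 12 02:15:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<Junji.Inukai@domain.name>, method=PLAIN, rip=203.0.113.10
Mar 12 02:15:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ceo@domain.name>, method=PLAIN, rip=198.51.100.22
Mar 12 02:16:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<ceo@domain.name>, method=PLAIN, rip=192.0.2.5
Mar 12 02:17:55 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<alice@domain.name>, method=PLAIN, rip=192.0.2.50
Mar 12 02:18:02 mail dovecot: imap-login: Login: user=<alice@domain.name>, method=PLAIN, rip=192.0.2.50
"""

AUTH_FAIL_RE = re.compile(
    r"auth failed.*?user=<([^>]+)>.*?rip=(\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_auth_failures(log_text):
    """Return (identity, remote_ip) pairs for every failed-auth line."""
    pairs = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            # Normalise case so the same mailbox is not counted twice.
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs

def failures_per_ip(log_text):
    """Per-source-IP failure counts: the view a fail2ban jail bans on.
    With IP rotation no single address reaches a typical maxretry."""
    return Counter(ip for _, ip in parse_auth_failures(log_text))

def rotating_identities(log_text, min_ips=3):
    """Identities whose failures arrived from at least min_ips distinct IPs."""
    seen = defaultdict(set)
    for identity, ip in parse_auth_failures(log_text):
        seen[identity].add(ip)
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) >= min_ips}

def as_multimap_lines(identities):
    """Render flagged identities as an Rspamd map file body, one address
    per line (map format assumed; pair it with your own multimap rule)."""
    return "\n".join(sorted(identities)) + "\n"
```

In the sample no single IP exceeds two failures, so an IP-keyed threshold never fires, while the identity view flags the one account probed from three addresses.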