Urgent: Seeking Assistance with Mail Server Security - Brute Force/Enumeration Attack

NethServer Version: NS8
Module: Mail1

Hello everyone,

I’m currently facing a security issue with my mail server (NS8, Mail1 module). It appears to be under a brute force/enumeration attack. An unidentified entity, likely automated, is attempting various user credentials. Fortunately, the system has not been breached so far, but I am deeply concerned about the security of my setup.

Could someone advise on effective measures to address this issue? Is there a blacklist feature available within NethServer that I can leverage to enhance security?

Your assistance is highly appreciated. Thank you. :slight_smile:

Welcome @Juri (even under these problematic circumstances),

First: be sure you do not have test users with weak passwords.

You may install the CrowdSec module (an alternative to fail2ban):
https://docs.nethserver.org/projects/ns8/en/latest/crowdsec.html

In general there is not much to do other than wait it out.
To discourage the bot you may close port 25 in your firewall temporarily (the bot tries to log in on the SMTP server).

Success!

Thank you very much for your prompt response, @mark_nl.

I have recently installed CrowdSec, but the issue came to my attention by chance. I was configuring email notifications on Proxmox and, in the process, accessed the logs. In general, what methods are available for receiving notifications in such situations?

Honestly, I am completely new to the CrowdSec tool. I installed it and enabled the remote dashboard. What should I do next? I selected my blacklists completely randomly… :sweat_smile:

@Juri

As the attacks come (per log) from a single host, you could also just block anything from that single IP, using whatever firewall you’re using in front of NS8…

Would help until the bot owner realizes this and switches over to another bot, but I doubt he has that option.
So far, he hasn’t used or tried it…

My 2 cents
Andy
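Andy's suggestion above rests on reading the source IP out of the mail log. The following is an added example (not from this thread, NethServer, fail2ban or CrowdSec) that does the same aggregation those tools automate: it parses constructed Dovecot-style auth-failure lines (format assumed) and reports any source IP that reaches a failure threshold inside a sliding time window, together with the user names it tried.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Dovecot-style log lines; the format is assumed, not taken from the thread.
SAMPLE_LOG = """\
Jan 10 08:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.45, lip=10.0.0.2
Jan 10 08:00:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.45, lip=10.0.0.2
Jan 10 08:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.45, lip=10.0.0.2
Jan 10 08:00:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=203.0.113.45, lip=10.0.0.2
Jan 10 08:00:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<support>, method=PLAIN, rip=203.0.113.45, lip=10.0.0.2
Jan 10 08:01:00 mail dovecot: imap-login: Login: user=<juri>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2
Jan 10 08:02:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<juri>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2
"""

# Matches only failed logins: syslog timestamp, the "auth failed" marker, the user tried and the remote IP (rip=).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: .*auth failed.*"
    r"user=<(?P<user>[^>]*)>.*rip=(?P<ip>[0-9a-fA-F.:]+)"
)

def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, ip, user) for every failed-auth line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines carry no signal here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events

def find_offenders(log_text, max_fails=5, window=timedelta(minutes=10)):
    """Group failures by source IP and report each IP that reaches max_fails
    inside any sliding window of length `window`; a single typo does not qualify."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    offenders = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale attempts
            if end - start + 1 >= max_fails:
                users = sorted({u for _, u in attempts})
                offenders[ip] = {"failures": len(attempts), "users": users}
                break
    return offenders

if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
```

Many distinct user names from one IP is the enumeration pattern the thread describes; the output is a candidate list for the upstream firewall rule, not an automatic block.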

That is a bit ambiguous;
You can set an smtp-host for notification in the cluster-admin Setting > Email notifications.
The ambiguous part is whether you have to set an smtp-host if you want to use the smtp-host installed on the cluster. (I’m in a test stage, so I configured the smtp-host of the running NS7 box…)

Hi @all,

In my opinion, this is not necessary. I am also testing NS8 here and have installed and configured the mail server function. In Nextcloud, I have stored the NS8 mail server for the notifications. That also works.

However, I would like to point out that NS8 is still beta despite all the temptation. So it can be quite risky to put it on the Internet with your bare butt.

Regards…

Uwe


Thank you all for the support you have given me.

@transocean, you are right. It can be quite risky to open NS8 to the internet, so I have decided to close all authentication methods and only use Roundcube for managing emails, at least for now.

Fail2ban cough cough…