Block brute force attack from Plesk firewall

Issue: The SMTP service on the server has been receiving unauthorised brute-force requests.

Update 1: The following log entries were found in the maillog on the server:

May 15 12:13:44 host plesk_saslauthd[11425]: No such user '[email protected]' in mail authorization database
May 15 12:13:44 host plesk_saslauthd[11425]: failed mail authentication attempt for user '[email protected]' (password len=6)
May 15 12:13:44 host postfix/smtpd[10387]: warning: unknown[46.148.40.175]: SASL LOGIN authentication failed: authentication failure
May 15 12:18:09 host plesk_saslauthd[11996]: No such user '[email protected]' in mail authorization database
May 15 12:18:09 host plesk_saslauthd[11996]: failed mail authentication attempt for user '[email protected]' (password len=8)
May 15 12:18:09 host postfix/smtpd[11184]: warning: unknown[80.94.95.242]: SASL LOGIN authentication failed: authentication failure

Update 2: The log shows that the server was under brute-force attack from the 46.148.40.0/24 and 80.94.95.0/24 IP address ranges.
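
One way to derive such ranges from the maillog instead of reading them off by eye, as an added example that is not part of the original article: it counts failed SASL logins per /24 and reports the ranges at or above a threshold. The function names, the threshold of 2 and the sample log are assumptions made for illustration, and only IPv4 clients are handled.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two postfix/smtpd lines from the excerpt above,
# repeated with later timestamps, plus lines from a documentation address.
SAMPLE_LOG = """\
May 15 12:13:44 host postfix/smtpd[10387]: warning: unknown[46.148.40.175]: SASL LOGIN authentication failed: authentication failure
May 15 12:13:51 host postfix/smtpd[10387]: warning: unknown[46.148.40.175]: SASL LOGIN authentication failed: authentication failure
May 15 12:18:09 host postfix/smtpd[11184]: warning: unknown[80.94.95.242]: SASL LOGIN authentication failed: authentication failure
May 15 12:18:15 host postfix/smtpd[11184]: warning: unknown[80.94.95.242]: SASL LOGIN authentication failed: authentication failure
May 15 12:19:03 host postfix/smtpd[11201]: warning: mail.example.net[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
May 15 12:20:11 host postfix/smtpd[11210]: connect from mail.example.net[192.0.2.10]
"""

# Postfix logs a failed SMTP AUTH as "warning: host[ip]: SASL <mech> authentication failed".
FAILED_AUTH = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([0-9.]+)\]: SASL \S+ authentication failed"
)


def failed_auth_ips(log_text):
    """Yield the client IPv4 address of every failed SASL login line."""
    for line in log_text.splitlines():
        match = FAILED_AUTH.search(line)
        if not match:
            continue
        try:
            yield ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:
            continue  # malformed address in the log line, skip it


def noisy_ranges(log_text, prefix=24, threshold=2):
    """Count failures per /prefix network; return those at or above threshold."""
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        for ip in failed_auth_ips(log_text)
    )
    hits = [(str(net), n) for net, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for network, failures in noisy_ranges(SAMPLE_LOG):
        print(f"{failures:5d} failed logins from {network}")
```

Review each reported range before denying it: a /24 rule on port 25 also drops mail from every other host in that range.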

Resolution:

Step 1: Install the Plesk Firewall extension by following the KB article below:

https://support.plesk.com/hc/en-us/articles/12377540171799-How-to-install-Plesk-Firewall

Step 2: Click on the Plesk Firewall extension, then click on the "+" sign to create a custom Plesk firewall rule.

Step 3: Create a custom firewall rule that denies SMTP connections on port "25" from the brute-force IP ranges, as shown in the screenshot below.

   



Article ID: 1594
Last updated: 15 May, 2023
Revision: 4
https://kb.diadem.in/block-brute-force-attack-from-plesk-firewall_1594.html