Jean-Philippe,
Thank you - I will set Findtime and Bantime higher in fail2ban and see if it catches more IPs.
Does setting E-mail settings - IMAP server access - to local - block port 465 to the external world/interface?
the change on IMAP will do nothing on your /var/log/sqpsmtpd/current logged attack on port 465, it will only act on the IMAP service logged there /var/log/dovecot/current
do you have any user using email outside of your lan ?
if you want to remove those attacks totally, you have to disable authentication on port 465 and on port 25 for public.
the panel only allows you to:
- disable auth completely for smtp (25) and smtps (465) both on public and private side (internet and lan)
- allow auth on both on public and private sides
- allow auth only on port 465 on public and private side
config setprop sqpsmtpd access private
config setprop qpsmtpd Authentication disabled
signal-event email-update
while I do not recommend it, this will prevent auth from outside by closing port 465 and removing auth from port 25 while leaving auth on port 465 from lan and incoming email from internet on port 25.
then if you want to limit other password bruteforce, disable pop and imaps from public (internet) and do not allow webmail from public (internet)
of course you will isolate your users who want to access emails when away from the lan...
so the best answer would be strong passwords, and better fail2ban rules
grep ' authentication failure for: ' /var/log/sqpsmtpd/current -A 1 |tai64nlocal |grep ' ` '| awk '{ print $7 }'|sort -u| xargs -n 1 geoiplookup | grep ' Country Edition' | sort | uniq -c | sort
176 GeoIP Country Edition: US, United States
2 GeoIP Country Edition: IP Address not found
30 GeoIP Country Edition: CA, Canada
So IPs from US and Canada and no one else.
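The one-liner above counts attacking IPs by hand; as an added example (not code from the thread or from SME Server), here is the same extraction in Python, followed by the findtime/maxretry windowing fail2ban applies before it bans. The log lines are constructed and their exact layout is assumed: a tai64n stamp, a pid, the "authentication failure for:" message, and on the next line the backtick-separated logterse record carrying the client IP, which is what the `-A 1` and `awk '{ print $7 }'` in the one-liner rely on.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed shape of /var/log/sqpsmtpd/current:
# tai64n stamp, pid, then either the auth failure message or the logterse
# line that follows it with the client IP between backticks.
SAMPLE_LOG = """\
@4000000056ad0d6a1a5e3c84 2107 auth plugin: authentication failure for: alice
@4000000056ad0d6a1a5f0000 2107 logging::logterse plugin: ` 203.0.113.7 ` mail.example.test ` ...
@4000000056ad0d6c0a000000 2108 auth plugin: authentication failure for: admin
@4000000056ad0d6c0b000000 2108 logging::logterse plugin: ` 203.0.113.7 ` mail.example.test ` ...
@4000000056ad0d6e0a000000 2109 auth plugin: authentication failure for: bob
@4000000056ad0d6e0b000000 2109 logging::logterse plugin: ` 203.0.113.7 ` mail.example.test ` ...
@4000000056ad0e100a000000 2110 auth plugin: authentication failure for: carol
@4000000056ad0e100b000000 2110 logging::logterse plugin: ` 198.51.100.9 ` other.example.test ` ...
"""

TAI64_OFFSET = (1 << 62) + 10   # libtai writes 2^62 + 10 + unix seconds
FAIL_RE = re.compile(r"^@([0-9a-f]{24}) \d+ .*authentication failure for: (\S+)")
IP_RE = re.compile(r"` (\d{1,3}(?:\.\d{1,3}){3}) `")

def tai64n_to_unix(label):
    """Seconds half of a tai64n label as unix time. tai64nlocal additionally
    subtracts a leap-second table; that does not change time differences."""
    return int(label[:16], 16) - TAI64_OFFSET

def auth_failures(log_text):
    """Yield (unix_time, user, ip) for each failure whose next line has an IP."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = FAIL_RE.match(line)
        ip = IP_RE.search(lines[i + 1]) if m else None
        if m and ip:
            yield tai64n_to_unix(m.group(1)), m.group(2), ip.group(1)

def would_ban(events, findtime, maxretry):
    """IPs with at least maxretry failures inside some findtime-second window,
    i.e. the counting rule a fail2ban jail uses before banning."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for j in range(len(stamps) - maxretry + 1):
            if stamps[j + maxretry - 1] - stamps[j] <= findtime:
                banned.add(ip)
                break
    return banned
```

Raising findtime widens the window a slow attacker must stay inside; the two calls in the test below show the same log banning 203.0.113.7 with findtime 600 and nobody with findtime 3.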
you should move to the geoip2 db, geoip was only 80% accurate in April 2018 and has not been updated since.
it is probable that your results are not accurate
here is a little script to allow you to use the new mmdblookup like we were used to with geoiplookup
you need to install libmaxminddb-devel from epel
cat bin/geoiplook
#!/bin/bash
# Print the ISO country code for every IP given on the command line,
# one per line, using the GeoLite2 country database.
for var in "$@"
do
# mmdblookup prints the value as "US" <utf8_string>; keep only the code
/usr/bin/mmdblookup --file /usr/share/GeoIP/GeoLite2-Country.mmdb --ip "$var" country iso_code |cut -d\" -f2| tr -d '\n'
echo ""
done