- 03-14-2013 #1 Just Joined!
- Join Date
- Mar 2013
- Posts
- 1
suspicious login attempts in postfix log
Hey all, hope someone can help.
I'm not really sure that I can do anything about it, but it looks like a robot is trying to gain access to my mail server. I have a lot of these in my log (not many, but still enough that I'm worried). I changed the "At sign":
Mar 14 01:29:23 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rochelle - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:24 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
Mar 14 01:29:29 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rod - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:30 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
Mar 14 01:29:36 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodent - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:37 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
Mar 14 01:29:43 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodger - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:44 server1 pop3d: Connection, ip=[::ffff:124.93.236.162]
Mar 14 01:29:51 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodolphe - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Should I do anything? Maybe change the IMAP port? I'm using the standard 143.
- 03-15-2013 #2 Just Joined!
- Join Date
- Sep 2007
- Location
- Silver Spring, MD
- Posts
- 84
Disconnect the user
Mar 14 01:29:51 server1 pop3d: IMAP connect from "At sign" [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodolphe - short names not allowed from "At sign" [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
I would suggest doing one of two things.
Do an nslookup on the IP address and find out where it is coming from:
IP Address: 124.93.236.162
IP: 124.93.236.162
Decimal: 2086530210
Hostname: 124.93.236.162
ISP: China Unicom Liaoning province network
Organization: China Unicom Liaoning province network
The next thing I would do would be to do the following:
You should see if your firewall is up and running:
Code:
iptables -L -n --line-numbers | more
Next, if it is and you have a chain called INPUT, then run this command:
Code:
iptables -I INPUT 1 -p all -s 124.93.236.162 -m multiport --dport 443 -j DROP
If you don't have an INPUT chain, then look for the input chain or something similar, something like rhel-version-input-chain. Once you do that, just change the INPUT chain I have entered to the one you found.
Or if you like you can just block everything from that IP address:
Code:
iptables -I INPUT 1 -p all -s 124.93.236.162 -j DROP
I hope this helps.
Be sure to pay attention to the chain rules.
Todd
- 03-15-2013 #3
Hi, Dahund,
Welcome aboard!
Have a look at fail2ban and OSSEC. They can both block repeated attacks from the same IP. I think fail2ban is easier to set up, but OSSEC does other good things also. Either way, you will also need to run a firewall that both packages can manipulate, which will most likely be iptables, or ip6tables in your case.
N
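As an added illustration of what fail2ban does with exactly this pop3d log format (example code written for this page, not part of the thread, of Courier or of fail2ban itself): a failregex pulls the username and client address out of each FAILED line, failures are counted per client inside a sliding time window, and any client that crosses the threshold is turned into the DROP rule Todd posted. The 192.0.2.10 line, the maxretry/findtime values and the "@" standing in for the poster's "At sign" are assumptions; note that ::ffff: addresses are IPv4-mapped, so the real peer is IPv4 and iptables, not ip6tables, is the tool that applies.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the pop3d lines quoted in the thread; the "At sign"
# the poster substituted is written as a literal "@", and the 192.0.2.10 line is
# invented (documentation address) to show an IP that stays under the threshold.
SAMPLE_LOG = """\
Mar 14 01:29:23 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rochelle - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:29 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rod - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:36 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodent - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:43 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodger - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:29:51 server1 pop3d: IMAP connect from @ [::ffff:124.93.236.162]checkmailpasswd: FAILED: rodolphe - short names not allowed from @ [::ffff:124.93.236.162]ERR: LOGIN FAILED, ip=[::ffff:124.93.236.162]
Mar 14 01:40:02 server1 pop3d: IMAP connect from @ [::ffff:192.0.2.10]checkmailpasswd: FAILED: alice - short names not allowed from @ [::ffff:192.0.2.10]ERR: LOGIN FAILED, ip=[::ffff:192.0.2.10]
"""
# fail2ban-style failregex: username after "FAILED:", peer from the trailing ip=[...]
FAILREGEX = re.compile(r"checkmailpasswd: FAILED: (?P<user>\S+) .*?ip=\[(?P<ip>[^\]]+)\]")

def normalize_ip(raw):
    # ::ffff:a.b.c.d is an IPv4-mapped address: the peer is IPv4, so iptables applies
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)

def parse_failures(log_text):
    # (timestamp, ip, user) per failed login; non-matching lines are skipped
    out = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:  # syslog stamps carry no year; fine for window arithmetic
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
            out.append((ts, normalize_ip(m.group("ip")), m.group("user")))
    return out

def ips_to_ban(failures, maxretry=5, findtime=600):
    # fail2ban semantics: ban once an IP has maxretry failures within findtime seconds
    times, banned = defaultdict(list), {}
    for ts, ip, _user in sorted(failures):
        times[ip] = [t for t in times[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(times[ip]) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned

def drop_rule(ip):
    # Todd's rule, choosing the tool by address family
    tool = "iptables" if ipaddress.ip_address(ip).version == 4 else "ip6tables"
    return f"{tool} -I INPUT 1 -s {ip} -j DROP"
```

Running `ips_to_ban(parse_failures(SAMPLE_LOG))` flags only 124.93.236.162, at the fifth failure (01:29:51), while the single failure from 192.0.2.10 stays below the threshold.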