I keep seeing this over and over again and would like to stop it before it gets to postfix. [code] netfilter-mailcow-1 | 200.37.179.83 matched rule id 3 (warning: unknown[200.37.179.83]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=shannon.kersh@dccathome.com) netfilter-mailcow-1 | 1 more attempts in the next 600 seconds until 200.37.0.0/16 is banned netfilter-mailcow-1 | 115.62.236.28 matched rule id 3 (warning: unknown[115.62.236.28]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=shannon.kersh) [/code] Now I see this. It might be a completely different issue: [code] netfilter-mailcow-1 | Exception in thread Thread-2 (autopurge): netfilter-mailcow-1 | Traceback (most recent call last): netfilter-mailcow-1 | File "/usr/lib/python3.11/threading.py", line 1045, in _bootstrap_inner netfilter-mailcow-1 | self.run() netfilter-mailcow-1 | File "/usr/lib/python3.11/threading.py", line 982, in run netfilter-mailcow-1 | self._target(*self._args, **self._kwargs) netfilter-mailcow-1 | File "/app/main.py", line 283, in autopurge netfilter-mailcow-1 | MAX_ATTEMPTS = int(f2boptions['max_attempts']) netfilter-mailcow-1 | ~~~~~~~~~~^^^^^^^^^^^^^^^^ netfilter-mailcow-1 | KeyError: 'max_attempts'' [/code]

Best way to block username attack?

maybl8

I keep seeing this over and over again and would like to stop it before it gets to postfix.

netfilter-mailcow-1  | 200.37.179.83 matched rule id 3 (warning: unknown[200.37.179.83]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=shannon.kersh@dccathome.com)
netfilter-mailcow-1  | 1 more attempts in the next 600 seconds until 200.37.0.0/16 is banned
netfilter-mailcow-1  | 115.62.236.28 matched rule id 3 (warning: unknown[115.62.236.28]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=shannon.kersh)

Now I see this. It might be a completely different issue:

netfilter-mailcow-1  | Exception in thread Thread-2 (autopurge):
netfilter-mailcow-1  | Traceback (most recent call last):
netfilter-mailcow-1  |   File "/usr/lib/python3.11/threading.py", line 1045, in _bootstrap_inner
netfilter-mailcow-1  |     self.run()
netfilter-mailcow-1  |   File "/usr/lib/python3.11/threading.py", line 982, in run
netfilter-mailcow-1  |     self._target(*self._args, **self._kwargs)
netfilter-mailcow-1  |   File "/app/main.py", line 283, in autopurge
netfilter-mailcow-1  |     MAX_ATTEMPTS = int(f2boptions['max_attempts'])
netfilter-mailcow-1  |                        ~~~~~~~~~~^^^^^^^^^^^^^^^^
netfilter-mailcow-1  | KeyError: 'max_attempts''

esackbauer

Why you want to stop it? Netfilter will eventually block it, thats its job. And you don’t want to punish legit users that enter a wrong/old password a couple of times in a row.
The other thing seems to relate to “autopurge” which unbans IPs after a certain amount of time.

maybl8

Since he is not a legitimate user and keeps trying from it seems like all different ip addresses . I wouldn’t mind banning each ip address he tries to use permanently if there was an automated way to do that.
I know it is doing its job but what if there were dozens of these kinds of attempts going on wouldn’t that put a strain on the server?

esackbauer

No, not that I am aware of. I undertake no further action and let netfilter do its job. I can see a lot of login attempts but this is barely noticeable, my CPU is always at 2-5%. In the 1,5 years I run mailcow I never experienced any strain because of this. I have more headaches about legit iOS users on ActiveSync 😉

maddler

Agree, that’s pretty much standard noise. I’ve seen quite a lot of similar behaviours lately though, with the brute force for a specific user coming from a wide number of IPs which would no trigger F2B. But, as I said, that’s pretty much background noise you can easily ignore.