I see in the SMTP log constantly failing authentications from random IPs. Can an IP be automatically banned after a few failed authentications?
I am using Axigen on Windows.
Thanks
Not from within Axigen. On Linux, you can use fail2ban, not sure if it’s been ported to Windows too.
Another alternative would be a monitoring tool that's capable of adding rules to Windows Firewall or any other firewall you use.
I found one called RdpGuard; I will give it a try, or perhaps I will write something myself. I would have expected, though, that this is part of the email server. This has been a problem for many years now. I remember having to deal with that perhaps 20 years ago when I was using the Microsoft SMTP Server.
I reopen discussion…
This is the actual situation:
Random IP with different username… Fail2Ban can’t keep control…
“Authentications error” should Greylist or Blacklist the IP at 1st try!!!
Is it possible?
2025-02-17 11:49:30 +0100 02 sssr SECURITY:SMTP-IN;00000438;162.249.163.4;52907;OP_FAIL;bounce@sssr.it;;Authentication error;Account not found locally;
2025-02-17 12:04:27 +0100 02 sssr SECURITY:SMTP-IN;0000043C;218.68.0.210;54270;OP_FAIL;info@sssr.it;;Authentication error;Invalid password;
2025-02-17 12:04:41 +0100 02 sssr SECURITY:SMTP-IN;0000043D;197.242.170.10;52738;OP_FAIL;info@sssr.it;;Authentication error;Invalid password;
2025-02-17 12:17:46 +0100 02 sssr SECURITY:SMTP-IN;00000442;57.128.19.228;50860;OP_FAIL;default@sssr.it;;Authentication error;Account not found locally;
2025-02-17 12:17:51 +0100 02 sssr SECURITY:SMTP-IN;00000443;155.133.30.196;54734;OP_FAIL;default@sssr.it;;Authentication error;Account not found locally;
2025-02-17 12:45:59 +0100 02 sssr SECURITY:SMTP-IN;00000446;183.220.241.252;36058;OP_FAIL;backup@sssr.it;;Authentication error;Account not found locally;
2025-02-17 12:46:14 +0100 02 sssr SECURITY:SMTP-IN;00000447;171.244.63.34;59517;OP_FAIL;backup@sssr.it;;Authentication error;Account not found locally;
2025-02-17 13:14:10 +0100 02 sssr SECURITY:SMTP-IN;00000448;144.217.242.147;34492;OP_FAIL;buh@sssr.it;;Authentication error;Account not found locally;
2025-02-17 13:14:29 +0100 02 sssr SECURITY:SMTP-IN;00000449;102.164.194.205;56905;OP_FAIL;buh@sssr.it;;Authentication error;Account not found locally;
2025-02-17 14:11:46 +0100 02 sssr SECURITY:SMTP-IN;00000461;223.82.241.133;59514;OP_FAIL;dev@sssr.it;;Authentication error;Account not found locally;
2025-02-17 14:11:53 +0100 02 sssr SECURITY:SMTP-IN;00000462;136.169.144.176;57176;OP_FAIL;dev@sssr.it;;Authentication error;Account not found locally;
2025-02-17 14:40:10 +0100 02 sssr SECURITY:SMTP-IN;00000476;195.191.180.254;52748;OP_FAIL;staff@sssr.it;;Authentication error;Account not found locally;
2025-02-17 14:40:32 +0100 02 sssr SECURITY:SMTP-IN;00000477;27.124.18.27;58576;OP_FAIL;staff@sssr.it;;Authentication error;Account not found locally;
2025-02-17 15:09:18 +0100 02 sssr SECURITY:SMTP-IN;0000048A;79.21.191.178;39316;OP_FAIL;ceo@sssr.it;;Authentication error;Account not found locally;
2025-02-17 15:37:49 +0100 02 sssr SECURITY:SMTP-IN;00000494;183.234.63.179;60803;OP_FAIL;sys@sssr.it;;Authentication error;Account not found locally;
2025-02-17 16:06:30 +0100 02 sssr SECURITY:SMTP-IN;000004A1;27.125.174.202;59114;OP_FAIL;pr@sssr.it;;Authentication error;Account not found locally;
2025-02-17 16:06:53 +0100 02 sssr SECURITY:SMTP-IN;000004A2;49.124.153.32;42088;OP_FAIL;pr@sssr.it;;Authentication error;Account not found locally;
2025-02-17 16:35:21 +0100 02 sssr SECURITY:SMTP-IN;000004B1;185.194.205.158;40830;OP_FAIL;tech@sssr.it;;Authentication error;Account not found locally;
2025-02-17 16:35:47 +0100 02 sssr SECURITY:SMTP-IN;000004B2;166.195.193.83;54721;OP_FAIL;tech@sssr.it;;Authentication error;Account not found locally;
2025-02-17 17:03:38 +0100 02 sssr SECURITY:SMTP-IN;000004C0;42.200.70.134;48031;OP_FAIL;sale@sssr.it;;Authentication error;Account not found locally;
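The log lines above have a regular field layout (session id; client IP; client port; OP_FAIL; account; empty; "Authentication error"; reason), so the per-IP counting that Fail2Ban would do can be reproduced directly on the Axigen log. The script below is an added example, not code from Axigen, Fail2Ban or RdpGuard: it parses SECURITY:SMTP-IN failure lines, bans an IP after a configurable number of failures inside a time window (with a separate, lower threshold for "Account not found locally", since a non-existent account is a much stronger signal than a wrong password), skips allowlisted networks, and renders Windows Firewall `netsh advfirewall` block rules as strings without running them. The sample log text is constructed for the example using documentation IP ranges; the thresholds and the `example.test` domain are assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the Axigen SECURITY:SMTP-IN format quoted in the thread
# (documentation IPs and a placeholder domain; not real log data).
SAMPLE_LOG = """\
2025-02-17 11:49:30 +0100 02 sssr SECURITY:SMTP-IN;00000438;192.0.2.10;52907;OP_FAIL;bounce@example.test;;Authentication error;Account not found locally;
2025-02-17 12:04:27 +0100 02 sssr SECURITY:SMTP-IN;0000043C;198.51.100.7;54270;OP_FAIL;info@example.test;;Authentication error;Invalid password;
2025-02-17 12:04:41 +0100 02 sssr SECURITY:SMTP-IN;0000043D;198.51.100.7;52738;OP_FAIL;info@example.test;;Authentication error;Invalid password;
2025-02-17 12:05:02 +0100 02 sssr SECURITY:SMTP-IN;0000043E;198.51.100.7;52800;OP_FAIL;info@example.test;;Authentication error;Invalid password;
2025-02-17 12:06:00 +0100 02 sssr SECURITY:SMTP-IN;0000043F;203.0.113.5;50860;OP_FAIL;default@example.test;;Authentication error;Account not found locally;
2025-02-17 14:30:00 +0100 02 sssr SECURITY:SMTP-IN;00000461;203.0.113.9;59514;OP_FAIL;dev@example.test;;Authentication error;Invalid password;
2025-02-17 14:31:00 +0100 02 sssr SECURITY:SMTP-IN;00000462;10.0.0.5;57176;OP_FAIL;dev@example.test;;Authentication error;Account not found locally;
"""


def parse_line(line):
    """Parse one SECURITY:SMTP-IN line; return None for anything that is not an auth failure."""
    line = line.strip()
    if "SECURITY:SMTP-IN;" not in line:
        return None
    head, _, rest = line.partition("SECURITY:SMTP-IN;")
    # head is "<date> <time> <tz> <level> <host> "; the first three tokens are the timestamp
    ts = datetime.strptime(" ".join(head.split()[:3]), "%Y-%m-%d %H:%M:%S %z")
    f = rest.split(";")  # [session, ip, port, OP_FAIL, account, "", "Authentication error", reason, ""]
    if len(f) < 8 or f[3] != "OP_FAIL" or f[6] != "Authentication error":
        return None
    return {"time": ts, "ip": f[1], "user": f[4], "reason": f[7]}


def decide_bans(events, window=timedelta(minutes=10), invalid_password_threshold=3,
                unknown_account_threshold=1, allowlist=()):
    """Return {ip: reason} for IPs whose failures inside `window` reach the threshold.

    Failures for accounts that do not exist use the (lower) unknown_account_threshold;
    all other failures use invalid_password_threshold. Allowlisted networks are never banned.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["ip"]
        if ip in bans:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            continue  # trusted range (e.g. office LAN), skip
        q = recent[ip]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()  # drop failures older than the window
        threshold = (unknown_account_threshold if ev["reason"] == "Account not found locally"
                     else invalid_password_threshold)
        if len(q) >= threshold:
            bans[ip] = ev["reason"]
    return bans


def firewall_block_commands(bans, rule_prefix="axigen-smtp-auth-block"):
    """Render Windows Firewall block rules for the banned IPs (strings only; nothing is executed)."""
    return [
        f'netsh advfirewall firewall add rule name="{rule_prefix}-{ip}" dir=in action=block remoteip={ip}'
        for ip in sorted(bans)
    ]


def analyze(text, **kwargs):
    """Parse log text and return the ban decisions; kwargs are passed to decide_bans."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return decide_bans(events, **kwargs)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, allowlist=["10.0.0.0/8"])
    for ip, reason in result.items():
        print(f"ban {ip}: {reason}")
    for cmd in firewall_block_commands(result):
        print(cmd)
```

Two caveats when running something like this for real: a legitimate user who mistypes their address also produces "Account not found locally", so a first-try ban on that reason should be paired with an allowlist of your own networks and a ban expiry; and the log lines in this thread show each IP used only once or twice, so per-IP counting alone will keep lagging a distributed attempt, which is why the later answer about removing authentication from port 25 altogether is the more complete fix.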
Hello,
Graylist or other "receiving" message-specific protection (like SPF or DNSBL) cannot be used for protecting against authentication abuse.
My advice is to disable authentication on port 25 (so you will keep it only for incoming messages received from other email services) and leave it enabled only on the listener(s) you really need it on (like 587 and/or 465), and re-configure your mail clients if you previously used 25 for authentication purposes.
If you would like to go in this direction, this can easily be done like this:
WebAdmin > Security & Filtering > Acceptance & Routing > Advanced Settings > Add new rule:
- Rule Name: disable-auth-on-port-25
- Condition: Local Address > Port = 25
- Actions:
** Authentication > SSL connections > disable all
** Authentication > Plain connections > disable all
and press Save Configuration.
Something like:
HTH,
Ioan
Tvm for suggestion… I tried to disable listener on port 25 but this block other features.
no, no and no !!!
listener 25 is mandatory for receiving messages from internet.
all you need to do is disable authentication on that port (listener), so any brute force against authentication will not be possible.
HTH,
Ioan
Tried … Past tense man
I learned on my shoulder… 2 weeks ago after mail hack I disabled 25 port and understood the arcane.