Possibly I have a compromised server.
E.g., at this time, Nov 22 *04:54:31*, I can guarantee this person was
sleeping (my wife).
Nov 22 *04:54:31* mail2 vpopmail[19559]: vchkpw-pop3: (PLAIN) login success [email protected]:"myserverip"
So somehow, something is logging in at that time.
There are many more accounts in the /var/log/maillog
I have ordered all accounts to change passwords, or in 24 hours, if they
fail to comply, I will run this on all email accounts:
*/home/vpopmail/bin/vpasswd [email protected] -r*
-r means "random": the server creates a random 8 digit password:
numbers, letters, symbols, upper and lower case.
Some users have already requested a Generated password, so that should
be more secure.
So, forward to getting a rebuilt server running CentOS 6.
Thanks for all your input.
Dave M

On 11/21/13 7:11 PM, Angus McIntyre wrote:

Eric Shubert wrote:
I honestly don't understand fail2ban in any detail. I wonder though, if
perhaps it's set up such that if someone's authentication fails, then it
changes iptables such that nobody can attempt to authenticate any more
(like blocking port 587 for any address). That'd be pretty bad. :(

If you get a certain number of failed authentications from a particular IP
(usually 3 or 4), it will use iptables to ban that IP from connecting to
the port in question. So 'nobody' means 'nobody at that IP', not 'nobody
in the world'.

Incidentally, when I got tired of grinders trying to guess passwords on my
toaster, I banned a bunch of Chinese class C's (banning a surprisingly
small number took care of most of the attempts I was seeing) and added a
fail2ban filter that does an insta-kill (1 attempt is enough to invoke the
rule) on anything that tries to authenticate with a username that doesn't
include a domain name. That's been pretty effective.

Angus
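
A triage sketch for the two checks discussed in this thread, as an added example that is not code from any of the posters: it lists successful vchkpw logins during quiet hours with their source IPs, and collects the sources that tried a username with no domain. The sample lines are constructed, and the two failure-line formats, the `triage` helper and the 00:00 to 05:59 quiet window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the maillog entry quoted in the thread.
# The two failure-line formats are assumptions; adjust LINE to match your logs.
SAMPLE_LOG = """\
Nov 22 04:54:31 mail2 vpopmail[19559]: vchkpw-pop3: (PLAIN) login success alice@example.com:203.0.113.7
Nov 22 09:12:02 mail2 vpopmail[20011]: vchkpw-pop3: (PLAIN) login success alice@example.com:198.51.100.20
Nov 22 09:15:40 mail2 vpopmail[20042]: vchkpw-pop3: (PLAIN) login success bob@example.com:198.51.100.21
Nov 22 03:01:17 mail2 vpopmail[19102]: vchkpw-pop3: vpopmail user not found admin@:203.0.113.99
Nov 22 03:01:19 mail2 vpopmail[19103]: vchkpw-pop3: password fail carol@example.com:203.0.113.99
"""

# timestamp, host, vpopmail[pid], service, event text, then user:source-ip
LINE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<time>(?P<hour>\d{2}):\d{2}:\d{2})\s+\S+\s+vpopmail\[\d+\]:\s+"
    r"vchkpw-(?P<svc>[\w-]+):\s+(?P<event>.*?)\s+(?P<user>[^\s:]+):(?P<ip>\S+)$"
)


def triage(log_text, quiet_hours=range(0, 6)):
    """Return (off_hours_logins, ips_by_account, no_domain_sources)."""
    off_hours = []                     # (account, ip, time) for quiet-hour successes
    ips_by_account = defaultdict(set)  # every source IP that logged in per account
    no_domain = set()                  # sources that sent a username without a domain
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a vchkpw line in the expected format
        user, ip = m["user"], m["ip"]
        if not user.partition("@")[2]:
            no_domain.add(ip)
        if m["event"].endswith("login success"):
            ips_by_account[user].add(ip)
            if int(m["hour"]) in quiet_hours:
                off_hours.append((user, ip, m["time"]))
    return off_hours, dict(ips_by_account), no_domain


if __name__ == "__main__":
    off, ips, nodom = triage(SAMPLE_LOG)
    for user, ip, when in off:
        print(f"quiet-hours login: {user} from {ip} at {when}")
    for user, seen in sorted(ips.items()):
        print(f"{user}: {len(seen)} source IP(s): {', '.join(sorted(seen))}")
    print("no-domain usernames from:", ", ".join(sorted(nodom)))
```

To check a real server, pass the contents of `/var/log/maillog` to `triage` and ask each account owner whether they recognise the listed source IPs.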