Thanks and yes, submission has been hacked also of course, but for some
reason, I see the brute force attempts directed only against smtps (at
least during the past days). As I don't use it, it's better to disable it
as then I need only to monitor submission. Changing passwords has been of
course done.

When following the fail2ban instructions one command failed:

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date`
cp: target '2022' is not a directory

Also in the qmail-smtp-authnotavail filter I see the following entry:

logpath = /var/log/qmail/smtptx/current

-> I don't have such a log file, is there a typo in the path?

I had to disable that filter as fail2ban refuses to start with it.

Best,

Peter



On Wed, Nov 2, 2022 at 5:27 AM Eric Broch <ebr...@whitehorsetc.com> wrote:

> And, the instruction on fail2ban should work fine. Submit questions to
> list.
> On 11/1/2022 8:38 PM, Remo Mattei wrote:
>
> I would change all the passwords.
>
> Remo
>
> --
> Sent from iPhone
>
> On Tuesday, Nov 01, 2022 at 14:44, Eric Broch <ebr...@whitehorsetc.com>
> wrote:
> # qmailctl stop
>
> # touch /var/qmail/supervise/smtps/log/down
>
> # touch /var/qmail/supervise/smtps/down
>
> # qmailctl start
>
> # qmailctl stat
>
> But, if they've hacked smtps then they've also hacked submission; right?
>
>
> On 11/1/2022 1:10 PM, Peter Peltonen wrote:
>
> Hi,
>
> I had an email account password guessed through auth attempts via smtps.
>
> I did not realize this as I had forgotten I had it enabled at all. I
> was looking at the submission log and scratching my head not
> understanding how messages got to the remote queue without anything in
> the submission log, until I realized smtps was enabled and it was
> logging to /var/log/maillog and not to any log under /var/log/qmail...
>
> My first question: is it safe to disable smtps, I guess I don't need
> it for anything as all my users should be using 587/submission instead?
>
> Second question: How do I disable it? Should I just
> remove /var/qmail/supervise/smtps/run file? And/or block it at
> firewall level?
>
> Third question: to prevent brute force attacks, is fail2ban the best
> option to do it? I just follow the instructions at
> http://www.qmailtoaster.com/fail2ban.html ?
>
> Best,
> Peter
>
>
>
>
>

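Added example, not part of the thread: the `cp` error reported above is what happens when the default output of `date`, which contains spaces, is substituted unquoted, so `cp` receives several arguments and treats the last one, `2022`, as the target directory. The sketch below makes a space-free timestamped backup and lists the single-line `logpath` entries in a jail file that point at files which do not exist; the function names are hypothetical and the file to check is whatever path the caller passes in.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# backup_with_stamp FILE
# Copy FILE to FILE.bak-YYYYmmdd-HHMMSS and print the backup's path.
# A fixed date format contains no spaces, and the quotes keep the
# destination a single argument even if FILE itself contains spaces.
backup_with_stamp() {
    src=$1
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="${src}.bak-${stamp}"
    cp -p -- "$src" "$dest" || return 1
    printf '%s\n' "$dest"
}

# missing_logpaths JAILFILE
# Print each single-line "logpath = PATH" value in JAILFILE whose PATH
# does not exist on disk. Commented-out lines are ignored. Values that
# use fail2ban's %(name)s interpolation are skipped, because they cannot
# be resolved without reading the rest of the configuration.
missing_logpaths() {
    sed -n 's/^[[:space:]]*logpath[[:space:]]*=[[:space:]]*//p' "$1" |
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case $path in
            *'%('*) continue ;;
        esac
        [ -e "$path" ] || printf '%s\n' "$path"
    done
}
```

Running `missing_logpaths` on the file that holds the qmail jails before restarting fail2ban shows which jail points at a log that is not there, so the path can be corrected instead of disabling the filter.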