Massive SMTP Brute Force Attack
I was wondering if anybody on the 220.127.116.11/16 netblock is noticing a massive, sustained SMTP brute force attack or if I'm the only one being targeted?
Most of the attempts are coming from Brazil, Poland and Czechia.
My mail server is completely secure: It only accepts AUTH requests from one IP address so there's zero chance of anybody actually logging in.
I'm also using fail2ban to keep track of them. Most attempts, for the last couple weeks, have been minutes to hours apart. But it has ramped up to 4-5 per minute bursts in the last few days and traffic sources are starting to spread out geographically.
So I'm not worried in the least but just wondering if I'm being singled out or if this particular campaign is a "wide" one.
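Added example (not part of the original thread): one way to quantify the shift described in the first post, from attempts minutes to hours apart to 4-5 per minute bursts from a widening set of sources. It assumes a Postfix server logging in syslog format, which the thread does not state; the sample lines, documentation-range addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Postfix syslog format (assumed MTA); IPs are documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:10:05 mail postfix/smtpd[811]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 02:47:31 mail postfix/smtpd[824]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  3 03:15:02 mail postfix/smtpd[840]: connect from unknown[192.0.2.44]
Mar  3 03:15:04 mail postfix/smtpd[840]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: authentication failure
Mar  3 03:15:17 mail postfix/smtpd[841]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 03:15:29 mail postfix/smtpd[842]: warning: unknown[198.51.100.90]: SASL LOGIN authentication failed: authentication failure
Mar  3 03:15:41 mail postfix/smtpd[843]: warning: unknown[192.0.2.45]: SASL PLAIN authentication failed: authentication failure
Mar  3 03:15:58 mail postfix/smtpd[844]: warning: unknown[203.0.113.200]: SASL LOGIN authentication failed: authentication failure
"""

# Matches only failed SASL AUTH warnings; connect/disconnect lines are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed")

def parse_failures(text, year=2024):
    """Return (datetime, source_ip) for every failed AUTH line (syslog omits the year)."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def summarize(events, burst_threshold=4):
    """Per-minute rate, burst minutes, and how widely the sources are spread."""
    per_minute = Counter(ts.replace(second=0) for ts, _ in events)
    sources = {ip for _, ip in events}
    # Group distinct sources by /16 to see whether traffic is spreading out.
    nets = Counter(".".join(ip.split(".")[:2]) + ".0.0/16" for ip in sources)
    return {
        "total": len(events),
        "sources": len(sources),
        "peak_per_minute": max(per_minute.values(), default=0),
        "burst_minutes": sorted(m for m, n in per_minute.items() if n >= burst_threshold),
        "source_nets": dict(nets),
    }

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE_LOG)))
```

Running it on successive days of logs and comparing `peak_per_minute` and `source_nets` shows whether the campaign is ramping up or widening.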
Hi there -
Using Fail2Ban is a really good step in defending your Linode from Brute Force attacks. There are a few other things you can do as well, and I wanted to direct you to another post here in the Community that gives some good suggestions:
I wanted to draw your attention in the above-linked post specifically to the response given by our very own @watrick. You may be taking some or all of these steps currently, but I think that post is a valuable resource for anyone else who comes across this and is running into a similar issue.
As for you being the only one targeted, I checked and we haven't seen any other complaints about this today so it appears to be an isolated issue.
Since nobody can log in to SSH or mail (other than me), I'm just using fail2ban to track them. I guess it has become a hobby now :-)
I sure would like to know if I'm the only one, though. I guess I could scan port 80 on 45.79/16 and contact some others in my neighborhood.
Scanning port 80 won't give you any information at all about a mail (SMTP) attack. Besides, port scans are not nice…and could land you in someone else's fail2ban(1) jail…or reported to Linode for abuse.
> Scanning port 80 won't give you any information at all about a mail (SMTP) attack
Please keep in mind that I know exactly what I'm doing and don't need any lessons from the peanut gallery.
> or reported to Linode for abuse
I highly doubt scanning for an open port 80 is rude or abusive. An open port 80 implies that they're hosting a website and are most likely serving from a domain. If they are, I can contact them and ask if they're experiencing the same thing I am.