Page 1 of 1

qmail submission-login brute force

Posted: 16 Sep 2021, 10:56
by ServerDude
Good Morning,

We're running Interworx servers with qmail and have noticed that submission-logins aren't being blocked. Below is what the log entries look like in dovecot.log

Sep 15 11:01:23 submission-login: Info: Remote closed connection (auth failed, 1 attempts in 3 secs): user=, method=LOGIN, rip=, lip=, TLS, session=

We can sometimes see a few hundred attempts an hour from a single IP. Is there a regex for this type of attack?

Re: qmail submission-login brute force

Posted: 18 Sep 2021, 05:41
by Sergio
Hi.
You can create your own regex that should be written at /usr/local/csf/bin/regex.custom.pm

That is a nice way to block anything.