Judging by the IMAP log, we have recently been the subject of a brute force attack on our Mercury based IMAP server. The Mercury manual is a bit vague, but implies that steps are taken to temporarily (30 min) blacklist misbehaving IP addresses. There is an option to override the short term blacklist, but no description about what would trigger the block.
My concern is that there is no sign in the log that it is doing any blocking. Here is a short excerpt:
Password failure, user 'website', from 59.167.127.168
Password failure, user 'wesley', from 120.151.142.86
Connection from 211.31.199.182, Sun Feb 21 04:13:14 2016
Connection from 59.167.127.168, Sun Feb 21 04:13:14 2016
usa at 211.31.199.182: 1 sec. elapsed, connection closed Sun Feb 21 04:13:14 2016
Password failure, user 'wanson', from 59.167.127.168
Connection from 211.31.199.182, Sun Feb 21 04:13:14 2016
website at 59.167.127.168: 0 sec. elapsed, connection closed Sun Feb 21 04:13:14 2016
wesley at 120.151.142.86: 0 sec. elapsed, connection closed Sun Feb 21 04:13:14 2016
Connection from 211.31.199.182, Sun Feb 21 04:13:14 2016
Password failure, user 'webuser', from 211.31.199.182
Connection from 211.31.199.182, Sun Feb 21 04:13:14 2016
Password failure, user 'vincent', from 59.167.127.168
Connection from 120.151.142.86, Sun Feb 21 04:13:15 2016
wanson at 59.167.127.168: 1 sec. elapsed, connection closed Sun Feb 21 04:13:15 2016
Connection from 120.151.142.86, Sun Feb 21 04:13:15 2016
Password failure, user 'waters', from 211.31.199.182
Password failure, user 'vanessa', from 211.31.199.182
Connection from 120.151.142.86, Sun Feb 21 04:13:15 2016
Connection from 120.151.142.86, Sun Feb 21 04:13:15 2016
webuser at 211.31.199.182: 1 sec. elapsed, connection closed Sun Feb 21 04:13:15 2016
Password failure, user 'video', from 211.31.199.182
This suggests that multiple password attempts have been permitted within a few seconds. The 3 IP addresses implicated in the attack caused about 2.4Mb of log similar to this excerpt in about 15 minutes.
So my questions are:
Is there a defence built in against a brute force attack on the IMAP server?
Is there any evidence from this log or elsewhere I could look, that it is actually working (or definitely not working)?
If it is not working, any suggestions to auto-block IP addresses that make repeated failed login attempts would be very welcome.
Many thanks for any help
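The third question asks how to auto-block addresses that keep failing logins. The script below is an added example from the editor, not part of the original post and not a Mercury feature: it parses the log shapes visible in the excerpt above, attributes each untimestamped "Password failure" line to the nearest timestamped line, and reports any client IP that reaches a threshold of failures inside a sliding time window. The threshold (3 failures in 60 seconds, chosen so the short excerpt triggers it), the function names, and the `netsh advfirewall` block rule string are the editor's assumptions; in production you would raise the threshold and feed the output into whatever host firewall or fail2ban-style tool you run.

```python
"""Flag client IPs with repeated IMAP password failures in a Mercury log.

Added example (editor's code, not from the post or from Mercury). The
thresholds and the firewall rule format are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Trailing timestamp as Mercury writes it on "Connection from" and
# "connection closed" lines, e.g. "Sun Feb 21 04:13:14 2016".
TIMESTAMP_RE = re.compile(r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$")
FAILURE_RE = re.compile(r"^Password failure, user '([^']*)', from (\S+)$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: the lines are copied from the excerpt in the post.
SAMPLE_LOG = """\
Password failure, user 'website', from 59.167.127.168
Password failure, user 'wesley', from 120.151.142.86
Connection from 211.31.199.182, Sun Feb 21 04:13:14 2016
Connection from 59.167.127.168, Sun Feb 21 04:13:14 2016
usa at 211.31.199.182: 1 sec. elapsed, connection closed Sun Feb 21 04:13:14 2016
Password failure, user 'wanson', from 59.167.127.168
website at 59.167.127.168: 0 sec. elapsed, connection closed Sun Feb 21 04:13:14 2016
Password failure, user 'webuser', from 211.31.199.182
Password failure, user 'vincent', from 59.167.127.168
Connection from 120.151.142.86, Sun Feb 21 04:13:15 2016
Password failure, user 'waters', from 211.31.199.182
Password failure, user 'vanessa', from 211.31.199.182
webuser at 211.31.199.182: 1 sec. elapsed, connection closed Sun Feb 21 04:13:15 2016
Password failure, user 'video', from 211.31.199.182
"""


def parse_failures(lines):
    """Return [(timestamp, ip, user)] for every password failure.

    Mercury's 'Password failure' lines carry no timestamp, so each is
    attributed to the most recent timestamped line. Failures logged before
    the first timestamped line are assigned the first timestamp that appears.
    """
    events = []          # [timestamp-or-None, ip, user]
    current = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = TIMESTAMP_RE.search(line)
        if m:
            current = datetime.strptime(m.group(1), TIME_FMT)
            continue
        m = FAILURE_RE.match(line)
        if m:
            events.append([current, m.group(2), m.group(1)])
    first = next((e[0] for e in events if e[0] is not None), None)
    return [(ts if ts is not None else first, ip, user) for ts, ip, user in events]


def find_offenders(lines, max_failures=3, window_seconds=60):
    """Map each IP reaching max_failures inside window_seconds to the peak
    failure count seen in a single window (sliding window per IP)."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip, _user in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        # Evict failures that fell out of the window (skip if no timestamps at all).
        while ts is not None and q[0] is not None and \
                (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def usernames_tried(lines):
    """Sorted distinct usernames per IP; many names from one IP indicates
    username guessing rather than one user mistyping a password."""
    seen = defaultdict(set)
    for _ts, ip, user in parse_failures(lines):
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}


def block_rule(ip):
    """Windows Firewall inbound block rule for one address (assumed netsh
    syntax; printed, never executed, by this example)."""
    return ('netsh advfirewall firewall add rule name="imap-bruteforce-%s" '
            'dir=in action=block remoteip=%s' % (ip, ip))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, peak in sorted(find_offenders(lines).items()):
        print("%s: %d failures in window, users %s" % (ip, peak, usernames_tried(lines)[ip]))
        print("  " + block_rule(ip))
```

Running the script over the excerpt reports 59.167.127.168 (3 failures) and 211.31.199.182 (4 failures) as offenders while 120.151.142.86 stays under the threshold; the absence of any Mercury "blocked" or "blacklisted" line between those failures is the evidence the post is looking for that nothing upstream is throttling them.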