IMAP server protection against brute force login attack

Judging by the IMAP log, we have recently been the subject of a brute force attack on our Mercury-based IMAP server. The Mercury manual is a bit vague, but implies that steps are taken to temporarily (30 min) blacklist misbehaving IP addresses. There is an option to override the short-term blacklist, but no description of what would trigger the block.

My concern is that there is no sign in the log that it is doing any blocking. Here is a short excerpt:

Password failure, user 'website', from 59.167.127.168
Password failure, user 'wesley', from 120.151.142.86
Connection from 211.31.199.182, Sun Feb 21 04:13:14 2016
Connection from 59.167.127.168, Sun Feb 21 04:13:14 2016
usa at 211.31.199.182: 1 sec. elapsed, connection closed Sun Feb 21 04:13:14 2016
Password failure, user 'wanson', from 59.167.127.168
Connection from 211.31.199.182, Sun Feb 21 04:13:14 2016
website at 59.167.127.168: 0 sec. elapsed, connection closed Sun Feb 21 04:13:14 2016
wesley at 120.151.142.86: 0 sec. elapsed, connection closed Sun Feb 21 04:13:14 2016
Connection from 211.31.199.182, Sun Feb 21 04:13:14 2016
Password failure, user 'webuser', from 211.31.199.182
Connection from 211.31.199.182, Sun Feb 21 04:13:14 2016
Password failure, user 'vincent', from 59.167.127.168
Connection from 120.151.142.86, Sun Feb 21 04:13:15 2016
wanson at 59.167.127.168: 1 sec. elapsed, connection closed Sun Feb 21 04:13:15 2016
Connection from 120.151.142.86, Sun Feb 21 04:13:15 2016
Password failure, user 'waters', from 211.31.199.182
Password failure, user 'vanessa', from 211.31.199.182
Connection from 120.151.142.86, Sun Feb 21 04:13:15 2016
Connection from 120.151.142.86, Sun Feb 21 04:13:15 2016
webuser at 211.31.199.182: 1 sec. elapsed, connection closed Sun Feb 21 04:13:15 2016
Password failure, user 'video', from 211.31.199.182

This suggests that multiple password attempts have been permitted within a few seconds. The 3 IP addresses implicated in the attack caused about 2.4 MB of log similar to this excerpt in about 15 minutes.

So my questions are:

Is there a defence built in against a brute force attack on the IMAP server?

Is there any evidence from this log or elsewhere I could look, that it is actually working (or definitely not working)?

If it is not working, any suggestions to auto-block IP addresses that make repeated failed login attempts would be very welcome.

Many thanks for any help
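The script below is an added example, not part of the original post and not Mercury's own code. It parses the two log formats visible in the excerpt ("Connection from <ip>, <timestamp>" and "Password failure, user '<name>', from <ip>"), counts password failures per source address, and flags addresses that reach a failure threshold inside a time window, which is the evidence the poster is looking for and the input an auto-blocker needs. The sample log is constructed for the example (RFC 5737 documentation addresses, not the addresses from the real incident), the threshold and 30-minute window are assumptions, and the `netsh` command it emits assumes Mercury is running on a Windows host with Windows Firewall.

```python
import re
from collections import defaultdict
from datetime import datetime

# Mercury IMAP log formats as seen in the excerpt: the connection lines carry
# a timestamp, the password-failure lines do not.
FAILURE_RE = re.compile(r"^Password failure, user '([^']*)', from (\S+)")
CONNECT_RE = re.compile(
    r"^Connection from (\S+), (\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log modelled on the excerpt (documentation-range addresses,
# not the real attacker IPs). 198.51.100.7 sprays five usernames in two
# seconds; 192.0.2.44 is a user who mistypes a password twice, 47 minutes apart.
SAMPLE_LOG = """\
Connection from 198.51.100.7, Sun Feb 21 04:13:14 2016
Password failure, user 'website', from 198.51.100.7
Connection from 203.0.113.9, Sun Feb 21 04:13:14 2016
Password failure, user 'wesley', from 203.0.113.9
Connection from 198.51.100.7, Sun Feb 21 04:13:14 2016
website at 198.51.100.7: 0 sec. elapsed, connection closed Sun Feb 21 04:13:14 2016
Password failure, user 'wanson', from 198.51.100.7
Connection from 198.51.100.7, Sun Feb 21 04:13:15 2016
Password failure, user 'vincent', from 198.51.100.7
Connection from 198.51.100.7, Sun Feb 21 04:13:15 2016
Password failure, user 'waters', from 198.51.100.7
Connection from 198.51.100.7, Sun Feb 21 04:13:16 2016
Password failure, user 'vanessa', from 198.51.100.7
Connection from 192.0.2.44, Sun Feb 21 04:13:20 2016
Password failure, user 'alice', from 192.0.2.44
Connection from 192.0.2.44, Sun Feb 21 05:00:00 2016
Password failure, user 'alice', from 192.0.2.44
"""


def summarise(lines):
    """Per-IP counters: failures, distinct usernames tried, first/last connection time."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        line = line.rstrip("\r\n")
        m = FAILURE_RE.match(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
            continue
        m = CONNECT_RE.match(line)
        if m:
            ip, ts = m.groups()
            when = datetime.strptime(ts, TS_FORMAT)
            s = stats[ip]
            s["first"] = when if s["first"] is None else min(s["first"], when)
            s["last"] = when if s["last"] is None else max(s["last"], when)
    return stats


def offenders(lines, max_failures=5, window_seconds=1800):
    """Return (ip, failures, distinct_users) for addresses with at least
    max_failures failures whose connections all fall within window_seconds.
    Failure lines have no timestamp, so the window is measured on the
    address's connection lines; an address with none is judged on count alone."""
    hits = []
    for ip, s in summarise(lines).items():
        if s["failures"] < max_failures:
            continue
        if s["first"] is not None and (s["last"] - s["first"]).total_seconds() > window_seconds:
            continue  # many failures, but spread over longer than the window
        hits.append((ip, s["failures"], len(s["users"])))
    hits.sort(key=lambda h: (-h[1], h[0]))
    return hits


def netsh_block_rule(ip, port=143):
    """Windows Firewall rule blocking the offender on the IMAP port (assumes a Windows host)."""
    return (f'netsh advfirewall firewall add rule name="Block IMAP brute force {ip}" '
            f'dir=in action=block protocol=TCP localport={port} remoteip={ip}')


if __name__ == "__main__":
    for ip, failures, users in offenders(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {failures} failures against {users} distinct usernames")
        print("  " + netsh_block_rule(ip))
```

Run against the real log with `offenders(open("imap.log").read().splitlines())`; if the flagged addresses keep appearing in fresh "Connection from" lines well after their first burst, the server's own 30-minute blacklist is not engaging. Two caveats: the per-address threshold is blind to an attacker who spreads one attempt per address across many hosts, so the distinct-username count is worth watching on its own, and any automatic `netsh` blocking should whitelist the addresses your own users connect from.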