While checking the mail log file, /var/log/maillog, on an email server today, I noticed an attempted login from an IP address in an address range I didn't recognize. The entry in the log file contained the following text:
I checked the country associated with the 94.136.51.56 IP address (ds7247.dedicated.turbodns.co.uk) with geoiplookup (you can install the GeoIP package on a CentOS Linux system with yum install GeoIP) and found it was an address assigned to an entity in Great Britain.

$ geoiplookup 94.136.51.56
GeoIP Country Edition: GB, United Kingdom
$
When I checked the DShield page for the IP address at IP Info: 94.136.51.56, I found that others had also reported similar attempts at unauthorized access on the POP3 port, port 110.
External Threat Feeds
This data was retrieved from various external threat feeds.

First Seen    Last Seen     Feed
2017-09-15    2017-09-22    Port 110 Scanner
2017-09-15    2017-09-22    Port 143 Scanner
2017-09-15    2017-09-21    Port 25 Scanner
2017-09-15    2017-09-22    Port 993 Scanner
2017-09-15    2017-09-22    courier imap attacker
I also found that espMail was listing the IP address at their espMail Banned IPs webpage for failed SMTP logins where they note:
These IPs are banned because they have been used in brute force attacks against us.
The most common type of brute force attack is an attempt to login via SSH. The second most common brute force attack is to login to a POP3 mail account.
espMail is a "small business that specialises in Internet mail solutions for other small businesses."
I checked the fail2ban log on the system, but didn't see any entries for the IP address there, though I did see 47 failed login attempts in today's /var/log/maillog file.

# grep 94.136.51.56 /var/log/fail2ban.log
# grep '94.136.51.56' /var/log/maillog | grep -c 'Login failed'
47
#
All of the login failures were for "Plaintext authentication disabled" entries.
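As an added example (not part of the original post), here is a small Python script that generalises the single-address grep -c count above to every source address in the log, breaking the failures down by reason and by the usernames tried, which is the quickest way to tell one user's typo from a brute-force run. The log lines, the field layout (a "rip=" remote-IP field) and the second address 192.0.2.10 are constructed for the example and would need adjusting to the real server's format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a POP3/IMAP login log (not taken
# from the original post). 94.136.51.56 is the address discussed on the page;
# 192.0.2.10 is a documentation-range address standing in for a normal user.
SAMPLE_MAILLOG = """\
Sep 22 09:01:12 mail pop3-login: Login failed: Plaintext authentication disabled, user=<admin>, rip=94.136.51.56
Sep 22 09:01:15 mail pop3-login: Login failed: Plaintext authentication disabled, user=<test>, rip=94.136.51.56
Sep 22 09:01:19 mail pop3-login: Login failed: Plaintext authentication disabled, user=<info>, rip=94.136.51.56
Sep 22 09:05:44 mail imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10
Sep 22 09:06:02 mail imap-login: Login failed: wrong password, user=<alice>, rip=192.0.2.10
"""

# Matches only failed logins; captures the reason, the attempted user and
# the remote IP (the assumed "rip=" field in the constructed format above).
FAIL_RE = re.compile(
    r"Login failed: (?P<reason>[^,]+), user=<(?P<user>[^>]*)>, "
    r"rip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def failure_summary(log_text):
    """Per source IP: total failures, a Counter of failure reasons and the
    set of usernames tried. Generalises the page's single-IP grep -c count
    to every address in the log at once."""
    summary = defaultdict(lambda: {"total": 0, "reasons": Counter(), "users": set()})
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        entry = summary[m.group("ip")]
        entry["total"] += 1
        entry["reasons"][m.group("reason")] += 1
        entry["users"].add(m.group("user"))
    return dict(summary)

def suspicious_sources(log_text, threshold=10):
    """IPs whose failure count reaches the threshold, busiest first. Many
    failures across several usernames from one address is the brute-force
    pattern the page describes; one failure for one user is usually a typo."""
    summary = failure_summary(log_text)
    hits = [ip for ip, e in summary.items() if e["total"] >= threshold]
    return sorted(hits, key=lambda ip: -summary[ip]["total"])

if __name__ == "__main__":
    for ip, e in failure_summary(SAMPLE_MAILLOG).items():
        print(ip, e["total"], dict(e["reasons"]), sorted(e["users"]))
    print("review:", suspicious_sources(SAMPLE_MAILLOG, threshold=3))
```

On a real system, read the file instead of the constructed string and feed the addresses returned by suspicious_sources to geoiplookup or a fail2ban jail for review.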