I have noticed in my tail -f /var/log/mail.log that someone is attempting to log in via IMAP to my MIAB server with login credentials for a domain that I host somewhere else (myotherdomain.co.uk instead of myotherdomain.uk):
imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=name@myotherdomain.co.uk, method=PLAIN, rip=5.188.11.11, lip=xxx.xxx.xxx.xxx, TLS, session=<cAUMhbNc/wAFvAsL>
So I am curious, is there any way to find out what passwords are used to authenticate?
I have also tried blocking the whole subnet (rule 25), but I am still seeing this in mail.log, so ufw should have blocked it …
root@box:~# sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN Anywhere
[ 2] 53 ALLOW IN Anywhere
[ 3] 25/tcp ALLOW IN Anywhere
[ 4] 587 ALLOW IN Anywhere
[ 5] 993 ALLOW IN Anywhere
[ 6] 995 ALLOW IN Anywhere
[ 7] 4190/tcp ALLOW IN Anywhere
[ 8] 80 ALLOW IN Anywhere
[ 9] 443 ALLOW IN Anywhere
[10] Anywhere DENY IN 103.199.161.40
[11] Anywhere DENY IN 118.68.57.80
[12] Anywhere DENY IN 211.72.217.11
[13] Anywhere DENY IN 181.192.60.23
[14] Anywhere DENY IN 182.72.206.74
[15] Anywhere DENY IN 92.207.194.176
[16] Anywhere DENY IN 89.248.162.247
[17] Anywhere DENY IN 91.208.99.2
[18] Anywhere DENY IN 208.100.26.233
[19] Anywhere DENY IN 210.65.114.3
[20] Anywhere DENY IN 164.132.206.86
[21] Anywhere DENY IN 61.69.108.150
[22] Anywhere DENY IN 5.188.11.11
[23] Anywhere DENY IN 89.146.35.189
[24] Anywhere DENY IN 117.54.4.124
[25] Anywhere DENY IN 5.188.86.0/24
[26] Anywhere DENY IN 187.183.168.89
[27] 22 (v6) ALLOW IN Anywhere (v6)
[28] 53 (v6) ALLOW IN Anywhere (v6)
[29] 25/tcp (v6) ALLOW IN Anywhere (v6)
[30] 587 (v6) ALLOW IN Anywhere (v6)
[31] 993 (v6) ALLOW IN Anywhere (v6)
[32] 995 (v6) ALLOW IN Anywhere (v6)
[33] 4190/tcp (v6) ALLOW IN Anywhere (v6)
[34] 80 (v6) ALLOW IN Anywhere (v6)
[35] 443 (v6) ALLOW IN Anywhere (v6)
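An added example, not code from the original post or from the MIAB project, that checks the quoted imap-login line against the quoted ufw listing. ufw evaluates numbered rules top-down and the first match wins, so a DENY that sits below "993 ALLOW IN Anywhere" never sees an IMAPS connection; and 5.188.11.11 is outside 5.188.86.0/24, so rule 25 does not cover it in any case. The script parses both outputs, reports which rule actually matches port 993 for each source address, which DENY rules would cover it, and what the outcome would be with the DENY rules moved above the ALLOWs. The second log line (rip=5.188.86.77) and the syslog prefixes are constructed; the ufw rows are an excerpt of the post's listing; only IPv4 rules are evaluated.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the post's `ufw status numbered` output (rule numbers are the post's);
# one IPv6 row is kept to show that it is skipped.
UFW_STATUS = """\
[ 1] 22                         ALLOW IN    Anywhere
[ 3] 25/tcp                     ALLOW IN    Anywhere
[ 5] 993                        ALLOW IN    Anywhere
[ 6] 995                        ALLOW IN    Anywhere
[22] Anywhere                   DENY IN     5.188.11.11
[25] Anywhere                   DENY IN     5.188.86.0/24
[31] 993 (v6)                   ALLOW IN    Anywhere (v6)
"""

# Constructed sample: the first line follows the post's imap-login line; the second
# (rip=5.188.86.77) is made up so that the /24 rule gets exercised as well.
MAIL_LOG = """\
Mar  3 10:12:01 box dovecot: imap-login: Info: Disconnected (auth failed, 1 attempts in 5 secs): user=name@myotherdomain.co.uk, method=PLAIN, rip=5.188.11.11, lip=203.0.113.10, TLS, session=<cAUMhbNc/wAFvAsL>
Mar  3 10:13:44 box dovecot: imap-login: Info: Disconnected (auth failed, 3 attempts in 12 secs): user=name@myotherdomain.co.uk, method=PLAIN, rip=5.188.86.77, lip=203.0.113.10, TLS, session=<constructed>
"""

LOG_RE = re.compile(r"imap-login: .*?user=(?P<user>[^,]+), method=(?P<method>\w+), rip=(?P<rip>[0-9.]+)")
RULE_RE = re.compile(r"\[\s*(\d+)\]\s+(\S+)\s+(ALLOW|DENY)\s+IN\s+(\S+)")


@dataclass
class Rule:
    number: int
    action: str                 # ALLOW or DENY
    port: Optional[int]         # None = any port
    proto: Optional[str]        # None = any protocol
    src: ipaddress.IPv4Network  # "Anywhere" becomes 0.0.0.0/0


def parse_ufw(text):
    """Turn `ufw status numbered` rows into Rule objects, in listing order (IPv4 only)."""
    rules = []
    for line in text.splitlines():
        if "(v6)" in line:
            continue
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, to, action, frm = m.groups()
        port = proto = None
        if to != "Anywhere":
            p, _, pr = to.partition("/")      # "25/tcp" -> port 25, proto tcp
            port, proto = int(p), (pr or None)
        src = ipaddress.ip_network("0.0.0.0/0" if frm == "Anywhere" else frm, strict=False)
        rules.append(Rule(int(num), action, port, proto, src))
    return rules


def first_match(rules, rip, dst_port, proto="tcp"):
    """ufw semantics: walk the rules in order and return the first one that matches."""
    ip = ipaddress.ip_address(rip)
    for r in rules:
        if r.port is not None and r.port != dst_port:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if ip in r.src:
            return r
    return None


def parse_log(text):
    """Yield (user, rip) for every imap-login auth line in the log text."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("user"), m.group("rip")


def audit(log_text, ufw_text, dst_port=993):
    """For each source address seen in the log: which rule fires now, which DENY rules
    cover the address, and which rule would fire if the DENYs were listed first."""
    rules = parse_ufw(ufw_text)
    denies_first = [r for r in rules if r.action == "DENY"] + [r for r in rules if r.action == "ALLOW"]
    report = []
    for user, rip in parse_log(log_text):
        now = first_match(rules, rip, dst_port)
        fixed = first_match(denies_first, rip, dst_port)
        report.append({
            "user": user,
            "rip": rip,
            "current_rule": now.number if now else None,
            "current_action": now.action if now else "DEFAULT",
            "deny_rules_covering": [r.number for r in rules
                                    if r.action == "DENY" and ipaddress.ip_address(rip) in r.src],
            "after_reorder_rule": fixed.number if fixed else None,
            "after_reorder_action": fixed.action if fixed else "DEFAULT",
        })
    return report


def fix_commands(rules):
    """`ufw insert 1 ...` places a rule at the top, ahead of every ALLOW (the old
    numbered DENY rules then need `ufw delete <n>` so they are not duplicated)."""
    out = []
    for r in rules:
        if r.action == "DENY":
            src = str(r.src.network_address) if r.src.prefixlen == 32 else str(r.src)
            out.append(f"ufw insert 1 deny from {src}")
    return out


if __name__ == "__main__":
    for row in audit(MAIL_LOG, UFW_STATUS):
        print(row)
    print("\n".join(fix_commands(parse_ufw(UFW_STATUS))))
```

Running it shows both addresses hitting rule 5 (ALLOW) on port 993 today, with rule 22 and rule 25 respectively only becoming effective once they are placed above the ALLOW rules; a port with no ALLOW listed earlier (4190 in this excerpt) is already denied for 5.188.11.11 by rule 22, which is why host-wide DENYs appended at the end look like they work for some services and not others.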