Someone trying to hijack my domain and emails?

Hello… I have been running a Mail-in-a-Box server for a little over 4 years now. I’m currently on v0.48 on Ubuntu 18.04.5.

Recently my box has been getting a lot more attention. So I let the ban hammer fly in fail2ban. There are only 2 users on my box. This was working great with no problems.

But a couple of days ago I noticed brute-force attempts coming from IP addresses that are physically co-located on the same host server as my box, e.g. if I’m on IP 111.222.111.5 the attacks are coming from 111.222.111.8, and the whois matches my host. I reported it to my host, of course.

But now here is the problem, and I’m not sure it’s even a problem. I woke up to emails from the G Suite team stating “welcome to G Suite” etc. etc., and “please verify your domain” etc. I opened a support ticket asking Google to ban this account and not let it go through. They stated that as long as they can’t verify the domain, Google will auto-delete the account after 9 days. Fair enough.

So my question (because I don’t know what I don’t know): what are all the ways they could verify ownership of my domain?

I bought my domain from a major registrar, but my box is hosted by the first recommended host in the Mail-in-a-Box setup. So I’m just a drop in the bucket… so to speak.

Where do I need to look and tighten security so they can’t verify the domain and activate G Suite? This is all a foreign language for me. I’m very Linux-savvy, but I am NOT intelligent at all when it comes to DNS, nameservers, MX records, etc.

Everything still seems to be running perfectly and securely; I just want to be sure I don’t do something that could allow them to verify and then route all emails through their G Suite account.

Thx

SpookyWatcher

How many domains do you use/host on the box?

Is it not the issue of someone gaining access to your account at your domain name provider?

Only one domain. And correct, as far as I know it’s only them trying to redirect the MX records to Google G Suite.

But I have no idea how Mail-in-a-Box handles the DNS and MX records internally, and what someone would have to do to gain access to that. I’m fairly confident that my login and glue records at my registrar are safe with TOTP. I’m fairly confident that my host login is safe with 2FA. I’m fairly certain my server SSH is locked down with no root, no password, and an IP whitelist. I’m just not sure if there is another way for them to “verify” the domain to gain control, e.g. the admin control panel on the box. This is all new to me.

Since Mail-in-a-Box does DNS and MX records internally, could they redirect within the box.xyz.com/admin panel if they gained access to it? And are there any other ways, other than my registrar or host, to redirect the MX records?

I’m just worried about what I don’t know, and just trying to nail down all the ways they could possibly change the DNS and/or MX records.

Thx very much.
All help is truly appreciated.

SpookyWatcher
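To make the question concrete: the places an outsider would need to plant something to pass Google's documented verification methods are the domain's DNS zone (a `google-site-verification=` TXT record, a CNAME to `dv.googlehosted.com`, or MX records pointing at Google's mail hosts) and the domain's web root (a `google<hex>.html` file or a `google-site-verification` meta tag on the homepage). On a Mail-in-a-Box both the zone and the static web root live on the box itself and are edited through the admin panel, so those are the two things to snapshot and watch. The script below is an added example, not part of the original thread or of Mail-in-a-Box; it audits a constructed snapshot of the records and files you would collect with `dig +short` and a listing of the web root, and the domain, hosts and tokens in it are hypothetical.

```python
import re

# Constructed snapshot standing in for `dig +short example.com TXT`,
# `dig +short example.com MX`, `dig +short <label>.example.com CNAME`,
# a listing of the web root, and the homepage HTML.  Everything here is
# hypothetical: the domain, the hosts and the verification tokens.
SUSPICIOUS_SNAPSHOT = {
    "txt": ['"v=spf1 mx -all"', '"google-site-verification=Q7xZ2k9fExampleToken"'],
    "mx": ["10 box.example.com.", "1 aspmx.l.google.com."],
    "cname": {"gvabcd1234.example.com.": "gv-abcd1234.dv.googlehosted.com."},
    "webroot": ["index.html", "google0123abcd4567ef89.html"],
    "index_html": '<html><head><meta name="google-site-verification" '
                  'content="Q7xZ2k9fExampleToken"></head><body>ok</body></html>',
}

# Same shape, but what a healthy single-box setup looks like.
CLEAN_SNAPSHOT = {
    "txt": ['"v=spf1 mx -all"', '"v=DMARC1; p=quarantine"'],
    "mx": ["10 box.example.com."],
    "cname": {},
    "webroot": ["index.html"],
    "index_html": "<html><head><title>example.com</title></head><body>ok</body></html>",
}

# The only MX host that should ever appear for the domain (lower-case, with
# the trailing dot as dig prints it).  Hypothetical host name.
EXPECTED_MX = {"box.example.com."}

# Markers used by Google's verification methods.
TXT_TOKEN = re.compile(r'^"?google-site-verification=', re.I)
CNAME_TARGET = re.compile(r'\.dv\.googlehosted\.com\.?$', re.I)
HTML_FILE = re.compile(r'^google[0-9a-f]+\.html$', re.I)
META_TAG = re.compile(r'<meta\s+name=["\']google-site-verification["\']', re.I)


def audit(snapshot, expected_mx):
    """Return a list of (vector, evidence) pairs; an empty list means clean."""
    findings = []
    for rec in snapshot["txt"]:
        if TXT_TOKEN.search(rec):
            findings.append(("dns-txt", rec))
    for rec in snapshot["mx"]:
        # dig prints MX as "<priority> <host>"; any host not ours is a redirect.
        _priority, host = rec.split(None, 1)
        if host.lower() not in expected_mx:
            findings.append(("dns-mx", rec))
    for name, target in snapshot["cname"].items():
        if CNAME_TARGET.search(target):
            findings.append(("dns-cname", f"{name} -> {target}"))
    for fname in snapshot["webroot"]:
        if HTML_FILE.match(fname):
            findings.append(("web-file", fname))
    if META_TAG.search(snapshot["index_html"]):
        findings.append(("web-meta", "google-site-verification meta tag on homepage"))
    return findings


if __name__ == "__main__":
    for label, snap in (("suspicious", SUSPICIOUS_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(label, audit(snap, EXPECTED_MX))
```

Run it against real output by replacing the constructed dictionary with what `dig` and `ls` give you, and run it from cron so a new TXT record or a new file in the web root is noticed the day it appears rather than when the welcome email arrives. Note that the MX check is the one that matters for mail: the other markers prove ownership of the domain, but only an MX pointing away from the box actually reroutes delivery.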

This is why there should be an option to specify the admin URL and webmail URL to use at the time of installation. The admin page is open to brute-force attacks; hopefully this will be implemented soon.


I think one of the main vulnerabilities could be Nextcloud or the web access.
So maybe block/restrict access (per IP address) to ports 80/443 and see who that offending IP is and how it is trying to connect.

I have found an interesting project run by CZ NIC called Honeypot as a Service (HaaS):
https://haas.nic.cz/
Maybe give it a try as well.

I can certainly block ports 80/443 at the UFW level. But do you mean using Fail2Ban with a custom jail, so there is a log?

Thank You.

Spooky
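A custom jail is just a failregex over a log the box already writes plus fail2ban's counting rule: ban a host once it produces `maxretry` matches within `findtime`. The following is an added example, not code from the thread or from Mail-in-a-Box or fail2ban; it replays that counting rule over a few constructed nginx access-log lines so you can see what a jail on the admin panel would and would not catch. The `/admin/login` path and the addresses are hypothetical, and the `failregex` in the comment is the author's guess at the fail2ban form of the same pattern and has not been run through fail2ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed nginx access-log lines (combined format).  The admin login
# path, the hosts and the user agents are hypothetical.  403 = rejected
# credentials; 200 = a real login.
LOG_LINES = """\
111.222.111.8 - - [02/Nov/2020:06:13:01 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "curl/7.68.0"
111.222.111.8 - - [02/Nov/2020:06:13:02 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "curl/7.68.0"
203.0.113.9 - - [02/Nov/2020:06:13:05 +0000] "POST /admin/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"
111.222.111.8 - - [02/Nov/2020:06:13:03 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "curl/7.68.0"
111.222.111.8 - - [02/Nov/2020:06:13:04 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "curl/7.68.0"
111.222.111.8 - - [02/Nov/2020:06:13:05 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "curl/7.68.0"
198.51.100.4 - - [02/Nov/2020:06:20:00 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "python-requests/2.22"
198.51.100.4 - - [02/Nov/2020:06:35:00 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "python-requests/2.22"
198.51.100.4 - - [02/Nov/2020:06:50:00 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "python-requests/2.22"
198.51.100.4 - - [02/Nov/2020:07:05:00 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "python-requests/2.22"
198.51.100.4 - - [02/Nov/2020:07:20:00 +0000] "POST /admin/login HTTP/1.1" 403 27 "-" "python-requests/2.22"
"""

# Python form of the failregex: one rejected POST to the admin login.
# The fail2ban equivalent (assumption, untested) would be roughly
#   failregex = ^<HOST> - \S+ \[\] "POST /admin/login[^"]*" 403
# since fail2ban strips the timestamp before matching.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /admin/login[^"]*" 403 '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return hosts that hit `maxretry` failures inside a sliding `findtime`
    window, in the order they crossed the threshold (fail2ban's jail rule)."""
    window = defaultdict(deque)   # host -> timestamps of recent failures
    banned = []
    for line in lines.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                 # successful logins and other URLs don't count
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        recent = window[host]
        recent.append(ts)
        while recent and ts - recent[0] > findtime:
            recent.popleft()         # forget failures older than the window
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("10-minute window:", find_bans(LOG_LINES))
    print("2-hour window:  ", find_bans(LOG_LINES, findtime=timedelta(hours=2)))
```

With the default `maxretry = 5` and `findtime = 10m` only the noisy neighbour at 111.222.111.8 is banned; the second host spaces its attempts 15 minutes apart and never trips the jail. That is the caveat with any fail2ban jail: a low-and-slow attacker stays under the threshold, so widen `findtime` (the 2-hour run catches both) or pair the jail with an IP allow-list on the admin panel rather than relying on banning alone.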

As a suggestion, you can add an iptables rule at the top of iptables, before ufw. See the info on how to add GeoIP rules; it should be good to add a rule before ufw to allow only SSH and web access to IPs from your country. I’m using this on some VPSes and it is very effective. (Remember to add a script to cron with @reboot, and take care not to ban yourself.)
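The two practical details in that suggestion are ordering and lockout. ufw installs its own chains and jumps to them from `INPUT`, so a rule inserted with `iptables -I INPUT 1` is evaluated before anything ufw does; and because such rules are not persisted, they have to be re-applied from an `@reboot` cron entry. The script below is an added example, not the poster's script or anything from Mail-in-a-Box or ufw: it turns a country CIDR list into an `ipset` plus two `INPUT` rules, collapses adjacent ranges, and refuses to emit a rule set that would not cover the address you administer from. The CIDR list and the admin address are constructed (documentation prefixes); a real run would read your country's zone file instead.

```python
import ipaddress

# Constructed stand-in for a downloaded country CIDR list; these are
# documentation prefixes, not a real country allocation.
COUNTRY_CIDRS = ["203.0.113.0/24", "198.51.100.0/25", "198.51.100.128/25"]
ADMIN_IP = "203.0.113.7"   # hypothetical: the address you SSH in from


def build_rules(cidrs, admin_ip, ports=(22, 80, 443), setname="geo_allow"):
    """Return the ipset/iptables commands, in the order they must be run,
    that allow the listed ports only from `cidrs` ahead of ufw's chains.
    Raises ValueError rather than produce a rule set that locks you out."""
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))
    admin = ipaddress.ip_address(admin_ip)
    if not any(admin in n for n in nets):
        raise ValueError(
            f"{admin_ip} is not inside the allow-list; refusing to generate rules"
        )
    portlist = ",".join(str(p) for p in ports)
    cmds = [f"ipset create {setname} hash:net -exist", f"ipset flush {setname}"]
    cmds += [f"ipset add {setname} {n} -exist" for n in nets]
    # Both rules go in at position 1 of INPUT so they precede ufw's jumps.
    # The DROP is inserted first, then the admin ACCEPT, so after both run
    # the ACCEPT sits at position 1 and the DROP at position 2.
    cmds.append(
        f"iptables -I INPUT 1 -p tcp -m multiport --dports {portlist} "
        f"-m set ! --match-set {setname} src -j DROP"
    )
    cmds.append(
        f"iptables -I INPUT 1 -p tcp -m multiport --dports {portlist} "
        f"-s {admin_ip} -j ACCEPT"
    )
    return cmds


if __name__ == "__main__":
    # Emit a script suitable for `@reboot /usr/local/sbin/geo-allow.sh` in cron
    # (hypothetical path); review it before wiring it up.
    print("#!/bin/sh\nset -e")
    for cmd in build_rules(COUNTRY_CIDRS, ADMIN_IP):
        print(cmd)
```

Two caveats before using something like this. The rules above are IPv4 only; if the box has an IPv6 address, the same allow-list has to be built as an `inet6` ipset with matching `ip6tables` rules, or the geo filter is simply bypassed over v6. And a country allow-list does nothing about the case in this thread, where the attacking addresses sit in the same provider range as the box; for those, the explicit per-IP ban from fail2ban or ufw is still needed.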

I love this suggestion. I’ll work on it. Much Thx