A solution to protect my server

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 20.04.6
Webmin version: 2.105
Usermin version: 2.005
Virtualmin version: 7.9.0 Pro
Theme version: 21.09.5
Package updates: All installed packages are up to date

Hello, please, I have a request, if you can help me. Lately I have a problem: someone can access my server, and of course the domains that I have on my server, and it sends spam emails, and the provider blocks port 25. I have already tried fail2ban, but after a few days the pirate can access again, I don’t know how. Please, if there is an idea with which I can protect myself against this kind of problem. Thank you very much.

We never found out how the email is being sent in the first place; last time I tried to help, you only showed bits of the mail log, which was about 12 hours away from the time the incident happened. If there is nothing in the mail log (as said before), it’s most likely being sent from a web app or a plugin of a web app you have installed. Just check all logs to find out what is going wrong.

1 Like

I will give you some clues, if it helps you, so that my problem will be clear to you.
Even if I suspend the email account that sends the emails, it still sends 1000 emails per minute; even if I suspend the domain completely, the email still sends emails. I activated fail2ban and I still have the same problem, as if an intruder controls the mailing outside of Postfix. If it is the log you need, can you tell me how I can send it to you, because I do not have the right to post it here; the text space does not give me the possibility of sending all the text.
Thank you very much for your help, friend.




Mar 20 03:04:59 amanet dovecot: auth-worker(117378): pam(roni9@mobime.ma,202.82.20.241,<fFh5BA4Um9/KUhTx>): pam_authenticate() failed: Authentication failure (Password mismatch?)
Mar 20 03:04:57 amanet postfix/smtpd[112530]: disconnect from unknown[23.95.86.92] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:57 amanet postfix/smtpd[112530]: lost connection after AUTH from unknown[23.95.86.92]
Mar 20 03:04:57 amanet postfix/smtpd[112530]: warning: unknown[23.95.86.92]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:56 amanet dovecot: pop3(transit@emultec.ma)<117379>: Disconnected: Logged out top=0/0, retr=0/0, del=0/5580, size=2384802933
Mar 20 03:04:55 amanet dovecot: pop3-login: Login: user=transit@emultec.ma, method=PLAIN, rip=160.176.111.12, lip=173.212.244.42, mpid=117379, TLS, session=
Mar 20 03:04:53 amanet postfix/smtpd[112530]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:53 amanet postfix/smtpd[112530]: connect from unknown[23.95.86.92]
Mar 20 03:04:53 amanet postfix/smtpd[112530]: warning: hostname setily-bmpstnt.mutemeet.net does not resolve to address 23.95.86.92: No address associated with hostname
Mar 20 03:04:53 amanet postfix/smtpd[115745]: disconnect from unknown[23.95.86.92] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:53 amanet postfix/smtpd[115745]: lost connection after AUTH from unknown[23.95.86.92]
Mar 20 03:04:53 amanet postfix/smtpd[115745]: warning: unknown[23.95.86.92]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:49 amanet postfix/smtpd[115745]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:49 amanet postfix/smtpd[115745]: connect from unknown[23.95.86.92]
Mar 20 03:04:49 amanet postfix/smtpd[115745]: warning: hostname setily-bmpstnt.mutemeet.net does not resolve to address 23.95.86.92: No address associated with hostname
Mar 20 03:04:49 amanet postfix/smtpd[115305]: disconnect from unknown[23.95.86.92] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:49 amanet postfix/smtpd[115305]: lost connection after AUTH from unknown[23.95.86.92]
Mar 20 03:04:49 amanet postfix/smtpd[115305]: warning: unknown[23.95.86.92]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:45 amanet postfix/smtpd[112634]: disconnect from unknown[107.173.177.136] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:45 amanet postfix/smtpd[112634]: lost connection after AUTH from unknown[107.173.177.136]
Mar 20 03:04:45 amanet postfix/smtpd[112634]: warning: unknown[107.173.177.136]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:45 amanet postfix/smtpd[115305]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:44 amanet postfix/smtpd[115305]: connect from unknown[23.95.86.92]
Mar 20 03:04:44 amanet postfix/smtpd[115305]: warning: hostname setily-bmpstnt.mutemeet.net does not resolve to address 23.95.86.92: No address associated with hostname
Mar 20 03:04:42 amanet postfix/smtpd[112634]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:42 amanet postfix/smtpd[112634]: connect from unknown[107.173.177.136]
Mar 20 03:04:42 amanet postfix/smtpd[112634]: warning: hostname 107-173-177-136-host.colocrossing.com does not resolve to address 107.173.177.136: No address associated with hostname
Mar 20 03:04:41 amanet postfix/smtpd[112530]: disconnect from unknown[107.173.177.136] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:41 amanet postfix/smtpd[112530]: lost connection after AUTH from unknown[107.173.177.136]
Mar 20 03:04:41 amanet postfix/smtpd[112530]: warning: unknown[107.173.177.136]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:38 amanet postfix/smtpd[112530]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:38 amanet postfix/smtpd[112530]: connect from unknown[107.173.177.136]
Mar 20 03:04:38 amanet postfix/smtpd[112530]: warning: hostname 107-173-177-136-host.colocrossing.com does not resolve to address 107.173.177.136: No address associated with hostname
Mar 20 03:04:37 amanet postfix/smtpd[115745]: disconnect from unknown[107.173.177.136] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:37 amanet postfix/smtpd[115745]: lost connection after AUTH from unknown[107.173.177.136]
Mar 20 03:04:37 amanet postfix/smtpd[115745]: warning: unknown[107.173.177.136]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:33 amanet postfix/smtpd[115745]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:33 amanet postfix/smtpd[115745]: connect from unknown[107.173.177.136]
Mar 20 03:04:33 amanet postfix/smtpd[115745]: warning: hostname 107-173-177-136-host.colocrossing.com does not resolve to address 107.173.177.136: No address associated with hostname
Mar 20 03:04:24 amanet postfix/smtpd[111147]: disconnect from unknown[192.227.144.43] ehlo=1 auth=0/1 commands=1/2
Mar 20 03:04:24 amanet postfix/smtpd[111147]: lost connection after AUTH from unknown[192.227.144.43]
Mar 20 03:04:24 amanet postfix/smtpd[111147]: warning: unknown[192.227.144.43]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:21 amanet postfix/smtpd[111147]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:21 amanet postfix/smtpd[111147]: connect from unknown[192.227.144.43]
Mar 20 03:04:21 amanet postfix/smtpd[111147]: warning: hostname 192-227-144-43-host.colocrossing.com does not resolve to address 192.227.144.43: No address associated with hostname
Mar 20 03:04:20 amanet postfix/smtpd[111149]: disconnect from unknown[192.227.144.43] ehlo=1 auth=0/1 commands=1/2
Mar 20 03:04:20 amanet postfix/smtpd[111149]: lost connection after AUTH from unknown[192.227.144.43]
Mar 20 03:04:20 amanet postfix/smtpd[111149]: warning: unknown[192.227.144.43]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:17 amanet postfix/smtpd[111149]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:17 amanet postfix/smtpd[111149]: connect from unknown[192.227.144.43]
Mar 20 03:04:17 amanet postfix/smtpd[111149]: warning: hostname 192-227-144-43-host.colocrossing.com does not resolve to address 192.227.144.43: No address associated with hostname
Mar 20 03:04:15 amanet postfix/smtpd[111147]: disconnect from unknown[192.227.144.43] ehlo=1 auth=0/1 commands=1/2
Mar 20 03:04:15 amanet postfix/smtpd[111147]: lost connection after AUTH from unknown[192.227.144.43]
Mar 20 03:04:15 amanet postfix/smtpd[111147]: warning: unknown[192.227.144.43]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:15 amanet postfix/smtpd[115305]: disconnect from unknown[192.210.236.155] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:15 amanet postfix/smtpd[115305]: lost connection after AUTH from unknown[192.210.236.155]
Mar 20 03:04:15 amanet postfix/smtpd[115305]: warning: unknown[192.210.236.155]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:14 amanet postfix/smtpd[115553]: disconnect from unknown[196.191.150.228] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:14 amanet postfix/smtpd[115553]: lost connection after AUTH from unknown[196.191.150.228]
Mar 20 03:04:13 amanet postfix/smtpd[115553]: warning: unknown[196.191.150.228]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:13 amanet postfix/smtpd[111147]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:12 amanet postfix/smtpd[111147]: connect from unknown[192.227.144.43]
Mar 20 03:04:12 amanet postfix/smtpd[111147]: warning: hostname 192-227-144-43-host.colocrossing.com does not resolve to address 192.227.144.43: No address associated with hostname
Mar 20 03:04:12 amanet postfix/smtpd[115305]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:12 amanet postfix/smtpd[115305]: connect from unknown[192.210.236.155]
Mar 20 03:04:12 amanet postfix/smtpd[115305]: warning: hostname 192-210-236-155-host.colocrossing.com does not resolve to address 192.210.236.155: No address associated with hostname
Mar 20 03:04:12 amanet postfix/smtpd[111149]: disconnect from unknown[23.94.82.19] ehlo=1 auth=0/1 commands=1/2
Mar 20 03:04:12 amanet postfix/smtpd[111149]: lost connection after AUTH from unknown[23.94.82.19]
Mar 20 03:04:11 amanet postfix/smtpd[111149]: warning: unknown[23.94.82.19]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:09 amanet postfix/smtpd[111149]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:09 amanet postfix/smtpd[111149]: connect from unknown[23.94.82.19]
Mar 20 03:04:09 amanet postfix/smtpd[111149]: warning: hostname 23-94-82-19-host.colocrossing.com does not resolve to address 23.94.82.19: No address associated with hostname
Mar 20 03:04:08 amanet postfix/smtpd[111147]: disconnect from unknown[23.94.82.19] ehlo=1 auth=0/1 commands=1/2
Mar 20 03:04:08 amanet postfix/smtpd[111147]: lost connection after AUTH from unknown[23.94.82.19]
Mar 20 03:04:08 amanet postfix/smtpd[111147]: warning: unknown[23.94.82.19]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:07 amanet postfix/smtpd[112634]: disconnect from unknown[107.173.177.140] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:07 amanet postfix/smtpd[112634]: lost connection after AUTH from unknown[107.173.177.140]
Mar 20 03:04:07 amanet postfix/smtpd[112634]: warning: unknown[107.173.177.140]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:06 amanet postfix/smtpd[115524]: disconnect from unknown[183.236.9.133] commands=0/0
Mar 20 03:04:06 amanet postfix/smtpd[115524]: lost connection after CONNECT from unknown[183.236.9.133]
Mar 20 03:04:06 amanet postfix/smtpd[115524]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:06 amanet postfix/smtpd[115524]: connect from unknown[183.236.9.133]
Mar 20 03:04:05 amanet postfix/smtpd[111147]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:05 amanet postfix/smtpd[111147]: connect from unknown[23.94.82.19]
Mar 20 03:04:05 amanet postfix/smtpd[111147]: warning: hostname 23-94-82-19-host.colocrossing.com does not resolve to address 23.94.82.19: No address associated with hostname
Mar 20 03:04:05 amanet postfix/smtpd[111149]: disconnect from unknown[23.94.82.19] ehlo=1 auth=0/1 commands=1/2
Mar 20 03:04:05 amanet postfix/smtpd[111149]: lost connection after AUTH from unknown[23.94.82.19]
Mar 20 03:04:05 amanet postfix/smtpd[111149]: warning: unknown[23.94.82.19]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:03 amanet postfix/smtpd[115553]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:03 amanet postfix/smtpd[115553]: connect from unknown[196.191.150.228]
Mar 20 03:04:03 amanet postfix/smtpd[111149]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:02 amanet postfix/smtpd[111149]: connect from unknown[23.94.82.19]
Mar 20 03:04:02 amanet postfix/smtpd[111149]: warning: hostname 23-94-82-19-host.colocrossing.com does not resolve to address 23.94.82.19: No address associated with hostname
Mar 20 03:04:01 amanet postfix/smtpd[112634]: warning: connect to Milter service local:/var/run/milter-greylist/milter-greylist.sock: No such file or directory
Mar 20 03:04:01 amanet postfix/smtpd[112634]: connect from unknown[107.173.177.140]
Mar 20 03:04:01 amanet postfix/smtpd[112634]: warning: hostname 107-173-177-140-host.colocrossing.com does not resolve to address 107.173.177.140: No address associated with hostname
Mar 20 03:04:01 amanet postfix/smtpd[112530]: disconnect from unknown[107.173.177.140] ehlo=2 starttls=1 auth=0/1 commands=3/4
Mar 20 03:04:01 amanet postfix/smtpd[112530]: lost connection after AUTH from unknown[107.173.177.140]
Mar 20 03:04:01 amanet postfix/smtpd[112530]: warning: unknown[107.173.177.140]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:03:57 amanet postfix/smtpd[115745]: disconnect from unknown[192.210.236.155] ehlo=2 starttls=1 auth=0/1 commands=3/4

First off, delete the queue; the queue will resend every 4 hours for many days.

Use this command:
postsuper -d ALL

In the mail log, in the filter, add this: sasl_username=contact

That should show if you are getting an SMTP connect from that user; if not, it sounds like a malicious script.

Are you running WordPress on that domain?
If so, add Wordfence and run a scan; you can set an option to scan outside the WordPress area.

1 Like

Thank you very much, dear friend, for the idea, but believe me, once I delete the queue, in not even a minute the mailbox shown in the photo orders the new one to send emails, and believe me, even if I delete it or suspend it, I always see Postfix sending emails. Something else: I have no site on the server, only mailing space.

But you need to delete all queued mail, else it will continue to build.

The OP said this

so the emails are regenerating, I would guess.

Ok, I give up

1 Like

You have been given good advice on how to fix this problem. You need to take responsibility for the problem. It looks like you have a compromised system; why don’t you delete the whole system, install a fresh version of the OS of your choice, reinstall Virtualmin and not restore backups of your domains but create them from scratch, constantly checking the logs as you create a user, etc.

Hello Mr, really I appreciated your help, but your idea is really not a solution; it is a re-do of the same scenario, because you have not given a solution for the problem. You have simply extended the duration of the problem. On top of that, even after reinstalling the server again and restoring the data, I will experience the same scenario, because I simply did not secure or stop the method with which I am hacked.
And thank you very much.

Thank you bro :slight_smile:

If you restart from scratch you will find out the error. I would guess the root password will be different, all user SSH keys will be gone (this means if someone has been logging into your server via SSH and planted malicious code, their ability to do that will be gone, and of course the malicious software also …

Where in the hell did I mention that? I suggested not restoring the data but starting from scratch (which, if the translation software did not translate correctly, means do not restore anything, just do it all again). So therefore, from doing that, you will be in a totally different place.

By the looks of your mail.log, you are having an attack on your submission port for SASL connections. They look to be dropping, but the attempts need to be blocked on fail2ban’s end.

In your fail2ban.local, add the following if it is not already listed for the jails you are using.

[postfix-sasl]
enabled = true
filter   = postfix[mode=auth]
port = smtp,submission,imap,imaps,pop3,pop3s
maxretry = 1

Restart fail2ban.

And continue purging the mail queue. Sometimes it takes a few tries to rid them all.

2 Likes
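The two replies above ask for the same two things from the mail log: which sasl_username is actually submitting mail through Postfix (the "filter on sasl_username=contact" advice), and which client IPs keep failing AUTH (the lines the postfix[mode=auth] fail2ban filter is meant to catch, with maxretry = 1). The script below is an added example, not code from this thread or from Virtualmin; it matches the standard Postfix and Dovecot syslog formats, the sample log and the account name contact@example.ma in it are constructed, and IPv6 client addresses are not handled.

```python
"""Summarise who is authenticating to Postfix and who is failing to.

Added example, not code from the thread or from Virtualmin/Webmin.
Matches standard Postfix smtpd and Dovecot auth-worker log lines; the
sample log below is constructed (documentation IP ranges, example.ma).
"""
import re
from collections import Counter

# Successful authenticated submission. With a syslog_name override in master.cf
# the service logs as postfix/submission/smtpd, otherwise as postfix/smtpd.
SASL_OK = re.compile(
    r"postfix/\S*smtpd\[\d+\]: \w+: client=\S+\[(?P<ip>[\d.]+)\].*?"
    r"sasl_username=(?P<user>\S+)"
)
# Failed AUTH on any smtpd service (IPv4 only, as in the thread's log).
SASL_FAIL = re.compile(
    r"postfix/\S*smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
    r"SASL \w+ authentication failed"
)
# Dovecot PAM failure; fail2ban's postfix filter does not match these lines,
# they need the separate dovecot jail.
DOVECOT_FAIL = re.compile(
    r"dovecot: auth-worker\(\d+\): pam\((?P<user>[^,]+),(?P<ip>[\d.]+),"
    r".*pam_authenticate\(\) failed"
)

# Constructed sample: two bad-password clients on smtpd, one on Dovecot,
# one (constructed) account submitting mail three times, one normal user.
SAMPLE_LOG = """\
Mar 20 03:04:53 mx postfix/smtpd[115745]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:57 mx postfix/smtpd[112530]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:45 mx postfix/smtpd[112634]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 20 03:04:59 mx dovecot: auth-worker(117378): pam(someone@example.ma,192.0.2.44,<sess>): pam_authenticate() failed: Authentication failure (Password mismatch?)
Mar 20 03:05:10 mx postfix/submission/smtpd[118001]: 4V9kQ13x4Mz: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=contact@example.ma
Mar 20 03:05:11 mx postfix/submission/smtpd[118001]: 4V9kQ15t8Nz: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=contact@example.ma
Mar 20 03:05:12 mx postfix/submission/smtpd[118001]: 4V9kQ17b2Pz: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=contact@example.ma
Mar 20 03:05:30 mx postfix/submission/smtpd[118002]: 4V9kR02c9Qz: client=home.example[198.51.100.80], sasl_method=PLAIN, sasl_username=alice@example.ma
"""


def parse(lines):
    """Return (submissions, failures): Counters keyed by (user, ip) and by ip."""
    submissions, failures = Counter(), Counter()
    for line in lines:
        m = SASL_OK.search(line)
        if m:
            submissions[(m["user"], m["ip"])] += 1
            continue
        m = SASL_FAIL.search(line) or DOVECOT_FAIL.search(line)
        if m:
            failures[m["ip"]] += 1
    return submissions, failures


def top_senders(lines):
    """Authenticated (user, ip) pairs, busiest first: a spam run stands out here."""
    submissions, _ = parse(lines)
    return submissions.most_common()


def ban_candidates(lines, maxretry=1):
    """IPs with at least maxretry auth failures; maxretry=1 mirrors the jail above."""
    _, failures = parse(lines)
    return sorted(ip for ip, n in failures.items() if n >= maxretry)


if __name__ == "__main__":
    import sys

    # Pass /var/log/mail.log as the first argument to run it on a real log.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print("authenticated senders:")
    for (user, ip), n in top_senders(lines):
        print(f"  {n:5d}  {user} from {ip}")
    print("ban candidates (maxretry=1):", ", ".join(ban_candidates(lines)))
```

If the busiest authenticated sender is an account you have suspended, its password is still being accepted somewhere and the run is going through Postfix; if no authenticated sender shows up at all while mail keeps leaving, the mail is being injected locally (sendmail/pickup), which is the "malicious script" case above. The Dovecot PAM failure at the top of the posted log is counted separately because the postfix fail2ban filter does not match it; fail2ban's stock dovecot jail does.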

I will suggest you learn a couple of things to strengthen your email server.

For SMTP connections on port 25: learn how to set up postscreen on Postfix.
Link: https://www.postfix.org/POSTSCREEN_README.html

For the submission port, head over to postfix.org and learn how to make your SASL connections a little more strict.
http://www.postfix.org/SASL_README.html

2 Likes

Thank you very much, I will look at the two links and get back to you with the result.