Hi All,
If IMAP and POP3 authentication from mail clients keeps failing, it may be a DoS attack.
We can check whether any accounts are locked due to excessive login failures in cPHulk protection, if it is enabled:
WHM Home » Security Center » cPHulk Brute Force Protection
It can also be analysed under
WHM Home » Service Configuration » Mailserver Configuration
We can use the following command to check for a large number of authentication failures per IP address:
# awk '/auth failed/ {for (i=1;i<=NF;i=i+1) if ($i ~ /^rip=/) print $i}' /var/log/maillog | sort | uniq -c | sort -n | tail
We can block the IP addresses making a large number of requests in the CSF firewall with:
# csf -d <ipaddress>
Thanks
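Added example (not part of the original post): a shell function that extends the one-liner above to also count how many distinct mailboxes each IP failed against, which helps tell a single client with a stale password apart from a source trying many accounts before anything is passed to csf -d. It assumes Dovecot-style `user=<...>` and `rip=` log fields; the function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-IP summary of "auth failed" lines read from stdin.
# Assumes Dovecot-style fields (user=<...>, rip=...); names are hypothetical.

# usage: auth_fail_summary [MIN_FAILURES] < /var/log/maillog
# prints "<failures> <distinct_users> <ip>", highest failure count first
auth_fail_summary() {
    awk -v min="${1:-5}" '
    /auth failed/ {
        ip = ""; user = ""
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/,$/, "", f)                    # strip the trailing comma
            if (f ~ /^rip=/)  ip = substr(f, 5)
            if (f ~ /^user=/) user = substr(f, 6)
        }
        if (ip == "") next
        fails[ip]++
        key = ip SUBSEP user
        if (user != "" && !(key in seen)) { seen[key] = 1; users[ip]++ }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= min)
                printf "%d %d %s\n", fails[ip], users[ip], ip
    }' | sort -k1,1nr -k3,3
}

# Constructed sample log lines (documentation IP ranges, not real traffic).
make_sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Mar  3 10:00:03 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar  3 10:00:05 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<carol@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Mar  3 10:01:00 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.com>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, TLS
Mar  3 10:01:09 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.com>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, TLS
Mar  3 10:02:00 host dovecot: imap-login: Login: user=<erin@example.com>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, TLS
EOF
}

# 203.0.113.7 fails against three mailboxes; 198.51.100.20 against one.
make_sample_log | auth_fail_summary 2
```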
