LinuxQuestions.org

Thread: Illegal exim2 login attempts (https://www.linuxquestions.org/questions/linux-security-4/illegal-exim2-login-attempts-4175487528/)

cnmoore 12-10-2013 03:17 PM

Illegal exim2 login attempts
 
My server logs show many more failed attempts to login to exim2 than attempts at SSH.

What would they do if they succeeded? I'm guessing they could send email that appeared to come from us. Is that right? (CentOS, Dovecot on dedicated server)

Noway2 12-10-2013 03:21 PM

Yes, if they are able to guess a username / password combination, i.e., a valid set of login credentials, for your email system, they will be able to send mail via that account. Until you change the password, that is, but then they will still have half of the credentials (the name).

I would suggest trying fail2ban, which will monitor the log file and temporarily block their access to your server via IPTables. You can configure the number of login failures allowed and how long the ban period lasts. This is usually enough of a deterrent to cause the person or script making the attempt to go away.
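
The fail2ban behaviour described above, as an added example that is not from the thread or from fail2ban itself: a small Python script that applies fail2ban's maxretry/findtime sliding window to Exim "authenticator failed" log lines and also lists which usernames were tried, so they can be compared against the accounts that really exist. The log lines follow Exim's real mainlog format, but the hostnames, addresses and usernames in them are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Exim mainlog format; hosts and IPs are made up.
SAMPLE_LOG = """\
2013-12-10 15:01:02 login authenticator failed for (mx.example.net) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
2013-12-10 15:01:20 login authenticator failed for (mx.example.net) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
2013-12-10 15:01:41 plain authenticator failed for (mx.example.net) [203.0.113.5]: 535 Incorrect authentication data (set_id=abuse)
2013-12-10 15:02:05 login authenticator failed for (mx.example.net) [203.0.113.5]: 535 Incorrect authentication data (set_id=postmaster)
2013-12-10 15:30:00 login authenticator failed for (host.example.org) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2013-12-10 15:31:10 1VqZ1a-0001bc-De <= admin@example.com H=(pc) [192.0.2.10] P=esmtpsa A=login:admin S=1234
"""

# Matches Exim's "<auth> authenticator failed for (host) [ip]: 535 ... (set_id=user)" lines.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\].*\(set_id=(?P<user>[^)]*)\)"
)

def parse_failures(text):
    """Yield (timestamp, client_ip, attempted_username) for each failed SMTP AUTH line."""
    for line in text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")

def offenders(text, maxretry=3, findtime=600):
    """Fail2ban-style sliding window: return {ip: time_ban_triggered} for every
    client that reached maxretry failures within findtime seconds. Successful
    logins and unrelated lines are ignored; an already-banned IP is not re-counted."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _user in parse_failures(text):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned

def targeted_usernames(text):
    """Set of usernames that were guessed; compare against the accounts that exist."""
    return {user for _ts, _ip, user in parse_failures(text)}

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{when}: {ip} reached the failure threshold (fail2ban would add an iptables DROP rule)")
    print("usernames tried:", sorted(targeted_usernames(SAMPLE_LOG)))
```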

cnmoore 12-10-2013 03:40 PM

Thanks Noway2.

There are only 3 usernames: admin, abuse, and one other. Abuse wouldn't make much sense to send from and all have different 17 char passwords.

Attempts are throttled to not more than 4 per minute by a conditional in iptables.

I monitor via logwatch and DirectAdmin Brute force monitor, and block via iptables if any of the fiends are very persistent.

So I think we're safe but I was curious why they so much want to do this. :cool:
