How to deal with brute force attacks on an Exchange server?
A corporate Exchange 2007 server receives a huge number of requests with both random names (login selection) and existing names (login selection).
There are no addresses in the Exchange logs. Only the address and the reason for the failure are reported.
Ideally, I would add the addresses to a blacklist, but, as I understand it, Exchange cannot do that.
What can be done?
What will you do when the blacklist grows to 5GB and the employee's address is in the blacklist?
You need a brute-force password.
The simplest thing is to configure the fail2ban service on the router or gateway to the Internet or implement similar functionality. If there are more than N connections from a certain IP - block for 3-5 minutes. The attacks will end.
Pick N empirically.
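The rule suggested in this answer (more than N connections from one IP, then a block for 3-5 minutes), as an added Python example that is not part of the original answer and is not fail2ban's own code. It shows that blocks expire on their own, so the list does not keep growing, and that an allowlisted range is never blocked. The values of N and the counting window, the 10.0.0.0/8 allowlist and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

MAX_CONN = 5    # "N" from the answer; tune empirically (value is an assumption)
WINDOW = 60     # seconds over which connections are counted (assumption)
BAN_TIME = 300  # block for 5 minutes, within the suggested 3-5 minute range
ALLOW = [ip_network("10.0.0.0/8")]  # assumed internal range, never blocked

class TempBanList:
    def __init__(self):
        self.seen = defaultdict(deque)  # ip -> timestamps of recent connections
        self.banned = {}                # ip -> time at which the block expires

    def connection(self, ip, now):
        """Record one connection; return 'allow', 'ban' (new block) or 'drop'."""
        if any(ip_address(ip) in net for net in ALLOW):
            return "allow"
        expiry = self.banned.get(ip)
        if expiry is not None:
            if now < expiry:
                return "drop"
            del self.banned[ip]         # expired blocks are forgotten
        q = self.seen[ip]
        q.append(now)
        while q[0] <= now - WINDOW:     # discard connections outside the window
            q.popleft()
        if len(q) > MAX_CONN:
            self.banned[ip] = now + BAN_TIME
            del self.seen[ip]
            return "ban"
        return "allow"

# Constructed sample events: (time in seconds, source IP)
SAMPLE = (
    [(t, "203.0.113.7") for t in range(0, 12, 2)]   # 6 connections in 10 s
    + [(20, "203.0.113.7"), (320, "203.0.113.7")]   # during / after the block
    + [(5, "198.51.100.4")]                         # single normal connection
    + [(t, "10.1.2.3") for t in range(10)]          # busy internal client
)

def replay(events):
    """Feed events in time order; return the decisions and the final ban list."""
    bl = TempBanList()
    return [(t, ip, bl.connection(ip, t)) for t, ip in sorted(events)], bl

if __name__ == "__main__":
    for t, ip, action in replay(SAMPLE)[0]:
        print(f"{t:>4}s {ip:<14} {action}")
```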
Do I understand correctly that your Exchange faces the Internet directly? And MX points to it? Is that how it happened historically?
Put some kind of relay in front of Exchange: MX points to the relay, and between the relay and Exchange only port 25 is open.