How are your dovecot and MTA (assuming postfix?) set up with regard to client and sender verification? Is it an open relay? If so, you should deactivate it because your server is spamming then. Most bots also go through dictionaries and try to send dummy emails to specific account names first, so verifying that the domain is the only one accepting emails helps a lot to mitigate against the noise. Any email not containing an FQDN should be blocked.

I'd also recommend creating a local block list (e.g. /etc/hosts.deny for ssh or a postmap file for postfix) so that you can block those actors. If you don't know how to do that, I included a short howto in my postfix-spamdb [1] project where I maintain spammers targeting my email addresses.

Regarding ssh pw auth, I wouldn't recommend fail2ban because it's very, very buggy software and a lot of RCEs have been discovered in the past, but I would recommend a tool that blocks auths from at least other countries where you are not connecting from.

If you want to be safe, use TOR and a hidden domain to connect to your ssh daemon, and make ssh listen only on localhost. Careful though, it's not beginner friendly in case tor can't connect and you need to know what you are doing.

As my startup's EDR agent overlaps with those features I'm biased and not gonna recommend tools here. Don't wanna spam.

For private use there's the sshpwauth block list from dataplane which you can use to generate a good enough block list [2].

[1] https://github.com/cookiengineer/postfix-spamdb

[2] https://dataplane.org/sshpwauth.txt
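The block-list generation mentioned in the comment, as an added example that is not part of the original comment or of the postfix-spamdb project: it turns a feed into `/etc/hosts.deny` entries and Postfix access-table entries, validating every address and never blocking an allow-listed network. The pipe-delimited column layout (address in the third field), the sample rows and the allow-listed admin network are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample in the layout this example assumes for the feed:
# ASN | ASname | ipaddr | lastseen | category (documentation-range addresses only).
SAMPLE_FEED = """\
# ASN  |  ASname  |  ipaddr  |  lastseen  |  category
64496  |  EXAMPLE-A  |  192.0.2.10    |  2024-01-01 00:00:00  |  sshpwauth
64497  |  EXAMPLE-B  |  198.51.100.7  |  2024-01-01 00:05:00  |  sshpwauth
64497  |  EXAMPLE-B  |  198.51.100.7  |  2024-01-01 00:09:00  |  sshpwauth
64498  |  EXAMPLE-C  |  not-an-ip     |  2024-01-01 00:10:00  |  sshpwauth
64499  |  EXAMPLE-D  |  203.0.113.5   |  2024-01-01 00:11:00  |  sshpwauth
"""


def parse_feed(text, never_block=()):
    """Return sorted, de-duplicated addresses; skip comments, bad rows, allow-listed nets."""
    allow = [ipaddress.ip_network(n) for n in never_block]
    found = set()
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if line.lstrip().startswith("#") or len(fields) < 3:
            continue
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # never write unvalidated feed text into an access file
        if not any(ip in net for net in allow):
            found.add(ip)
    return sorted(found, key=lambda ip: (ip.version, int(ip)))


def hosts_deny_lines(ips, daemon="sshd"):
    """tcp_wrappers syntax; only honoured if sshd is built with libwrap support."""
    return [f"{daemon}: [{ip}]" if ip.version == 6 else f"{daemon}: {ip}" for ip in ips]


def postfix_access_lines(ips):
    """Lines for a Postfix access(5) table used with check_client_access."""
    return [f"{ip}\tREJECT" for ip in ips]


if __name__ == "__main__":
    # 203.0.113.0/24 stands in for your own admin network (hypothetical).
    ips = parse_feed(SAMPLE_FEED, never_block=["203.0.113.0/24"])
    print("\n".join(hosts_deny_lines(ips)))
    print("\n".join(postfix_access_lines(ips)))
```

For Postfix, write the second list to a file, run `postmap` on it, and reference the resulting table from a `check_client_access` restriction.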