I have had someone trying to gain access to two accounts on my server. One is my email address for my business, the other is the account I use to administer the Zimbra server 6.0.5. The second account is used ONLY to admin, nothing else. This has been emanating mainly from China. I have OSSEC, but I also block the entire class A subnet in iptables. They turned up on another class A subnet and I block that, and so it goes. No other accounts out of hundreds on this server are ever attacked.

I resorted to changing the mailbox part of the admin account name to obscure letters and numbers since I don't use it for email. This hacker is monitoring me somehow because they immediately attack the new email address. They also are now attacking these two accounts from other countries (probably through computers they have gained access to).

How are they doing this? Some sort of sniffer program? I'm no security expert, so I was looking for advice on how to protect my Zimbra server from these persistent (over 6 months) attacks targeted against me specifically. And now I suspect they are monitoring traffic between my IP and the server's IP. Should I access the admin web console strictly locally using the localhost address? I have physical access to the server.