[Exim] Dictionary attack defense

Author: Odhiambo G. Washington
Date:  
To: exim-users
Subject: [Exim] Dictionary attack defense
Hello all,

I am making an attempt at discouraging dictionary attacks (and I see many)
but there is some point of failure, which has left me stumped.


In the RCPT ACL, I have these rules:

# Deny, blacklist and teergrube if too many incorrect/bad recipients as that
# is a likely sign of a dictionary attack.

deny  message       = Max $rcpt_fail_count failed recipients allowed
      condition     = ${if > {${eval:$rcpt_fail_count}}{2}{yes}{no}}
      condition     = ${run{/usr/local/etc/exim/dictscan.pl $sender_host_address}{1}{1}}
      delay         = ${eval: ($rcpt_fail_count) * 30}s
      log_message   = Dictionary scan! $rcpt_fail_count failed recipient attempts
# If they added themselves to the file above, let's block them for Dict Scan!!!

deny  message       = REGRET_TEXT
      hosts         = /usr/local/etc/exim/dictscan.ips
      delay         = 150s



I use the attached script, which when tested in the CLI, gives

wash@ns2 ('tty') ~ 407 -> perl /usr/local/etc/exim/dictscan.pl 1.2.3.3
wash@ns2 ('tty') ~ 408 -> cat /usr/local/etc/exim/dictscan.ips

# Tue Sep 9 13:20:45 2003
1.2.3.3


In the logs I see this:

2003-09-09 13:09:03 H=(printerserver) [61.152.210.131] F=<umzu3mdy@???> \
rejected RCPT <muchene@???>: Dictionary scan! 3 failed recipient attempts


The part that leaves me stumped is why the script does not run!
When I run a debug test with one of the ips I get from the log, I see that the
rule is working, it even goes ahead to effect the delay, but never does it
put the offending IP in the file.

Of course the delay works so well, all I would like to find out is why the
{run{... fails


Log snippet:

>>> => that means 80.240.192.5 is not listed at orbs.dorkslayers.com
>>> warn: condition test failed
>>> processing "deny"
>>> check condition = ${if > {${eval:$rcpt_fail_count}}{2}{yes}{no}}
>>>                 = yes
>>> check condition = ${run{/usr/local/etc/exim/dictscan.pl $sender_host_address}{1}{1}}
>>>                 = 1
>>> check delay = ${eval: ($rcpt_fail_count) * 30}s
>>>             = 90s
>>> delay modifier requests 90-second delay
Thanks


        cheers
       - wash
+----------------------------------+-----------------------------------------+
Odhiambo Washington                     . WANANCHI ONLINE LTD (Nairobi, KE)  |
<wash at wananchi dot com>              . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223                 . # 10286, 00100 NAIROBI             |
GSM: (+254) 733 744 121                 . (+254) 020 313 985 - 9             |
+---------------------------------+------------------------------------------+
"Oh My God! They killed init! You Bastards!"
                         --from a /. post
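A worked example in Python, added here as an editor's illustration (it is not the attached dictscan.pl nor Exim's own code): it picks the scanning hosts out of the reject lines that the ACL's log_message writes, then appends them to the host-list file in the layout the `cat dictscan.ips` output above shows, refusing values that are not IP addresses or are already listed. The log lines and e-mail addresses are constructed samples and the list file is written to a temporary directory; both are assumptions of the example.

```python
import ipaddress
import re
import tempfile
import time
from pathlib import Path
# Constructed sample log (placeholder addresses); two lines carry the ACL's "Dictionary scan!" log_message.
SAMPLE_LOG = """\
2003-09-09 13:09:03 H=(printerserver) [61.152.210.131] F=<umzu3mdy@example.invalid> rejected RCPT <muchene@example.invalid>: Dictionary scan! 3 failed recipient attempts
2003-09-09 13:11:40 H=(mx) [198.51.100.7] F=<a@example.invalid> rejected RCPT <b@example.invalid>: Dictionary scan! 4 failed recipient attempts
2003-09-09 13:12:01 H=(mail) [203.0.113.9] F=<c@example.invalid> rejected RCPT <d@example.invalid>: relay not permitted
"""
REJECT_RE = re.compile(r"\[(?P<ip>[^\]]+)\] .*Dictionary scan! (?P<n>\d+) failed recipient attempts")

def scanner_hits(log_text, min_failures=3):
    """Map each sending IP to the highest failed-recipient count logged against it."""
    hits = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and int(m.group("n")) >= min_failures:
            hits[m.group("ip")] = max(int(m.group("n")), hits.get(m.group("ip"), 0))
    return hits

def load_blocklist(path):
    """Read the file as Exim reads `hosts = /file`: blank lines and '#' comment lines are ignored."""
    if not Path(path).exists():
        return set()
    lines = (raw.strip() for raw in Path(path).read_text().splitlines())
    return {line for line in lines if line and not line.startswith("#")}

def record_scanner(ip, path):
    """Append ip as dictscan.ips lays it out ('# <timestamp>', then the address); True if added,
    False if already listed or not an IP. In production this runs as the Exim user, which must be able to write the file."""
    try:
        ip = str(ipaddress.ip_address(ip))
    except ValueError:
        return False
    if ip in load_blocklist(path):
        return False
    with Path(path).open("a") as fh:
        fh.write(f"\n# {time.ctime()}\n{ip}\n")
    return True

def main():
    """Run both steps over the sample log in a temporary directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        listfile = Path(tmp) / "dictscan.ips"
        added = [record_scanner(ip, listfile) for ip in scanner_hits(SAMPLE_LOG)]
        again = record_scanner("61.152.210.131", listfile)  # already listed -> False
        bogus = record_scanner("not-an-ip", listfile)       # never written -> False
        return added, again, bogus, load_blocklist(listfile)
```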