Re: [Exim] Teergrub/Dictionary Attack?

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Tony Earnshaw
Data:  
Para: exim-users
Assunto: Re: [Exim] Teergrub/Dictionary Attack?
Cory Daehn wrote:

> My server has been tied up with connections from servers attempting to do
> dictionary attacks for most of the last 24 hours, eating up my disk space
> with reject logs and wasting my bandwidth... Here is what I would like to
> do, and hope there's an FAQ or HOWTO or something that can help me... I'm
> running Exim 4.22 with Exiscan-ACL...
> I would like to allow no more than 10 invalid recipients per connection.


I thought this was FAQ by now. You can :)

> After each invalid recipient, take a minute longer to respond... up to 10
> minutes before finally dropping the connection.


You can set your own time.

> Exim version 4.22 #1


Same here.

> After dropping a connection due to invalid recipients, refuse
> connections from that IP address for 4-6 hours.


For that bit you'd have to write your own script (firewall?). However,
what Exim does already is better than "The Other MTA":

ACLs, under acl_check_rcpt:

# Deny and teergrube if too many wrong recipients

   deny  message         = Max $rcpt_fail_count failed recipients allowed
         condition       = ${if >{$rcpt_fail_count}{10} {1}}
         ! verify        = recipient
         delay           = ${eval: ($rcpt_fail_count) * 60}s
         log_message     = $rcpt_fail_count failed recipient attempts


--Tonni

--
Tony Earnshaw

Looking backwards is always easy with hindsight

http://www.billy.demon.nl
Mail: tonni@???