Re: [exim] Taming bruteforce auth attacks

Page principale
Supprimer ce message
Répondre à ce message
Auteur: W B Hacker
Date:  
À: exim users
Sujet: Re: [exim] Taming bruteforce auth attacks
Lena@??? wrote:
> Hi,
>
> Does following look reasonable? The "2" is because of
> http://www.exim.org/lurker/message/20031019.140442.419ec907.en.html
>
> acl_check_auth:
>   drop message = authentication is allowed only once per message in order \
>                  to slow down bruteforce cracking
>        condition = ${if def:acl_m_auth}
>        condition = ${if >{$acl_m_auth}{2}}
>        delay = 20s

>
>   warn condition = ${if !def:acl_m_auth}
>        set acl_m_auth = 0

>
> accept set acl_m_auth = ${eval:$acl_m_auth+1}
>
>


Not relevant to the acl snippet, but w/r 'brute force' auth cracking
attempts in general:

- have you first insured that your own client submission requires auth
and that auth cannot be done on port 25, but rather only on port 587?

- are you forcing (at least) TLS-only on port 587, with no fallback to
unencrypted?

If so, and you *still* see significant attacks, (tcpdump?) then:

- are they from random sources?

- or are they perhaps a directed attack from a small lot of IP's that
you could fully or partially block with firewall rules?

We take a further step (CAVEAT - flames may follow) and run the older
SSL-only protocol once implemented on port 465, but on port 587 instead.

Most MUA are easily set to SSL-only and port 587, even though not the
default.

Result - no significant attempts to break-in. Near-as-dammit zero.

Which - aside from not iritating Exim, reduces bandwidth consumption.

HTH,

Bill