Author: Peter
Date:
To: exim-users
Subject: Re: [exim] Drop smtp connection before authentication

On 2009-07-20 3:12, Edison F Carbol wrote:
> Hi,
>
> Is it possible to drop smtp connection before authentication per username?
> My server is congested with many attempts to authenticate with a deleted
> account.

Hi

I guess you could drop in the HELO stage, based on a text file of IP
addresses, like

    deny condition = ${lookup{$sender_host_address}lsearch{banedip.txt}{yes}{no}}

and a cronjob to grep all bad IPs

    grep "authenticator failed for.*" /var/log/exim4/mainlog -o | sort | uniq -c |
      grep "^ *[0-9]\{2,4\} " |
      grep "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" -o > banedip.txt

(above banning IPs where failed auth attempts >9)

On my system I grep a few other logfiles as well, but I add the IPs this
script finds to a drop list in iptables (less CPU time used).

Also on my system I have just now added

    warn log_message = Possible hacked useraccount $authenticated_id
         authenticated = *
         sender_domains = !+local_domains

due to some (new?) virus/malware stealing my users' logins.
So heads up.
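
The cron job described in the reply above, as an added example that is not part of the original post: it counts "authenticator failed for" lines per peer address across the whole log and writes the ban list by renaming a temp file into place. The function names, the threshold argument and the sample log lines are hypothetical, and the `[a.b.c.d]:` peer format is an assumption about the Exim log layout.

```sh
#!/bin/sh
# Added example. Assumption: Exim logs the peer as "[a.b.c.d]:" right after the
# optional "(HELO name)" on "authenticator failed for" lines.

# failed_auth_ips THRESHOLD < mainlog
# Prints each IPv4 peer with at least THRESHOLD failed logins, one per line.
failed_auth_ips() {
    awk -v min="${1:-10}" '
        /authenticator failed for/ {
            # Search only after the marker so earlier fields cannot match.
            rest = substr($0, index($0, "authenticator failed for"))
            # Require the trailing colon: skips an address literal used as HELO.
            if (match(rest, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]:/))
                count[substr(rest, RSTART + 1, RLENGTH - 3)]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# update_banlist MAINLOG OUTFILE [THRESHOLD]
# Writes to a temp file and renames it, so a lookup never sees a half-written list.
update_banlist() {
    tmp="$2.tmp.$$"
    failed_auth_ips "${3:-10}" < "$1" > "$tmp" && mv "$tmp" "$2"
}

# Constructed sample log lines (documentation addresses, made-up account names).
sample_log() {
    cat <<'EOF'
2009-07-20 03:12:01 login authenticator failed for (mail) [192.0.2.10]: 535 Incorrect authentication data (set_id=olduser)
2009-07-20 03:12:02 login authenticator failed for (mail) [198.51.100.7]: 535 Incorrect authentication data (set_id=olduser)
2009-07-20 03:12:03 login authenticator failed for (mail) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)
2009-07-20 03:12:04 1MSabc-0001Xy-AB <= a@example.org H=(x) [203.0.113.5] P=esmtp S=812
2009-07-20 03:12:05 login authenticator failed for ([10.0.0.1]) [192.0.2.10]: 535 Incorrect authentication data (set_id=olduser)
EOF
}

# Demo on the constructed sample with a threshold of 3 failures.
sample_log | failed_auth_ips 3
```

Because the count is keyed on the address alone, attempts against different account names from one host add up, and interleaved log lines do not split the tally.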