On Mon, Jul 20, 2009 at 02:05:45PM -0300, Edison F Carbol wrote:
> My server is under a kind of attack. Lot of connections are trying to
> authenticate with the same username that doesn´t exist.
>
> I´d like to drop all connections from a specific username before smtp
> authentication or any layer above.
>
> Is it possible to get the username at acl_smtp_auth?
When you say "from a specific username", do you mean the SMTP AUTH username?
In general, you can't drop connections "from a username" without first
allowing the AUTH to proceed, so you know what the username is.
If your server is handling the load just fine anyway, I'd say do nothing. The
unwanted traffic will probably subside soon enough.
If it's *not* handling the load just fine, then the only suggestion I can
offer is to see if the same IPs are "attacking" again and again, and if they
are (and those IPs are *only* "attacking", they're not also performing
legitimate transactions), then block the offending IP addresses; either at
your firewall, or in acl_smtp_connect.
(acl_smtp_connect is probably easier to implement and could even be automated;
but each attacking connection still uses a non-negligible amount of server
resource).
--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey