Re: [exim] automatically blacklisting clients that fail SMTP…

Author: lee
Date:
To: exim-users
Subject: Re: [exim] automatically blacklisting clients that fail SMTP authentication
On Tue, Jun 07, 2011 at 09:58:20PM +0000, W B Hacker wrote:
> lee wrote:
> >Hi,
> >
> >is it possible to automatically blacklist clients that repeatedly fail
> >SMTP authentication? And if so, how is it done?
> >
>
> By 'clients' do you mean:
>
> - apparent break-in attempts


Obvious break-in attempts:

I've only recently enabled SMTP authentication so that I'm able to
send email via my cellphone. So far, I'm the only user who uses it,
and there aren't going to be many more, if any. Today, I've seen a lot
of authentication attempts logged from two different IP addresses,
i.e. someone obviously trying to break in in order to use my server
to relay their messages.

Exim dropped the connections after so many failed non-mail commands:


[...]
2011-06-07 22:58:00 fixed_cram authenticator failed for (cmykhhz.com) [217.97.156.130]: 535 Incorrect authentication data
2011-06-07 22:58:01 SMTP call from (cmykhhz.com) [217.97.156.130] dropped: too many nonmail commands (last was "AUTH")


fixed_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${if eq{$1}{foo}{bar}fail}


> And in any case, on which arrival port(s) and with which protocol?


SMTP protocol on port 25

> The problem should go away with no need to blacklist if you get the
> combination set optimally.


What I have in mind is to simply have exim deny connections (or all
auth attempts) from the IP in question after the authentication failed
so many times --- perhaps that's a feature already built in?

If it's not a built-in feature, perhaps I can make it so that exim
appends the IPs in question to some file which is used for a
blacklist. I wouldn't even need to expire the IPs anytime soon :)

This must be a very common problem. Everyone offering email services
to remote clients and using SMTP authentication probably has it? It's
pretty unlikely that someone manages to find out the authentication
information needed, yet there's no point in letting them try as much
as they want. There have been 5038 failed auth attempts from only two
different IPs today, and I don't like that.
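As an added example (not part of lee's message or of Exim itself), here is the file-based approach lee sketches: scan Exim's main log for the "authenticator failed" lines quoted above, count them per client IP, and merge the IPs over a threshold into a one-IP-per-line file that an ACL can then consult as a host list. The threshold, the file path and the sample log entries in the 192.0.2.0/24 and 198.51.100.0/24 ranges are constructed for the example.

```python
import re
import sys
from collections import Counter

# Exim main-log line for a failed AUTH, e.g. the one quoted in the post:
# 2011-06-07 22:58:00 fixed_cram authenticator failed for (cmykhhz.com) [217.97.156.130]: 535 ...
# The host part can be "name (helo) [ip]", "(helo) [ip]" or just "[ip]", so match lazily up to "[".
AUTH_FAIL_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ authenticator failed for .*?\[(?P<ip>[^\]]+)\]"
)

# Constructed sample log: the two lines from the post plus made-up entries in documentation IP ranges.
SAMPLE_LOG = [
    "2011-06-07 22:58:00 fixed_cram authenticator failed for (cmykhhz.com) [217.97.156.130]: 535 Incorrect authentication data",
    '2011-06-07 22:58:01 SMTP call from (cmykhhz.com) [217.97.156.130] dropped: too many nonmail commands (last was "AUTH")',
    "2011-06-07 22:58:05 fixed_cram authenticator failed for (cmykhhz.com) [217.97.156.130]: 535 Incorrect authentication data",
    "2011-06-07 22:59:10 fixed_cram authenticator failed for mail.example.net (mail.example.net) [192.0.2.10]: 535 Incorrect authentication data",
    "2011-06-07 22:59:11 fixed_cram authenticator failed for (bogus) [192.0.2.10]: 535 Incorrect authentication data",
    "2011-06-07 22:59:12 fixed_cram authenticator failed for (bogus) [192.0.2.10]: 535 Incorrect authentication data",
    "2011-06-07 23:00:00 1QTxyz-0001AB-Cd <= user@example.org H=(phone) [198.51.100.7] A=fixed_cram P=esmtpa S=512",
]

def count_auth_failures(lines):
    """Map client IP -> number of failed AUTH attempts found in the given log lines."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(lines, threshold):
    """IPs that failed authentication at least `threshold` times, busiest first."""
    return [ip for ip, n in count_auth_failures(lines).most_common() if n >= threshold]

def merge_blacklist(existing, new_ips):
    """Merge current file contents (one IP per line, '#' comments allowed) with new offenders,
    deduplicated so repeated runs over the same log never bloat the file."""
    seen = {l.strip() for l in existing if l.strip() and not l.lstrip().startswith("#")}
    return sorted(seen | set(new_ips))

def update_blacklist_file(path, new_ips):
    """Rewrite `path` (hypothetical, e.g. /etc/exim/auth_blacklist) with the merged list."""
    try:
        with open(path) as f:
            existing = f.readlines()
    except FileNotFoundError:
        existing = []
    merged = merge_blacklist(existing, new_ips)
    with open(path, "w") as f:
        f.write("\n".join(merged) + "\n")
    return merged

if __name__ == "__main__":
    # Usage: python exim_auth_blacklist.py /var/log/exim/mainlog /etc/exim/auth_blacklist 20
    log_path, list_path, limit = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(log_path) as f:
        print(update_blacklist_file(list_path, offenders(f, limit)))
```

Run from cron against the main log; the resulting file can be referenced from an ACL host condition as a file-based host list (a list item that is a path, such as `hosts = /etc/exim/auth_blacklist`) to reject or defer further connections from those addresses.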