Re: [exim] automatically blacklisting clients that fail SMTP…

Góra strony
Delete this message
Reply to this message
Autor: Dave Lugo
Data:  
Dla: lee
CC: exim-users
Temat: Re: [exim] automatically blacklisting clients that fail SMTP authentication
(forgive the top-posting)

a few possibilities come to mind:

. using ratelimit in exim
. parsing logs and writing to some 'reject-ip' file that exim would
consult
. using fail2ban

On Wed, 8 Jun 2011, lee wrote:
>
> Obvious break-in attempts:
>
> I?ve only recently enabled SMTP authentication so that I?m able to
> send email via my cellphone. So far, I?m the only user who uses it,
> and there aren?t going to be many more, if any. Today, I?ve seen a lot
> of authentication attempts logged from two different IP addresses,
> i. e. someone obviously trying to break in in order to use my server
> to relay their messages.
>
> Exim dropped the connections after so many failed non-mail commands:
>
>
> [...]
> 2011-06-07 22:58:00 fixed_cram authenticator failed for (cmykhhz.com) [217.97.156.130]: 535 Incorrect authentication data
> 2011-06-07 22:58:01 SMTP call from (cmykhhz.com) [217.97.156.130] dropped: too many nonmail commands (last was "AUTH")
>
>
> fixed_cram:
> driver = cram_md5
> public_name = CRAM-MD5
> server_secret = ${if eq{$1}{foo}{bar}fail}
>
>
>> And in any case, on which arrival port(s) and with which protocol?
>
> SMTP protocol on port 25
>
>> The problem should go away with no need to blacklist if you get the
>> combination set optimally.
>
> What I have in mind is to simply have exim deny connections (or all
> auth attempts) from the IP in question after the authentication failed
> so many times --- perhaps that?s a feature already built in?
>
> If it?s not a built-in feature, perhaps I can make it so that exim
> appends the IPs in question to some file which is used for a
> blacklist. I wouldn?t even need to expire the IPs anytime soon :)
>
> This must be a very common problem. Everyone offering email services
> to remote clients and using SMTP authentication probably has it? It?s
> pretty unlikely that someone manages to find out the authentication
> information needed, yet there?s no point in letting them try as much
> as they want. There have been 5038 failed auth attempts from only two
> different IPs today, and I don?t like that.
>
>


-- 
--------------------------------------------------------
  Dave Lugo     dlugo@???      No spam, thanks.
  Are you the police?  . . .  No ma'am, we're sysadmins.
--------------------------------------------------------