Re: [exim] ratelimit based on invalid authentication

Top Page
Delete this message
Reply to this message
Author: Dean Brooks
Date:  
To: exim-users
Subject: Re: [exim] ratelimit based on invalid authentication
On Sun, Jul 08, 2012 at 10:11:17PM +0200, Arkadiusz Mi?kiewicz wrote:
> Is there a way to rate limit host based on invalid authentication? I'm
> limiting on lack of auth but how to do the similar thing for invalid auth?
>
> 2012-07-08 22:09:33 login authenticator failed for (aabb) [x.x.x.x]: 535
> Incorrect authentication data (set_id=...)


I have included below the configuration we are using to do this. If
you have this in place, your server will automatically begin rejecting
hosts that send repeated auth failure attempts.

You can change the BADAUTH_LIMIT macro below to any rate you like, but
we use 15 failed attempts within 2 hours as our threshold.

In the global config section of your config:

BADAUTH_LIMIT = 15 / 2h

acl_smtp_connect = check_connection
acl_smtp_quit = check_quit
acl_smtp_notquit = check_notquit

In the ACL section of your config:

  check_connection:
    drop message = Too many failed authentication attempts
    ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address


  check_quit:
    accept condition = ${if eq{$authentication_failed}{1}}
    ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address


  check_notquit:
    accept condition = ${if eq{$authentication_failed}{1}}
    ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address


The rate limiting counters are incremented in both the "quit" and
"notquit" sections. Both are needed as you don't know if the
connection will end up closing gracefully. Failed authentications
will immediately go to either the check_quit or check_notquit acls.

The entry in check_connection doesn't increment the counters, it only
reads from them, and drops the connection if over the threshold. You
can't put the ratelimiting in the MAIL, RCPT or DATA sections because
the connection will never get that far (they haven't authenticated!).

Hope this helps.

--
Dean Brooks
dean@???