Re: [exim] Stopping Bruteforceattacks

Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] Stopping Bruteforceattacks
On 25.07.2012 16:33, Lena@??? wrote:
> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
> http://www.mail-archive.com/exim-users@exim.org/msg41893.html
> or the same message:
> https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html
>


acl_check_auth:
   drop  message = authentication is allowed only once per message in order \
                   to slow down bruteforce cracking
         set acl_m_auth = ${eval10:0$acl_m_auth+1}
         condition = ${if >{$acl_m_auth}{2}}
         delay = 22s


   drop  message = blacklisted for bruteforce cracking attempt
         set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
         condition = ${if >{$acl_c_authnomail}{4}}
         continue = ${run{SHELL -c "echo $sender_host_address \
            >>$spool_directory/blocked_IPs; \
            \N{\N echo Subject: $sender_host_address blocked; echo; echo \
            for bruteforce auth cracking attempt.; \
            \N}\N | EXIMBINARY WARNTO"}}


...


It looks like the answer, thanks.

If I understood it correctly, this will create a file for each blocked
IP and check later if it exists.


Just for the record, if you send the IP to your firewall, you won't need
to check for the files later.
Each check generates unnecessary I/O, hopefully in the cache, but it need
not be cached already.

If it's firewalled, the spammer can't DoS the system with requests from
already blocked IPs.

If the production system has a thousand and more accounts/domains on it,
the I/O part will become vital. The server of my last employer was rated
at up to 500.000 mails a day by spamcop and, trust me, you do not want to
check those blocked IPs with a file.exists() call :)


Marius
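As an added example (not code from the thread or from Exim), the log-side view of the same idea: count the "authenticator failed" mainlog lines quoted above per client IP, apply the ACL's "more than 4" threshold, and render firewall DROP rules instead of a file the ACL would re-read on every connection, as Marius suggests. The sample log is constructed (the first address is the one from the thread; the others are RFC 5737 documentation addresses), and the iptables rule form is an assumed choice of firewall.

```python
import re
from collections import defaultdict

# Failed-AUTH mainlog line, as quoted in the thread:
#   <date> <time> <auth> authenticator failed for <helo> [<ip>]: 535 Incorrect authentication data (set_id=<user>)
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<auth>\S+) authenticator failed for "
    r"(?P<helo>.*?) ?\[(?P<ip>[0-9a-fA-F.:]+)\]: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?$"
)

# Constructed sample log: one host hammering five accounts, one typo by a real
# user, one failure without set_id, and one unrelated line the parser must skip.
SAMPLE_LOG = """\
2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
2012-07-25 07:09:13 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=admin)
2012-07-25 07:09:15 login authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=info)
2012-07-25 07:09:17 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=sales)
2012-07-25 07:09:19 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=test)
2012-07-25 07:10:02 plain authenticator failed for (laptop.example) [198.51.100.7]: 535 Incorrect authentication data (set_id=marius)
2012-07-25 07:10:40 Start queue run: pid=1234
2012-07-25 07:11:00 plain authenticator failed for (mx.example.net) [203.0.113.9]: 535 Incorrect authentication data
"""

def parse_auth_failure(line):
    """Return (ip, user_or_None) for a failed-AUTH line, or None for any other line."""
    m = AUTH_FAIL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("ip"), m.group("user")

def failures_by_ip(log_text):
    """Map client IP -> (failure count, sorted list of usernames tried)."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_auth_failure(line)
        if parsed:
            ip, user = parsed
            counts[ip] += 1
            if user:
                users[ip].add(user)
    return {ip: (counts[ip], sorted(users[ip])) for ip in counts}

def ips_to_block(log_text, threshold=4):
    """IPs with more than `threshold` failures (the ACL's `> 4`, here counted over the log)."""
    return sorted(ip for ip, (n, _) in failures_by_ip(log_text).items() if n > threshold)

def firewall_commands(ips, chain="INPUT"):
    """Render one iptables DROP rule per blocked IP for port 25 (assumed firewall; not executed)."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]
```

Run as `python3 exim_authfail.py` after adding a `print` loop over `firewall_commands(ips_to_block(SAMPLE_LOG))`; with the sample log it emits exactly one rule, for 216.214.153.238.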