Re: [exim] Stopping Bruteforceattacks

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Duane Hill
Data:  
Para: exim-users
Assunto: Re: [exim] Stopping Bruteforceattacks
On Wednesday, July 25, 2012 at 15:08:00 UTC, cyborg2@??? confabulated:

> Am 25.07.2012 16:33, schrieb Lena@???:
>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
>> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
>> http://www.mail-archive.com/exim-users@exim.org/msg41893.html
>> or the same message:
>> https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html
>>


> acl_check_auth:
>    drop  message = authentication is allowed only once per message in order \
>                    to slow down bruteforce cracking
>          set acl_m_auth = ${eval10:0$acl_m_auth+1}
>          condition = ${if >{$acl_m_auth}{2}}
>          delay = 22s


>    drop  message = blacklisted for bruteforce cracking attempt
>          set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
>          condition = ${if >{$acl_c_authnomail}{4}}
>          continue = ${run{SHELL -c "echo $sender_host_address \
>             >>$spool_directory/blocked_IPs; \
>             \N{\N echo Subject: $sender_host_address blocked; echo; echo \
>             for bruteforce auth cracking attempt.; \
>             \N}\N | EXIMBINARY WARNTO"}}


> ...



> It looks like the answere, thanks.


> If i understood it correctly, this will create a file for each blocked
> ip and check later if it exists.


Incorrect. Only one file is used. Notice the double '>>'. Each IP is
written to 'blocked_IPs'. I lookup is done somewhere else (I use the
connect ACL).

> Just for the record, if you send the ip to your firewall, you won't need
> to check for the files later.
> Each check generates unnecessary IO, hopefully in the cache, but it must
> not be cached already.


> If it's firewalled, the spammer can't dos the system with requests from
> already blocked ip's .


> If the production system has a thousand and more accouts/domains on it,
> the io part will be become
> vital . The server of my last employer was rated up to 500.000 mails a
> day by spamcop and trust me,
> you do not want to check those blocked ips with a file.exists() call :)



> Marius


--
If at first you don't succeed...
...so much for skydiving.