Re: [exim] Stopping Bruteforceattacks

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMDuane Hill at <-
MMCyborg at ->
Delete this message
Reply to this message
Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] Stopping Bruteforceattacks
Am 25.07.2012 17:08, schrieb Cyborg:
> Am 25.07.2012 16:33, schrieb Lena@???:
>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
>> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
>> http://www.mail-archive.com/exim-users@exim.org/msg41893.html
>> or the same message:
>> https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html
>>
>
> acl_check_auth:
>   drop  message = authentication is allowed only once per message in 
> order \
>                   to slow down bruteforce cracking
>         set acl_m_auth = ${eval10:0$acl_m_auth+1}
>         condition = ${if >{$acl_m_auth}{2}}
>         delay = 22s

Is there any variable, which holds the "username" of the AUTH command IF
the auth fails ?


2012-07-25 17:29:54 no IP address found for host
static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from
[216.214.153.238])
2012-07-25 17:29:54 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:29:54 plain authenticator failed for ([192.168.0.232])
[216.214.153.238]: 535 Incorrect authentication data (set_id=toby)
2012-07-25 17:32:04 no IP address found for host
static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from
[216.214.153.238])
2012-07-25 17:32:04 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:32:04 plain authenticator failed for ([192.168.0.232])
[216.214.153.238]: 535 Incorrect authentication data (set_id=tyler)
2012-07-25 17:34:14 no IP address found for host
static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from
[216.214.153.238])
2012-07-25 17:34:15 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:34:15 plain authenticator failed for ([192.168.0.232])
[216.214.153.238]: 535 Incorrect authentication data (set_id=sebastian)
2012-07-25 17:35:00 no host name found for IP address 27.41.155.167

That Windows PC ( with telnet and VPN service :D ) btw. does not raise
a ratelimit, as it only connects once and has a 120 seconds timer.

Exim logs "set_id=sebastian" and i need that name to make a compare to
the database to check if its even possible it's not a bruteforcer.

My thoughts are, brute forcer try a list of given names and passwords,
but do not start with the correct name.
Why not, because if the have the name, they also got the password from
the used trojan horse.
That will not be true always, but in most cases it will be a valid
assumption, don't you agree ?

btw. our unfriendly windows server (s.a.) is now blocked the old fashion
way :)




This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Stopping BruteforceattacksRe: [exim] Stopping Bruteforceattacks->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)