Re: [exim] Stopping Bruteforceattacks

Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] Stopping Bruteforceattacks
On 25.07.2012 17:08, Cyborg wrote:
> On 25.07.2012 16:33, Lena@??? wrote:
>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
>> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
>> http://www.mail-archive.com/exim-users@exim.org/msg41893.html
>> or the same message:
>> https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html
>>
>
> acl_check_auth:
>   drop  message = authentication is allowed only once per message in order \
>                   to slow down bruteforce cracking
>         set acl_m_auth = ${eval10:0$acl_m_auth+1}
>         condition = ${if >{$acl_m_auth}{2}}
>         delay = 22s


Is there any variable which holds the "username" of the AUTH command IF
the auth fails?


2012-07-25 17:29:54 no IP address found for host
static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from
[216.214.153.238])
2012-07-25 17:29:54 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:29:54 plain authenticator failed for ([192.168.0.232])
[216.214.153.238]: 535 Incorrect authentication data (set_id=toby)
2012-07-25 17:32:04 no IP address found for host
static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from
[216.214.153.238])
2012-07-25 17:32:04 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:32:04 plain authenticator failed for ([192.168.0.232])
[216.214.153.238]: 535 Incorrect authentication data (set_id=tyler)
2012-07-25 17:34:14 no IP address found for host
static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from
[216.214.153.238])
2012-07-25 17:34:15 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:34:15 plain authenticator failed for ([192.168.0.232])
[216.214.153.238]: 535 Incorrect authentication data (set_id=sebastian)
2012-07-25 17:35:00 no host name found for IP address 27.41.155.167

That Windows PC (with telnet and VPN service :D) btw. does not raise
a ratelimit, as it only connects once and has a 120-second timer.

Exim logs "set_id=sebastian" and I need that name to compare against
the database to check whether it's even possible that it's not a bruteforcer.

My thoughts are: brute forcers try a list of given names and passwords,
but do not start with the correct name.
Why not? Because if they had the name, they would also have got the password
from the trojan horse they used.
That will not always be true, but in most cases it will be a valid
assumption, don't you agree?

btw. our unfriendly Windows server (see above) is now blocked the old-fashioned
way :)
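As an added example (not from the original post and not Exim's own code), the defender-side check the post is asking for: parse Exim main-log lines for failed AUTH attempts, pull out the client IP and the set_id username, and flag sources whose tried usernames are absent from the account list. The log lines, the RFC 5737 documentation-range IPs and the KNOWN_USERS set are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format Exim writes to its main log for a
# failed AUTH (documentation-range IPs and made-up usernames, not real data).
SAMPLE_LOG = """\
2012-07-25 17:29:54 plain authenticator failed for ([192.168.0.232]) [203.0.113.10]: 535 Incorrect authentication data (set_id=toby)
2012-07-25 17:32:04 plain authenticator failed for ([192.168.0.232]) [203.0.113.10]: 535 Incorrect authentication data (set_id=tyler)
2012-07-25 17:34:15 plain authenticator failed for ([192.168.0.232]) [203.0.113.10]: 535 Incorrect authentication data (set_id=sebastian)
2012-07-25 17:35:00 no host name found for IP address 27.41.155.167
2012-07-25 17:40:12 login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2012-07-25 17:40:30 login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
"""

KNOWN_USERS = {"alice", "bob"}  # stands in for the account database lookup

# Timestamp, authenticator name, optional HELO text in parentheses, client IP
# in brackets, then the 535 reply carrying set_id=<username tried>.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ authenticator failed for "
    r"(?:\([^)]*\) )?\[(?P<ip>[^\]]+)\]: 535 .*\(set_id=(?P<user>[^)]*)\)$"
)

def parse_auth_failures(log_text):
    """Return (timestamp, client_ip, username) for every failed-AUTH line;
    other main-log lines (e.g. 'no host name found') are skipped."""
    failures = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            failures.append((m["ts"], m["ip"], m["user"]))
    return failures

def classify_sources(failures, known_users):
    """Group failures by client IP and mark an IP 'suspect' when it tried a
    username that does not exist in the account list (the post's heuristic:
    a guesser works a name list, a real user mistypes an existing account)."""
    per_ip = defaultdict(list)
    for _ts, ip, user in failures:
        per_ip[ip].append(user)
    report = {}
    for ip, users in per_ip.items():
        unknown = sorted(set(users) - known_users)
        report[ip] = {
            "attempts": len(users),
            "usernames": sorted(set(users)),
            "unknown_usernames": unknown,
            "suspect": bool(unknown),
        }
    return report
```

With the sample above, 203.0.113.10 is flagged (three unknown names) while 198.51.100.7, which only fails on the existing account alice, is not.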