Re: [exim] Authenticated User Ratelimiting

Author: Chris Wilson
Date:  
To: Grant Peel
CC: exim-users
Subject: Re: [exim] Authenticated User Ratelimiting
Hi Grant,

On Mon, 21 Oct 2013, Grant Peel wrote:

> Recent events have left us wanting to add rate limiting to our exim
> configuration.
>
> I have seen several examples in various places on the web and everything I
> can find in the exim specification, and I must say I am a little more than
> confused.
>
> All I really want to do is ratelimit everyone (locally authenticated) to
> 250/hour - as a start anyways.


This is what I use:

acl_smtp_auth = acl_check_auth

...

begin acl

...

acl_check_auth:

         defer
                 ! hosts = 217.155.111.88/29 : 82.68.244.64/29
                 ratelimit = 30 / 1h / strict / $sender_host_address
                 # delay = 30s
                 message = Too many auth attempts, slow down
                 log_message = Sender $sender_host_address AUTH rate \
                         $sender_rate/$sender_rate_period exceeds limit \
                         ($sender_rate_limit)


So in your case, you probably want "ratelimit = 250 / 1h / strict /
global" to use the same key (the word "global") for all IP addresses.

Note that this will allow a remote host to deny service to your users by
making a large number of auth attempts, and the failure mode is very
public as users' clients will show an error message when they try to
authenticate. So probably you really want "/ $sender_host_address" instead
of "/ global". You probably also want to except known IP addresses from
this "defer" statement, to keep your customers/users happy.

You may want to trial this with "warn" instead of "defer" as the verb, so
that you'll see messages in the logs if users exceed it. Combined with
"delay = 5s" you will actually succeed in slowing down cracking attempts a
lot, without ever failing an auth request.

So I recommend you start with something like this:

         warn
                 ! hosts = 217.155.111.88/29 : 82.68.244.64/29
                 ratelimit = 30 / 1h / strict / $sender_host_address
                 delay = 5s
                 # message = Too many auth attempts, slow down
                 log_message = Sender $sender_host_address AUTH rate \
                         $sender_rate/$sender_rate_period exceeds limit \
                         ($sender_rate_limit)


Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <chris+sig@???> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
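An added example, not code from Chris's post or from Exim itself: a small Python model of the ratelimit condition (an assumed, simplified reimplementation of the exponentially weighted moving average and the strict/leaky rule as the Exim specification describes them, with a new key starting at rate 0) that plays out the two points above. The addresses and the 60-attempt scenario are constructed; it shows why a shared "global" key lets one remote host's auth attempts defer an unrelated user, and why "strict" keeps a hammering client deferred until it really backs off.

```python
import math

ATTACKER = "198.51.100.23"   # constructed: remote host hammering AUTH
LEGIT = "203.0.113.5"        # constructed: an unrelated legitimate user
per_address = lambda ip: ip      # key "/ $sender_host_address"
shared = lambda ip: "global"     # key "/ global": one bucket for everyone

class EximRatelimit:
    """Simplified model of Exim's ratelimit condition (assumed reimplementation
    of the spec's algorithm, not Exim code): per-key rate is an exponentially
    weighted moving average in events per period; over the limit if rate > limit."""

    def __init__(self, limit, period_s, strict=True):
        self.limit = float(limit)      # <m> in "ratelimit = <m> / <p> / ..."
        self.period = float(period_s)  # <p> in seconds; "1h" is 3600
        self.strict = strict           # strict (always update) vs leaky
        self.state = {}                # key -> (stored_rate, last_update_time)

    def event(self, key, now):
        """Record one attempt under `key` at `now` seconds; True if over limit."""
        if key not in self.state:
            self.state[key] = (0.0, now)   # first sighting: rate starts at 0
            return False
        prev_rate, prev_time = self.state[key]
        interval = max(now - prev_time, 1e-9)
        a = math.exp(-interval / self.period)               # decay factor
        rate = prev_rate * a + (self.period / interval) * (1 - a)
        over = rate > self.limit
        # leaky: do not store the rate while over the limit, so the client
        # leaks through at about the limit rate; strict: keep counting, so the
        # client must actually back off below the limit before it recovers
        if self.strict or not over:
            self.state[key] = (rate, now)
        return over

def hammer(rl, key_for):
    """ATTACKER tries once a second for 60 s; returns how many were deferred."""
    return sum(rl.event(key_for(ATTACKER), float(t)) for t in range(60))

def collateral(key_for, strict=True):
    """(attacker attempts deferred, was LEGIT's first attempt deferred too?)"""
    rl = EximRatelimit(30, 3600, strict)        # "30 / 1h" from the post
    return hammer(rl, key_for), rl.event(key_for(LEGIT), 60.0)

def retry_after_backoff(strict, gap_s):
    """Is ATTACKER's single retry gap_s seconds after hammering still deferred?"""
    rl = EximRatelimit(30, 3600, strict)
    hammer(rl, per_address)
    return rl.event(ATTACKER, 59.0 + gap_s)
```

With per-address keys the legitimate user is untouched while the hammering host is deferred from its 32nd attempt on; with the "global" key the legitimate user's very first attempt is deferred too, and a strict-mode hammerer is still deferred after a 30-minute pause whereas a leaky-mode one is let back in.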