Re: [exim] Sending limit per day for Authenticated (LOGIN AU…

Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] Sending limit per day for Authenticated (LOGIN AUTH) users
> From: "Grant Peel"

> I was wondering if anyone who uses Lena's method below also struggles with
> the IP Being added to the blocked_IPs list multiple time due to the use
> of multiple domains on the same server?


An IP-address is added to the blocked_IPs file several times
when the attack bot uses concurrent connections.
The admin gets a bunch of email notifications about the same IP-address.
I use smtp_accept_max_per_host=3 and sometimes get 2-3 notifications.
However, several lines with the same IP-address are harmless and
practically don't affect performance. The file is small, so the OS caches
its entire content in RAM. If bunches of notifications annoy you:

TOUCH = /usr/bin/touch
begin acl
acl_check_auth:
  drop  message = authentication is allowed only once per message in order \
                  to slow down bruteforce cracking
        set acl_m_auth = ${eval10:0$acl_m_auth+1}
        condition = ${if >{$acl_m_auth}{2}}
        delay = 22s


  drop  message = blacklisted for bruteforce cracking attempt
        set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
        condition = ${if >{$acl_c_authnomail}{4}}
        continue = ${run{TOUCH $spool_directory/blocked_IPs}}
        condition = ${lookup{$sender_host_address}lsearch\
                    {$spool_directory/blocked_IPs}{0}{1}}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | $exim_path -f root WARNTO"}}


  drop  message = blacklisted for bruteforce cracking attempt
        condition = ${if >{$acl_c_authnomail}{4}}


accept

acl_check_quit:
  warn  condition = $authentication_failed
        logwrite = :reject: quit after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        ratelimit = 7 / 5m / strict / per_conn
        continue = ${run{TOUCH $spool_directory/blocked_IPs}}
        condition = ${lookup{$sender_host_address}lsearch\
                    {$spool_directory/blocked_IPs}{0}{1}}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | $exim_path -f root WARNTO"}}


acl_check_notquit:
  warn  condition = $authentication_failed
        logwrite = :reject: $smtp_notquit_reason after authentication failed: \
                            ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
        condition = ${if eq{$smtp_notquit_reason}{connection-lost}}
        ratelimit = 7 / 5m / strict / per_conn
        continue = ${run{TOUCH $spool_directory/blocked_IPs}}
        condition = ${lookup{$sender_host_address}lsearch\
                    {$spool_directory/blocked_IPs}{0}{1}}
        continue = ${run{SHELL -c "echo $sender_host_address \
           >>$spool_directory/blocked_IPs; \
           \N{\N echo Subject: $sender_host_address blocked; echo; echo \
           for bruteforce auth cracking attempt.; \
           \N}\N | $exim_path -f root WARNTO"}}
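As an added illustration (not part of Lena's post or of Exim), the following Python model shows why the blacklist step in the ACLs above can write the same address more than once and send several notifications: every SMTP connection runs in its own Exim process, so the `lsearch` check of blocked_IPs and the `echo >> blocked_IPs | exim WARNTO` step are two separate actions that can interleave between concurrent connections of the same bot. The threshold (`acl_c_authnomail > 4`), the file as an append-only line list, the connection ids and the address 192.0.2.10 are all constructed assumptions for the simulation; `dedupe` is a hypothetical helper for tidying the file, which the post says is not necessary for correctness.

```python
from collections import defaultdict

AUTH_FAIL_THRESHOLD = 4  # mirrors: condition = ${if >{$acl_c_authnomail}{4}}


class BlacklistModel:
    """Per-connection failed-AUTH counters plus the shared blocked_IPs file.

    The file is modelled as a plain list of lines because the real one is
    only ever appended to with 'echo >>' and read with lsearch."""

    def __init__(self):
        self.fails = defaultdict(int)  # acl_c_authnomail, one per connection
        self.pending = {}              # conn -> (ip, lookup result) awaiting append
        self.blocked_ips = []          # lines of $spool_directory/blocked_IPs
        self.notifications = []        # mails that would go to WARNTO

    def auth_fail(self, conn):
        """One failed AUTH on this connection; True once it exceeds the threshold."""
        self.fails[conn] += 1
        return self.fails[conn] > AUTH_FAIL_THRESHOLD

    def lookup(self, conn, ip):
        """The lsearch step: True when the address is NOT yet listed."""
        not_listed = ip not in self.blocked_ips
        self.pending[conn] = (ip, not_listed)
        return not_listed

    def append(self, conn):
        """The 'echo >> blocked_IPs; ... | exim WARNTO' step; it only runs
        when this connection's own lookup found nothing."""
        ip, not_listed = self.pending.pop(conn)
        if not_listed:
            self.blocked_ips.append(ip)
            self.notifications.append(f"Subject: {ip} blocked")


def run(events):
    """Replay (conn, ip, step) events in the given order and return
    (blocked_IPs lines, notifications). The caller chooses the interleaving."""
    model = BlacklistModel()
    for conn, ip, step in events:
        if step == "auth_fail":
            model.auth_fail(conn)
        elif step == "lookup":
            # The ACL only reaches the lookup after the threshold was crossed.
            assert model.fails[conn] > AUTH_FAIL_THRESHOLD, f"{conn}: too early"
            model.lookup(conn, ip)
        elif step == "append":
            model.append(conn)
        else:
            raise ValueError(step)
    return model.blocked_ips, model.notifications


def attack(conn, ip, failures=AUTH_FAIL_THRESHOLD + 1):
    """Enough failed AUTH attempts on one connection to trip the drop."""
    return [(conn, ip, "auth_fail")] * failures


def dedupe(lines):
    """Order-preserving removal of repeated blocked_IPs lines (hypothetical
    tidy-up; the post notes duplicates are harmless)."""
    seen, out = set(), []
    for line in lines:
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


BOT = "192.0.2.10"  # constructed sample address (TEST-NET-1)

# One connection finishes before the next starts: a single entry and mail.
SEQUENTIAL = (attack("A", BOT) + [("A", BOT, "lookup"), ("A", BOT, "append")]
              + attack("B", BOT) + [("B", BOT, "lookup"), ("B", BOT, "append")])

# Two concurrent connections: both lookups run before either append, so the
# file gets the address twice and the admin gets two notifications.
CONCURRENT = attack("A", BOT) + attack("B", BOT) + [
    ("A", BOT, "lookup"), ("B", BOT, "lookup"),
    ("A", BOT, "append"), ("B", BOT, "append"),
]

if __name__ == "__main__":
    for name, events in (("sequential", SEQUENTIAL), ("concurrent", CONCURRENT)):
        ips, mails = run(events)
        print(f"{name}: {len(ips)} line(s) in blocked_IPs, {len(mails)} mail(s)")
```

Running it shows the sequential case producing one line and one mail and the concurrent case two of each, which is the behaviour the post describes with `smtp_accept_max_per_host=3`; the later `acl_check_quit`/`acl_check_notquit` rules follow the same lookup-then-append pattern and can add the address in the same way.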