Re: [exim] Handling unadvertised AUTH

Startseite
Nachricht löschen
Nachricht beantworten
Autor: WJCarpenter
Datum:  
To: exim-users
Betreff: Re: [exim] Handling unadvertised AUTH
Do you fail2ban? (Or could you?) You can configure fail2ban to trigger
off the reject messages exim is giving in these cases. In case you are
not familiar, fail2ban can add a firewall entry to block any connections
for a specific IP address for a configurable amount of time. It won't
help if the connections you are seeing rarely come from the same IP address.

(I haven't set up a fail2ban rule for those AUTH rejections. I just
believe it can be done.)

On 04/29/2016 03:38 PM, Phillip Carroll wrote:
> Hello all,
>
> MY exim server does not support ANY net-facing logins at all, and AUTH
> is not advertised. Yet, I am getting increasing numbers of AUTH
> attempts. I am looking for the best way to block IPs that attempt
> (have attempted) AUTH.
>
> I am not concerned about site penetration because Exim automatically
> rejects all the AUTH attempts with "503 AUTH command used when not
> advertised". However, there are clients (almost all with Chinese IPs)
> that are generating AUTH attempts at a rate exceeding 10 per second,
> in blasts of several minutes. This, despite sending EHLO, to which my
> server responds with a very short list:
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
>
> (Some guys just can't accept no!)
>
> The result of all these useless attempts is log pollution and wasted
> resources at best, and perhaps something akin to DOS if it keeps
> increasing. (It started out a with an attempt by a random IP every 5
> minutes, but lately seems to worsen daily.)
>
> I suppose I could eliminate almost all of this by simply refusing
> connection to any Chinese IP based on a filter file. I copied a CIDR
> list in iplsearch acceptable format from a web site, but it contains
> 4226 entries! (http://www.okean.com/chinacidr.txt)
> However, this filter would probably be a worse resource drain than the
> current dropped connections. (Not sure how efficient exim's search of
> such a filter is)
>
> My main idea now is to refuse connection using a much smaller
> self-maintained filter file that contains a list of IPs of "known bad
> actors". Where I am stymied on that is knowing how to add entries to
> the filter file inside exim, at the time AUTH is attempted (or perhaps
> other objectionable activity). I presume a custom logging file would
> not work because it would always be open while exim is running, so
> could not be opened for filtering.
>
> Any help appreciated (including better ideas).
>
> Phil Carroll
>