Do you fail2ban? (Or could you?) You can configure fail2ban to trigger
off the reject messages exim is giving in these cases. In case you are
not familiar, fail2ban can add a firewall entry to block any connections
for a specific IP address for a configurable amount of time. It won't
help if the connections you are seeing rarely come from the same IP address.
(I haven't set up a fail2ban rule for those AUTH rejections. I just
believe it can be done.)
On 04/29/2016 03:38 PM, Phillip Carroll wrote:
> Hello all,
>
> My exim server does not support ANY net-facing logins at all, and AUTH
> is not advertised. Yet, I am getting increasing numbers of AUTH
> attempts. I am looking for the best way to block IPs that attempt
> (have attempted) AUTH.
>
> I am not concerned about site penetration because Exim automatically
> rejects all the AUTH attempts with "503 AUTH command used when not
> advertised". However, there are clients (almost all with Chinese IPs)
> that are generating AUTH attempts at a rate exceeding 10 per second,
> in blasts of several minutes. This, despite sending EHLO, to which my
> server responds with a very short list:
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
>
> (Some guys just can't accept no!)
>
> The result of all these useless attempts is log pollution and wasted
> resources at best, and perhaps something akin to DOS if it keeps
> increasing. (It started out with an attempt by a random IP every 5
> minutes, but lately seems to worsen daily.)
>
> I suppose I could eliminate almost all of this by simply refusing
> connection to any Chinese IP based on a filter file. I copied a CIDR
> list in iplsearch acceptable format from a web site, but it contains
> 4226 entries! (http://www.okean.com/chinacidr.txt)
> However, this filter would probably be a worse resource drain than the
> current dropped connections. (Not sure how efficient exim's search of
> such a filter is)
>
> My main idea now is to refuse connection using a much smaller
> self-maintained filter file that contains a list of IPs of "known bad
> actors". Where I am stymied on that is knowing how to add entries to
> the filter file inside exim, at the time AUTH is attempted (or perhaps
> other objectionable activity). I presume a custom logging file would
> not work because it would always be open while exim is running, so
> could not be opened for filtering.
>
> Any help appreciated (including better ideas).
>
> Phil Carroll
>
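The fail2ban approach suggested in the reply above, as an added example that is not part of the original thread: a small Python emulation of what a fail2ban jail does, namely a failregex matched against exim's mainlog plus maxretry/findtime counting per source address, run over constructed log lines. The log line wording is assumed to be what Exim writes for an AUTH command that was not advertised; the host names, addresses and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mainlog lines (addresses from documentation ranges).
# Format assumed: Exim's "SMTP protocol error" entry for a non-advertised AUTH.
# If log_pid is enabled there is an extra "[pid]" after the timestamp.
SAMPLE_LOG = """\
2016-04-29 15:38:01 SMTP protocol error in "AUTH LOGIN" H=(scanner) [203.0.113.7] AUTH command used when not advertised
2016-04-29 15:38:01 SMTP protocol error in "AUTH LOGIN" H=(scanner) [203.0.113.7] AUTH command used when not advertised
2016-04-29 15:38:02 SMTP protocol error in "AUTH PLAIN" H=(scanner) [203.0.113.7] AUTH command used when not advertised
2016-04-29 15:38:05 1b2c3d-000001-AB <= sender@example.org H=mail.example.org [198.51.100.9] P=esmtps S=1234
2016-04-29 15:40:00 SMTP protocol error in "AUTH LOGIN" H=(other) [192.0.2.44] AUTH command used when not advertised
"""

# The same pattern serves as a fail2ban failregex once "(?P<host>...)" is
# replaced by fail2ban's <HOST> token. H= may carry "rdns (helo) [ip]",
# "rdns [ip]" or "(helo) [ip]", so both leading parts are optional.
AUTH_REJECT = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'SMTP protocol error in "AUTH[^"]*" H=(?:\S+ )?(?:\(\S+\) )?'
    r'\[(?P<host>[^\]]+)\] AUTH command used when not advertised$')


def offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: timestamp string of the hit that would trigger a ban}.

    Mirrors a fail2ban jail: an address is banned once it has at least
    maxretry matching lines inside a sliding window of findtime seconds.
    """
    recent = defaultdict(list)   # ip -> timestamps of hits still in window
    banned = {}
    for line in log_text.splitlines():
        m = AUTH_REJECT.match(line)
        if not m:
            continue             # deliveries and other entries are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["host"]
        window = [t for t in recent[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = m["ts"]
    return banned
```

With the defaults, only the address blasting three AUTH commands within a second is reported; the single-attempt address is not, which is the trade-off the reply points out for attackers that rotate source addresses.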