Re: [exim] Handling unadvertised AUTH

Top Page
Delete this message
Reply to this message
Author: Phillip Carroll
Date:  
To: exim-users
Subject: Re: [exim] Handling unadvertised AUTH
I have an lfd filter working now.

The custom regex file on my system is at:
/usr/local/csf/bin/regex.custom.pm
(ymmv)

The code in this file:
###################
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\d{4}(\-\d{2}){2} 
\d{2}(:\d{2}){2} \[\d+\] SMTP protocol error in \"AUTH LOGIN\" 
H=.*\[(\d+\.\d+\.\d+\.\d+)\]:\d+ I=\[\d+\.\d+\.\d+\.\d+\]:(\d+) AUTH 
command used when not advertised$/))
    {
        if (checkip(\$3)) { return ("Unsolicited SMTP AUTH request 
from",$3,"mySMTPauthfail","2",$4,"3600");} else {return}
    }
# The ip is in $3
# The connected port is $4 (always 25 on my system)
###################
The regex portion is from "^" to "$", and should work with any log 
scanner using pcre matching. (I tested it initially in a regular 
expression tester that is inside a Windows dot net based IDE. I see no 
reason it should not also work with fail2ban.)


The part before "SMTP protocol" depends on the default time stamp format
in my exim main.log. A different timestamp format would require some
change to that portion of the regex. The timestamp format in my log is:
yyyy-mm-dd hh:mm:ss

The regex is also dependent on the H part of the log line always having
the host ip in square brackets. I believe this is universally true. It
will accept anything between "H=" and the opening bracket, which is
where all the HELO variations occur.

Because of other csf settings in my csf.conf, this filter always blocks
the offending ip found in a matched log line, for one hour on all ports.
The blocking occurs on the first appearance of the logged failure before
the remote host can connect again.

Unless someone has more to say, that is about it for me on this topic. :-)

Phil Carroll