Fail2ban would be a reasonable method of adding (say) 8 hour firewall
blocks when this sort of thing was seen...
* http://www.fail2ban.org/wiki/index.php/Main_Page
* https://alternativeto.net/software/fail2ban/
Nigel.
Russell King via Exim-users wrote on 25/11/2018 10:32:
> Hi,
>
> My mail server is being hit with auth attempts when the helo hasn't
> advertised the presence of authentication - for example, this
> morning for an hour:
>
> 2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (M9AIVXy9WZ) [35.231.157.15]:53324 I=[78.32.30.218]:587 AUTH command used when not advertised
> 2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (WHFIaBK) [35.231.157.15]:53620 I=[78.32.30.218]:587 AUTH command used when not advertised
> 2018-11-25 09:23:59 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (7bdz0k) [35.231.157.15]:53712 I=[78.32.30.218]:587 AUTH command used when not advertised
> ...
> 2018-11-25 10:14:59 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (RlgrRD) [35.231.157.15]:53098 I=[78.32.30.218]:587 AUTH command used when not advertised
>
> at about a rate of 2 per second. Although that's a fairly low rate,
> and doesn't cause a problem, I'd rather have a way to (e.g.) rate
> limit such hosts to stop the log file pollution.
>
> While it's possible to rate limit using exim ACLs, as there is no ACL
> for this case, there isn't a way to automatically rate limit such hosts
> except by parsing the log file (granted, it wouldn't actually be
> controlling access per se.)
>
> My current technique to deal with such people is to spot them in the
> log file, and add a blocking firewall entry when they bother me, which
> is sub-optimal as it tends to stay for a very long time, so I'd rather
> be able to have some way to rate limit such things to (eg) 1 attempt
> per hour or so, which having exim able to "do something" in this case
> beyond merely logging the fact would allow.
>
> Maybe this would be a feature request for an ACL that gets run on
> failed auth attempts, similar to the smtp notquit ACL?
>
> (Yes, I'm aware that this is a block-cracking attempt, and yes, I'm
> already using elements of Lena's implementation - but that doesn't
> cover this situation.)
>
> Thanks.
>
--
[ Nigel Metheringham --------------------------- nigel@??? ]
[ Ellipsis Intangible Cloudy Technologies ]
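An added example, not from either poster: the rule a fail2ban jail for this Exim log line would apply (a failregex plus a maxretry/findtime window), reimplemented in Python over constructed log lines so the regex and the threshold can be checked before they go into a filter. The FAILREGEX, the helo names and the TEST-NET addresses are assumptions of this example, not fail2ban's own exim filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical fail2ban-style failregex for the Exim line quoted in the thread.
# fail2ban strips the timestamp and substitutes <HOST> itself; we mimic both below.
FAILREGEX = (r'^SMTP protocol error in "AUTH \w+" H=.*?\[<HOST>\]:\d+ '
             r'I=\[\S+\]:\d+ AUTH command used when not advertised$')
TIMESTAMP = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$')
# Simplified <HOST>: a bare IPv4/IPv6 literal, which is what Exim puts in [...]
PATTERN = re.compile(FAILREGEX.replace('<HOST>', r'(?P<host>[0-9a-fA-F.:]+)'))

def match_host(line):
    """Return the offending host for a matching log line, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    f = PATTERN.match(m.group(2))
    return f.group('host') if f else None

def offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban's jail rule: ban a host once it produces `maxretry` matches
    inside a sliding `findtime` window. Returns {host: time of the ban}."""
    hits = defaultdict(list)
    banned = {}
    for line in lines:
        host = match_host(line)
        if host is None or host in banned:
            continue
        when = datetime.strptime(line[:19], '%Y-%m-%d %H:%M:%S')
        hits[host] = [t for t in hits[host] if when - t <= findtime] + [when]
        if len(hits[host]) >= maxretry:
            banned[host] = when
    return banned

# Constructed sample log (TEST-NET addresses), shaped like the lines in the thread.
def _auth_line(ts, helo, ip):
    return (f'{ts} SMTP protocol error in "AUTH LOGIN" H={helo}[{ip}]:53324 '
            f'I=[198.51.100.1]:587 AUTH command used when not advertised')

HELO = 'bot.example (abc123) '
SAMPLE_LOG = [_auth_line(f'2018-11-25 09:23:{s}', HELO, '192.0.2.10') for s in ('58', '58', '59', '59')]
SAMPLE_LOG += [_auth_line('2018-11-25 09:24:00', HELO, '192.0.2.10')] * 2
SAMPLE_LOG += [
    _auth_line('2018-11-25 09:30:00', '', '192.0.2.20'),   # single hit: no ban
    '2018-11-25 09:30:01 1gQtest-000001-AB <= alice@example.org H=mx.example.org [192.0.2.30] P=esmtps',
]
```

With the default maxretry of 5 the first host is banned at the fifth hit (09:24:00); the single-hit host and the ordinary delivery line are left alone.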