[exim] protecting privileged users from SMTP-AUTH attacks

Pàgina inicial
Delete this message
Reply to this message
Autor: Cyborg
Data:  
A: exim users
Assumpte: [exim] protecting privileged users from SMTP-AUTH attacks

Look who is trying to break into our system and how he does try it ...

2019-11-29 12:23:19 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="default\r\n"
2019-11-29 12:23:20 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="alpine\r\n"
2019-11-29 12:23:22 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="8888\r\n"
2019-11-29 12:23:23 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="7ujMko0admin\f\r\n"
2019-11-29 12:23:24 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "admin"
H=[117.4.84.45] next input="12345\r\n"
2019-11-29 12:23:25 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "telecomadmin^P"
H=[117.4.84.45] next input="telecomadmin\f\r\n"
2019-11-29 12:23:26 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="888888888\r\n"
2019-11-29 12:23:27 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="realtek\r\n"
2019-11-29 12:23:29 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="ding1234\f\r\n"
2019-11-29 12:23:30 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="444\r\n"


which brings me to a quick question: has exim any build in support to
protected privileged users like root from getting brute forced by this?

Our Loginauthenticator won't let root be a valid user, so I'm not
worried, but curios if any protection for know systems users has been
added, besides the pam build in check for UID > 1000 ( on RH systems ).
If not, take it as a Feature Request ;)

And for anyone who's LoginAuthenticator uses PAM, you may wanne rethink
your login-management.

best regards,
Marius