[exim] protecting privileged users from SMTP-AUTH attacks

Author: Cyborg
To: exim users
Subject: [exim] protecting privileged users from SMTP-AUTH attacks

Look who is trying to break into our system and how he tries it ...

2019-11-29 12:23:19 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="default\r\n"
2019-11-29 12:23:20 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="alpine\r\n"
2019-11-29 12:23:22 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="8888\r\n"
2019-11-29 12:23:23 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="7ujMko0admin\f\r\n"
2019-11-29 12:23:24 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "admin"
H=[117.4.84.45] next input="12345\r\n"
2019-11-29 12:23:25 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "telecomadmin^P"
H=[117.4.84.45] next input="telecomadmin\f\r\n"
2019-11-29 12:23:26 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="888888888\r\n"
2019-11-29 12:23:27 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="realtek\r\n"
2019-11-29 12:23:29 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="ding1234\f\r\n"
2019-11-29 12:23:30 SMTP protocol synchronization error (next input sent
too soon: pipelining was not advertised): rejected "root"
H=[117.4.84.45] next input="444\r\n"


which brings me to a quick question: does exim have any built-in support to
protect privileged users like root from being brute-forced like this?

Our login authenticator won't let root be a valid user, so I'm not
worried, but curious whether any protection for known system users has been
added, besides the built-in PAM check for UID > 1000 (on RH systems).
If not, take it as a feature request ;)

And for anyone whose login authenticator uses PAM, you may want to rethink
your login management.

best regards,
Marius
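As an added example (not from the post and not Exim's own code): a small Python parser for mainlog entries of the kind quoted above. It extracts the client address and the input Exim rejected, strips Exim's control-character escapes, and counts per host how often a privileged account name was tried, so the pattern can be spotted and handed to whatever rate limiting or blocking is in place. The privileged-name list and the sample log lines are constructed assumptions in that log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the exim mainlog lines quoted above.
# Exim logs each entry on one line and escapes control characters as \r, \f, ^P ...
SAMPLE_LOG = r'''
2019-11-29 12:23:19 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[117.4.84.45] next input="default\r\n"
2019-11-29 12:23:23 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "root" H=[117.4.84.45] next input="7ujMko0admin\f\r\n"
2019-11-29 12:23:24 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "admin" H=[117.4.84.45] next input="12345\r\n"
2019-11-29 12:23:25 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "telecomadmin^P" H=[117.4.84.45] next input="telecomadmin\f\r\n"
2019-11-29 12:24:01 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "alice" H=[198.51.100.7] next input="hunter2\r\n"
'''

SYNC_ERR_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP protocol synchronization error '
    r'\(next input sent too soon: pipelining was not advertised\): '
    r'rejected "(?P<rejected>[^"]*)" H=\[(?P<ip>[^\]]+)\] next input="(?P<next>[^"]*)"$'
)

# Assumed list: system and device-default accounts that should never log in over SMTP.
PRIVILEGED = {"root", "admin", "telecomadmin"}


def strip_escapes(s):
    """Drop exim's trailing control-character escapes (^P, \\f, \\r, \\n)."""
    return re.sub(r'(\^.|\\[a-z])+$', '', s)


def parse_sync_errors(log_text):
    """Return (timestamp, client_ip, rejected_input, next_input) for each matching line."""
    events = []
    for line in log_text.splitlines():
        m = SYNC_ERR_RE.match(line)
        if m:
            events.append((m['ts'], m['ip'], strip_escapes(m['rejected']),
                           strip_escapes(m['next'])))
    return events


def privileged_attempts(events, privileged=PRIVILEGED):
    """Map client IP -> Counter of privileged account names it sent ahead of the prompt."""
    per_host = defaultdict(Counter)
    for _ts, ip, rejected, _next in events:
        if rejected in privileged:
            per_host[ip][rejected] += 1
    return per_host


def hosts_over_threshold(per_host, threshold=3):
    """Client IPs whose privileged-name attempts reach the threshold (candidates to rate-limit)."""
    return sorted(ip for ip, c in per_host.items() if sum(c.values()) >= threshold)
```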