Re: [exim] drop connection on auth failure

Author: Julian Bradfield
Date:
To: exim-users
Subject: Re: [exim] drop connection on auth failure
On 2022-07-15, Slavko via Exim-users <exim-users@???> wrote:
> To OP: I do not suggest using such aggressive bans at all, as a lot
> of hosts try only once and then go away, thus banning them is only
> resource wasting...


Not my experience. A large number of hosts try every hour or two -
presumably they're part of a distributed net working its way through
possible credentials. (Why they think any of these addresses might
exist, I do not know - most of them don't.)
By implementing a 10-day ban for any auth failure, the number of
attempts per day drops by a factor of 5 to 8.

> You can use AUTH attempt counting in the AUTH ACL and then do something with
> this value, e.g. (I do not drop this way, thus only an idea):
>
>   warn      set acl_c_authcnt = ${eval10:$acl_c_authcnt+1}

>
>   drop      condition       = ${if >{$acl_c_authcnt}{1}}
>             condition       = $authentication_failed
>             logwrite        = H=$sender_fullhost LAST FAILed: \
>                               $authenticated_fail_id


That only works on multiple AUTHs in the same session, doesn't it?

> I recently discovered (OK, I upgraded it) fail2ban's bantime auto
> increment, which I see as very useful for banning these toxics and to
> deal with false positives relatively acceptably with a short initial
> bantime:


Interesting, thanks. I don't know whether that's on my system (I
cannot be bothered with custom installations these days), but I'll
check.
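
Added illustration, not part of the original message and not code from Exim or fail2ban: a small Python replay of Exim-style "authenticator failed" log lines that keeps ban state per IP across connections, which a per-connection ACL counter cannot do, and compares a fixed ban with a ban time that grows on each repeat. The log lines are constructed samples using documentation addresses, and the doubling rule is an assumed simplification, not fail2ban's actual formula.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Exim main-log style (documentation IP ranges).
SAMPLE_LOG = """\
2022-07-01 02:00:00 plain authenticator failed for (host) [192.0.2.10]: 535 Incorrect authentication data (set_id=info)
2022-07-01 04:00:00 plain authenticator failed for (host) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)
2022-07-01 05:00:00 plain authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)
2022-07-12 03:00:00 plain authenticator failed for (host) [192.0.2.10]: 535 Incorrect authentication data (set_id=sales)
2022-07-12 05:00:00 plain authenticator failed for (host) [192.0.2.10]: 535 Incorrect authentication data (set_id=root)
"""

# Timestamp, then the first bracketed IPv4/IPv6 address after "authenticator failed for".
FAIL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for .*?"
    r"\[([0-9a-fA-F.:]+)\]")


def simulate(log_text, base_ban=timedelta(days=10), increment=False):
    """Replay failures in log order.

    Returns (reached, blocked, ban_count): attempts that reached the server,
    attempts that fell inside an active ban, and bans issued per IP.
    With increment=True each repeat ban doubles (assumed rule, see lead-in).
    """
    banned_until = {}  # ip -> time the current ban expires
    ban_count = {}     # ip -> number of bans issued so far
    reached = blocked = 0
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            blocked += 1  # a firewall ban would have stopped this attempt
            continue
        reached += 1
        n = ban_count.get(ip, 0)
        length = base_ban * (2 ** n) if increment else base_ban
        banned_until[ip] = ts + length
        ban_count[ip] = n + 1
    return reached, blocked, ban_count


if __name__ == "__main__":
    print("fixed 10d:", simulate(SAMPLE_LOG))
    print("fixed 1h: ", simulate(SAMPLE_LOG, timedelta(hours=1)))
    print("1h doubling:", simulate(SAMPLE_LOG, timedelta(hours=1), increment=True))
```
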