 | Start a set with this search |
 | Include this search in one of my sets |
 | Exclude this search from one of my sets |
 | Permalink to these results Paste this link in email or IM: |
 | Atom feed for tracking future search results Paste this URL into your reader: |
9 messages in net.sourceforge.lists.courier-users[courier-users] Same problem with cou...| From | Sent On | Attachments |
|---|---|---|
| Michelle Konzack | Sep 28, 2007 2:46 am | |
| Sam Varshavchik | Sep 28, 2007 4:05 am | |
| João Vale | Sep 28, 2007 4:23 am | |
| Michelle Konzack | Sep 28, 2007 5:54 am | |
| Jeff Jansen | Sep 28, 2007 7:09 am | |
| Michelle Konzack | Sep 28, 2007 7:49 am | |
| Jeff Jansen | Sep 28, 2007 8:33 am | |
| Gordon Messmer | Sep 28, 2007 11:19 am | |
| Tim Lyth | Sep 28, 2007 7:17 pm |
| Permalink for this message Paste this link in email or IM: |
| Permalink for this thread Paste this link in email or IM: |
| Atom feed for this thread Paste this URL into your reader: |
| Subject: | [courier-users] Same problem with courier-mta as with exim [FW by XXXX@XXXXX.XXX : Re: Dictionary spamming ?] | Actions... |
|---|---|---|
| From: | Michelle Konzack (linu...@freenet.de) | |
| Date: | Sep 28, 2007 2:46:08 am | |
| List: | net.sourceforge.lists.courier-users | |
Since arround one week I have very heavy Dictionary attacs (over 300000 per day from more then 7000 different IP's) on my courier-mta which servs for 17.000 users in the french gov.
On the <exim-user> list they used the following to stop it.
But how can I do this with <courier-mta>?
I like to reduce the faild connection per IP to 10 per hour and I think, this is enough to will heavy slow down the hack attempts...
Thanks, Greetings and nice Day Michelle Konzack Systemadministrator Tamay Dogan Network Debian GNU/Linux Consultant
----- Forwarded message from Dean Brooks <XX...@XXXXX.XXX> -----
Date: Wed, 26 Sep 2007 21:17:03 -0400 From: Dean Brooks <XX...@XXXXX.XXX> To: exim...@exim.org Subject: Re: Dictionary spamming ? X-TDMailSerialnumber: 7791539
On Thu, Sep 27, 2007 at 09:39:14AM +1000, Ted Cooper wrote:
Phil (Medway Hosting) wrote:
I am getting a lot of entries like these in my logs over the last few days:
2007-09-23 05:00:08 fixed_login authenticator failed for (windows)
[64.62.22.218]:8204 I=[84.40.17.13]:25: 535 Incorrect authentication data
(set_id=maxwell)
I've had a few of these too. I believe it's just a bot attempting an automated attack as I've had them on try on sequential IP addresses. They are usually also on zen.spamhaus.org. Pretty sure the aim is to find correct login details so they can use your servers to spam the crap out of everyone. Creating something in the smtp_auth_acl to temporarily firewall these computers is on my TODO list.
I dealt with this exact situation recently. I have a ratelimit implementation (below) that automatically begins dropping connections to sites that repeatedly fail authentications.
It does require use of the quit and notquit ACL sections since the auth ACL section apears to run prior to authentication, not after. You also can't drop in the mail/rcpt/data ACLs since the session will likely end after the failed auth attempt. Hence, the quit and notquit ACLs are necessary.
In my "connect" ACL:
drop log_message = RATELIMIT BADAUTH: $sender_rate / $sender_rate_period message = Too many failed authentication attempts ratelimit = 50 / 2h / noupdate / badauth:$sender_host_address delay = 10s
In both the "quit" and "notquit" ACLs:
accept condition = ${if eq{$authentication_failed}{1}} ratelimit = 50 / 2h / badauth:$sender_host_address
Obviously you can change the "50 / 2h" to any other period you want. Just make sure all three acl entries use the same values. The quit and notquit ACL entries are *both* needed since you don't know whether or not the session will be terminated gracefully by the sender or not.
The only thing to watch out for here is locking on the ratelimit database. Every single connection will require an open and lock of the ratelimit database. If you have your db directory on ramdisk, or if you have a low volume server, you should be fine though. To be honest, I haven't noticed much of a problem even on a high volume server with db on regular disks though.
Critiques or alternatives are welcomed.
-- Dean Brooks de...@iglou.com
-- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
----- End forwarded message -----
-- Linux-User #280138 with the Linux Counter, http://counter.li.org/ ##################### Debian GNU/Linux Consultant ##################### Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSN LinuxMichi 0033/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)