Jan Ingvoldstad writes:

> On Sun, Mar 1, 2015 at 3:42 PM, Alessandro Vesely <[email protected]> wrote:
>
>> The complete list of IP addresses would do. You cannot tell whether the password, the userid, or both were wrong. IME, intrusion attempts --where both tokens are being guessed-- are somewhat more frequent than honest mistyping, but discerning which is which is not always obvious, and needs human judgment.
>
> There are numerous reasons why a customer might be interested in this data, and why we should provide either that, or at least the name of the ISP and/or geolocation of the IP address.
>
> I find this constant "you don't need this information" kind of response extremely frustrating.
I find the existing logging to be sufficient.

Mar 2 08:23:53 shorty courieresmtpd: started,ip=[::ffff:123.186.104.174]
Mar 2 08:23:53 shorty courieresmtpd: error,relay=::ffff:123.186.104.174,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:54 shorty courieresmtpd: started,ip=[::ffff:123.186.104.174]
Mar 2 08:23:55 shorty courieresmtpd: error,relay=::ffff:123.186.104.174,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:56 shorty courieresmtpd: started,ip=[::ffff:123.186.104.174]
Mar 2 08:23:56 shorty courieresmtpd: error,relay=::ffff:123.186.104.174,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:57 shorty courieresmtpd: started,ip=[::ffff:123.186.104.174]
Mar 2 08:23:58 shorty courieresmtpd: error,relay=::ffff:123.186.104.174,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:58 shorty courieresmtpd: started,ip=[::ffff:123.186.104.174]
Mar 2 08:23:59 shorty courieresmtpd: error,relay=::ffff:123.186.104.174,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:59 shorty courieresmtpd: Maximum connection limit reached for ::ffff:123.186.104.174
Mar 2 08:24:00 shorty courieresmtpd: Maximum connection limit reached for ::ffff:123.186.104.174
Mar 2 08:24:00 shorty courieresmtpd: Maximum connection limit reached for ::ffff:123.186.104.174

That's pretty much all the information one needs. Past this point, the existing rate limiting kicks in, slowing things down to, on average, 1-2 log entries per second. Quite manageable.
Here's a naive question. Do you even have smtp authentication enabled here? If you have smtp authentication enabled on port 587 only, and not on port 25, and this is what you're seeing, the attacker is trying port 25; as was my situation this morning – which I haven't even noticed, since the rate limiting throttles this effectively. I log dictionary attacks on my server almost daily, and it's pretty much a non-event.
When smtp authentication is not even turned on, Courier rejects the AUTH LOGIN message immediately. Things don't even get to the point where the sender transmits a login ID and password.
Courier should include the login userid, in a failed authentication attempt, together with an IP address. git shows that this was added in September of 2013, so this should be the case as of 0.73; if you're running an older version, update to the current one.
Now, if someone's password was cracked, and the attacker successfully authenticated, there'll be plenty of stuff in maillog+mail queue+headers, to identify the guilty party.
But in general, the best way to avoid dictionary attacks is to simply use a different IP address for your customer's mail server configuration, and don't use the same IP address as your publicly facing MX. Turn off smtp authentication, and forget about it. If you do have only one IP address, use port 587. Most attacks target port 25.
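As an added example (not from this thread and not Courier's own code), a small Python script that reads courieresmtpd log lines in the format quoted above, counts the "535 Authentication rejected" entries per source address, and flags addresses that produced a burst of failures or that hit the connection limit. The sample log text and its RFC 5737 documentation addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the courieresmtpd format quoted in the thread
# (addresses are RFC 5737 documentation ranges, not the ones from the post).
SAMPLE_LOG = """\
Mar 2 08:23:53 shorty courieresmtpd: started,ip=[::ffff:203.0.113.7]
Mar 2 08:23:53 shorty courieresmtpd: error,relay=::ffff:203.0.113.7,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:54 shorty courieresmtpd: started,ip=[::ffff:203.0.113.7]
Mar 2 08:23:55 shorty courieresmtpd: error,relay=::ffff:203.0.113.7,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:56 shorty courieresmtpd: error,relay=::ffff:203.0.113.7,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:58 shorty courieresmtpd: error,relay=::ffff:203.0.113.7,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:59 shorty courieresmtpd: error,relay=::ffff:203.0.113.7,msg="535 Authentication rejected",cmd: AUTH LOGIN
Mar 2 08:23:59 shorty courieresmtpd: Maximum connection limit reached for ::ffff:203.0.113.7
Mar 2 09:10:02 shorty courieresmtpd: error,relay=::ffff:198.51.100.20,msg="535 Authentication rejected",cmd: AUTH LOGIN
"""

# Syslog timestamp, host, then the AUTH failure record; the IPv4-mapped
# "::ffff:" prefix is stripped so v4 and mapped-v4 entries aggregate together.
AUTH_FAIL = re.compile(
    r'^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ courieresmtpd: '
    r'error,relay=(?:::ffff:)?\s*(?P<ip>[0-9A-Fa-f.:]+),msg="535 Authentication rejected"'
)
CONN_LIMIT = re.compile(r'Maximum connection limit reached for (?:::ffff:)?(?P<ip>[0-9A-Fa-f.:]+)$')


def summarize(log_text, threshold=5, window_seconds=60, year=2015):
    """Per source IP: failure count, whether Courier's connection limit fired,
    and whether >= threshold failures fell inside any window_seconds span."""
    failures = defaultdict(list)
    throttled = set()
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)
            continue
        m = CONN_LIMIT.search(line)
        if m:
            throttled.add(m["ip"])
    result = {}
    for ip, times in failures.items():
        times.sort()
        burst = any((times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
                    for i in range(len(times) - threshold + 1))
        result[ip] = {"failures": len(times), "throttled": ip in throttled, "burst": burst}
    return result
```

Run against a real maillog the same function shows at a glance which addresses are guessing rather than mistyping, and whether the built-in connection limit already caught them.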
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
