You may discover some networks that are malicious (shadow nets).
I maintain a list of these:
https://github.com/szepeviktor/debian-server-tools/tree/master/security/myattackers-ipsets
Use the shell scripts provided, and take a look at the iptables rule
counters weekly so you know how successful they are.
Chain myattackers-ipset (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spidernet src reject-with icmp-port-unreachable
  240 12305 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set sks-lugan src reject-with icmp-port-unreachable
  249 11847 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set shodan-io src reject-with icmp-port-unreachable
  105  4280 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set security-scorecard src reject-with icmp-port-unreachable
    1    40 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mirtelematiki src reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set lu-root src reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set leonlundberg src reject-with icmp-port-unreachable
    3   120 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set hostkey src reject-with icmp-port-unreachable
   13   672 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ering.pl src reject-with icmp-port-unreachable
   17   680 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set elan.pl src reject-with icmp-port-unreachable
 1002 40883 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ecatel src reject-with icmp-port-unreachable
4657K 1595M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
For example, ecatel could have made 1002 Courier authentication attacks
without these rules.
Quoting Alexei Batyr' <[email protected]>:
> Gordon Messmer writes:
>
>> Authentication over plain text is only allowed if ESMTPAUTH is set in
>> etc/courier/esmtpd. To maintain password security, that setting should
>> be empty. Instead, use ESMTPAUTH_TLS to enable authentication only
>> after TLS is initialized.
>
> Unfortunately spammers/phishers et al. have already mastered SSL and STARTTLS and
> successfully use them in brute force and other attacks.
>
>> I wrote earlier that protecting authentication with encryption would
>> leave you with only tools like fail2ban. I should have mentioned that
>> the other good option is using an authentication backend that'll lock
>> accounts temporarily when there are repeated auth failures.
>
> Account locking seems not a good idea: an attacker could easily and quickly
> block all user accounts known to him on a particular server. Fail2ban blocks
> the attacker's IPs instead, leaving the legitimate user access to his mail.
> Probably a better solution would be similar blocking at the MTA level, without
> log parsing and firing firewall rules.
>
> Just FYI: the fail2ban block list of my relatively small mail server (approx.
> 350 users) now contains more than 1500 IPs. An additional advantage is reduced
> overall load on the server, because blocked botnet members no longer make
> continuous connections to the MTA.
>
> --
> Alexei.
>
> ------------------------------------------------------------------------------
> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
> Francisco, CA to explore cutting-edge tech and listen to tech luminaries
> present their vision of the future. This family event has something for
> everyone, including kids. Get more information and register today.
> http://sdm.link/attshape
> _______________________________________________
> courier-users mailing list
> [email protected]
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
SZÉPE Viktor
--
+36-20-4242498 [email protected] skype: szepe.viktor
Budapest, III. kerület
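The weekly counter review suggested at the top of this message can be automated. The script below is an added example, not part of the myattackers-ipsets repository or of this thread: it parses the `iptables -nvL myattackers-ipset` output quoted above (embedded here as constructed sample text with the same counters), expands the K/M/G suffixes that `-v` uses for large counters (base 1000, rounded, as iptables prints them; use `iptables -nvxL` for exact values), ranks the ipsets by packets rejected, and lists sets that have not matched anything. The function names (`parse_counter`, `parse_ipset_counters`, `weekly_report`, `unused_sets`) are this example's own.

```python
import re
import subprocess
import sys

# Constructed sample: the chain listing quoted in the message above, in the
# column layout that `iptables -nvL` prints.
SAMPLE_OUTPUT = """\
Chain myattackers-ipset (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spidernet src reject-with icmp-port-unreachable
  240 12305 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set sks-lugan src reject-with icmp-port-unreachable
  249 11847 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set shodan-io src reject-with icmp-port-unreachable
  105  4280 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set security-scorecard src reject-with icmp-port-unreachable
    1    40 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mirtelematiki src reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set lu-root src reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set leonlundberg src reject-with icmp-port-unreachable
    3   120 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set hostkey src reject-with icmp-port-unreachable
   13   672 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ering.pl src reject-with icmp-port-unreachable
   17   680 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set elan.pl src reject-with icmp-port-unreachable
 1002 40883 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ecatel src reject-with icmp-port-unreachable
4657K 1595M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# iptables -v abbreviates counters above 99999 with a base-1000 suffix.
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

# First three columns are pkts, bytes, target; the set name follows "match-set".
_RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+.*?\bmatch-set\s+(\S+)\s+src\b")


def parse_counter(token):
    """Turn '1002', '4657K' or '1595M' into an integer (rounded, as printed)."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_ipset_counters(output):
    """Return {set_name: (packets, bytes)} for every match-set rule in the chain.

    The header line and the trailing RETURN rule carry no 'match-set', so they
    are skipped automatically.
    """
    counters = {}
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if m:
            pkts, byts, _target, name = m.groups()
            counters[name] = (parse_counter(pkts), parse_counter(byts))
    return counters


def weekly_report(counters):
    """Sets ordered by packets rejected, busiest first; ties broken by name."""
    return sorted(counters.items(), key=lambda kv: (-kv[1][0], kv[0]))


def unused_sets(counters):
    """Sets that rejected nothing: candidates to re-check before keeping them."""
    return sorted(name for name, (pkts, _) in counters.items() if pkts == 0)


def read_live_chain(chain="myattackers-ipset"):
    """Read the live counters (needs root); -x gives exact, unabbreviated numbers."""
    return subprocess.check_output(["iptables", "-nvxL", chain], text=True)


if __name__ == "__main__":
    # Use the live chain when asked for, otherwise the constructed sample.
    text = read_live_chain() if "--live" in sys.argv else SAMPLE_OUTPUT
    stats = parse_ipset_counters(text)
    for name, (pkts, byts) in weekly_report(stats):
        print(f"{pkts:>10} pkts {byts:>12} bytes  {name}")
    print("no hits this period:", ", ".join(unused_sets(stats)) or "none")
```

Run it with no arguments to see the sample ranking (ecatel first with 1002 packets), or with `--live` on the server to read the real chain; the RETURN line's aggregate counters are deliberately ignored because they measure traffic that passed, not traffic that was rejected.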