Since around one week I have very heavy dictionary attacks (over 300000 per day from more than 7000 different IPs) on my courier-mta, which serves 17.000 users in the French gov.

On the <exim-user> list they used the following to stop it. But how can I do this with <courier-mta>? I would like to reduce the failed connections per IP to 10 per hour and I think this is enough to heavily slow down the hack attempts...

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

----- Forwarded message from Dean Brooks <[EMAIL PROTECTED]> -----

Date: Wed, 26 Sep 2007 21:17:03 -0400
From: Dean Brooks <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Dictionary spamming ?
X-TDMailSerialnumber: 7791539

On Thu, Sep 27, 2007 at 09:39:14AM +1000, Ted Cooper wrote:
> Phil (Medway Hosting) wrote:
> > I am getting a lot of entries like these in my logs over the last few days:
> >
> > 2007-09-23 05:00:08 fixed_login authenticator failed for (windows)
> > [64.62.22.218]:8204 I=[84.40.17.13]:25: 535 Incorrect authentication data
> > (set_id=maxwell)
>
> I've had a few of these too. I believe it's just a bot attempting an
> automated attack as I've had them try on sequential IP addresses.
> They are usually also on zen.spamhaus.org. Pretty sure the aim is to
> find correct login details so they can use your servers to spam the crap
> out of everyone. Creating something in the smtp_auth_acl to temporarily
> firewall these computers is on my TODO list.

I dealt with this exact situation recently. I have a ratelimit implementation (below) that automatically begins dropping connections to sites that repeatedly fail authentications.

It does require use of the quit and notquit ACL sections, since the auth ACL section appears to run prior to authentication, not after. You also can't drop in the mail/rcpt/data ACLs, since the session will likely end after the failed auth attempt. Hence, the quit and notquit ACLs are necessary.

In my "connect" ACL:

    drop
      log_message = RATELIMIT BADAUTH: $sender_rate / $sender_rate_period
      message = Too many failed authentication attempts
      ratelimit = 50 / 2h / noupdate / badauth:$sender_host_address
      delay = 10s

In both the "quit" and "notquit" ACLs:

    accept
      condition = ${if eq{$authentication_failed}{1}}
      ratelimit = 50 / 2h / badauth:$sender_host_address

Obviously you can change the "50 / 2h" to any other period you want. Just make sure all three ACL entries use the same values.

The quit and notquit ACL entries are *both* needed, since you don't know whether or not the session will be terminated gracefully by the sender.

The only thing to watch out for here is locking on the ratelimit database. Every single connection will require an open and lock of the ratelimit database. If you have your db directory on ramdisk, or if you have a low volume server, you should be fine though. To be honest, I haven't noticed much of a problem even on a high volume server with db on regular disks though.

Critiques or alternatives are welcomed.

--
Dean Brooks
[EMAIL PROTECTED]

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

----- End forwarded message -----

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)
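The forwarded Exim recipe keys a per-client-IP counter of failed authentications (the "badauth:$sender_host_address" ratelimit, updated from the quit/notquit ACLs and tested in the connect ACL). The following is an added example, not code from this thread or from either MTA: it implements the same sliding-window logic as a log replay, parsing auth-failure lines in the shape Phil quoted and reporting which client IPs reached the threshold, so it can be run against an existing log to size the limit before configuring it, or fed to a firewall script by whoever has no ACL hook available. It defaults to Michelle's 10 failures per hour and can be run with Dean's 50 / 2h. The regex, the class and function names, the RFC 5737 documentation addresses and every sample log line are my own constructions (the server address 198.51.100.1 and the message id in the unrelated line are placeholders).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Exim main-log line quoted in the thread; only the timestamp and the
# client address in the first [...] are needed.  The regex is my own (assumption).
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for .*?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)


def parse_auth_failure(line):
    """Return (timestamp, client_ip) for an auth-failure line, else None."""
    m = AUTH_FAIL_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


class BadAuthRateLimiter:
    """Per-IP sliding window: at most `limit` failures within `period_seconds`.

    Same idea as the 'badauth:$sender_host_address' ratelimit key in the ACLs
    above, but kept in memory instead of the ratelimit database.
    """

    def __init__(self, limit, period_seconds):
        self.limit = limit
        self.period = timedelta(seconds=period_seconds)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _trim(self, q, now):
        # Drop failures that have aged out of the window.
        while q and now - q[0] > self.period:
            q.popleft()

    def record(self, ip, when):
        """Register one failure for `ip` (what the quit/notquit ACLs do)."""
        q = self.failures[ip]
        q.append(when)
        self._trim(q, when)
        return len(q)

    def is_blocked(self, ip, now):
        """True once `ip` has reached the limit (what the connect ACL 'drop' tests)."""
        q = self.failures.get(ip)
        if not q:
            return False
        self._trim(q, now)
        return len(q) >= self.limit


def offending_ips(lines, limit=10, period_seconds=3600):
    """Replay log lines; return {ip: time it first reached `limit` in the window}."""
    limiter = BadAuthRateLimiter(limit, period_seconds)
    flagged = {}
    for line in lines:
        parsed = parse_auth_failure(line)
        if parsed is None:
            continue  # not an auth failure, e.g. a normal message-arrival line
        ts, ip = parsed
        if limiter.record(ip, ts) >= limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def make_line(ts, ip, user):
    # Constructed sample in the shape of the log line quoted in the thread;
    # 198.51.100.1 stands in for the server's own interface address.
    return (f"{ts:%Y-%m-%d %H:%M:%S} fixed_login authenticator failed for (windows) "
            f"[{ip}]:8204 I=[198.51.100.1]:25: 535 Incorrect authentication data "
            f"(set_id={user})")


# Constructed sample log (RFC 5737 documentation addresses):
#   192.0.2.10   - 10 failures three minutes apart  -> bursty, should be flagged
#   198.51.100.7 - 10 failures twenty minutes apart -> never 10 within one hour
#   203.0.113.5  - 2 failures                       -> well under any limit
_T0 = datetime(2007, 9, 23, 5, 0, 0)
SAMPLE_LOG = sorted(
    [make_line(_T0 + timedelta(minutes=3 * i), "192.0.2.10", "maxwell") for i in range(10)]
    + [make_line(_T0 + timedelta(minutes=20 * i), "198.51.100.7", "admin") for i in range(10)]
    + [make_line(_T0 + timedelta(minutes=5 * i), "203.0.113.5", "test") for i in range(2)]
    # an unrelated, constructed message-arrival line the parser must ignore
    + ["2007-09-23 05:01:00 1IZabc-000123-AB <= user@example.org H=(mail) [203.0.113.9] P=esmtp S=1234"]
)

if __name__ == "__main__":
    for ip, when in sorted(offending_ips(SAMPLE_LOG).items()):
        print(f"{ip} reached 10 failed auths within an hour at {when}")
```

With the default 10 / 1h only the bursty client is reported; with a wider window such as offending_ips(SAMPLE_LOG, limit=5, period_seconds=7200) the slow client crosses the line too, which is the trade-off Dean's "change the 50 / 2h" remark leaves to the administrator. Note that, like the ACL version, the window slides per failure rather than resetting on a fixed clock, so a client cannot reset its count by pausing briefly.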
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users