Since around one week I have very heavy dictionary attacks (over 300000
per day from more than 7000 different IPs) on my courier-mta which
serves 17,000 users in the French gov.

On the <exim-user> list they used the following to stop it.

But how can I do this with <courier-mta>?

I would like to reduce the failed connections per IP to 10 per hour and I think
this is enough to heavily slow down the hack attempts...

Thanks, Greetings and nice Day
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant



----- Forwarded message from Dean Brooks <[EMAIL PROTECTED]> -----

Date: Wed, 26 Sep 2007 21:17:03 -0400
From: Dean Brooks <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Dictionary spamming ?
X-TDMailSerialnumber: 7791539

On Thu, Sep 27, 2007 at 09:39:14AM +1000, Ted Cooper wrote:
> Phil (Medway Hosting) wrote:
> > I am getting a lot of entries like these in my logs over the last few days:
> > 
> > 2007-09-23 05:00:08 fixed_login authenticator failed for (windows) 
> > [64.62.22.218]:8204 I=[84.40.17.13]:25: 535 Incorrect authentication data 
> > (set_id=maxwell)
>
> I've had a few of these too. I believe it's just a bot attempting an
> automated attack as I've had them on try on sequential IP addresses.
> They are usually also on zen.spamhaus.org. Pretty sure the aim is to
> find correct login details so they can use your servers to spam the crap
> out of everyone. Creating something in the smtp_auth_acl to temporarily
> firewall these computers is on my TODO list.

I dealt with this exact situation recently.  I have a ratelimit
implementation (below) that automatically begins dropping connections
to sites that repeatedly fail authentications.

It does require use of the quit and notquit ACL sections since the
auth ACL section appears to run prior to authentication, not after.
You also can't drop in the mail/rcpt/data ACLs since the session will
likely end after the failed auth attempt.  Hence, the quit and notquit
ACLs are necessary.

In my "connect" ACL:

    drop
      log_message = RATELIMIT BADAUTH: $sender_rate / $sender_rate_period
      message     = Too many failed authentication attempts
      ratelimit   = 50 / 2h / noupdate / badauth:$sender_host_address
      delay = 10s

In both the "quit" and "notquit" ACLs:

    accept
      condition = ${if eq{$authentication_failed}{1}}
      ratelimit = 50 / 2h / badauth:$sender_host_address

Obviously you can change the "50 / 2h" to any other period you want.
Just make sure all three ACL entries use the same values. The quit and
notquit ACL entries are *both* needed since you don't know whether or
not the session will be terminated gracefully by the sender.

The only thing to watch out for here is locking on the ratelimit database.
Every single connection will require an open and lock of the ratelimit
database.  If you have your db directory on ramdisk, or if you have a
low volume server, you should be fine though.  To be honest, I haven't
noticed much of a problem even on a high volume server with db on
regular disks though.

Critiques or alternatives are welcomed.

--
Dean Brooks
[EMAIL PROTECTED]

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


----- End forwarded message -----


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSN LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)
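The "50 / 2h per client IP" bookkeeping that Dean's ratelimit ACLs do inside Exim, written out as a stand-alone log checker so it can be tried offline against either MTA's logs. This is an added example, not code from the thread or from Exim or Courier; it parses the "authenticator failed" line format Phil quoted above, the sample log is constructed (not real traffic), and the default of 10 failures per hour follows Michelle's stated target rather than Dean's 50 / 2h.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Exim "authenticator failed" log line quoted by Phil above.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed "
    r"for .*?\[(?P<ip>[0-9.]+)\]:\d+ .*?535 "
)

def failed_auth_events(lines):
    """Yield (timestamp, client_ip) for every failed-auth line, skipping the rest."""
    for line in lines:
        m = FAILED_AUTH.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

def offenders(lines, limit=10, period=timedelta(hours=1)):
    """Map each client IP that exceeds `limit` failures inside any sliding
    window of length `period` to the time it first crossed the limit.
    Lines are expected in chronological order, as in a real log file."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for ts, ip in failed_auth_events(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > period:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

# --- constructed sample log (not real traffic) -------------------------------
def _line(ts, ip, user):
    return (f"{ts:%Y-%m-%d %H:%M:%S} fixed_login authenticator failed for (windows) "
            f"[{ip}]:8204 I=[84.40.17.13]:25: 535 Incorrect authentication data "
            f"(set_id={user})")

_base = datetime(2007, 9, 23, 5, 0, 8)
_events = [(_base + timedelta(minutes=2 * i), "64.62.22.218") for i in range(12)]  # burst
_events += [(_base + timedelta(minutes=20 * i), "192.0.2.7") for i in range(12)]  # slow
SAMPLE_LOG = [_line(ts, ip, "maxwell") for ts, ip in sorted(_events)]
SAMPLE_LOG.insert(1, "2007-09-23 05:00:09 SMTP connection from [192.0.2.7] lost")  # unrelated

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{when}  {ip} exceeded 10 failed auths within 1h")
```

The slow client (one failure every 20 minutes) never holds more than four entries in its one-hour window and is not flagged, which is the same behaviour Dean's ratelimit gives a host that stays under the rate.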


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
