For a while now our server has been seeing a lot of brute force 
authentication attacks.  Of course the source of these attacks is 
constantly changing.  My firewall (pfSense) is running Snort and I am 
using the following custom rules to help.

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute force attack"; content:"535 Authentication failed."; nocase; classtype:attempted-user; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000500; rev:6;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR potential spam or malware bot"; content:"502 ESMTP command error"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000501; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS potential spam or malware bot"; content:"511 https://www.spamhaus.org"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000502; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected spam or malware bot"; content:"554 Mail rejected - spam detected"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000503; rev:2;)

This is working fairly well.  However, it would also be good to 
immediately block an IP when an invalid user name is specified.  I have 
looked at Fail2Ban which does a similar operation to what I'm doing 
(except on the mail server's firewall).  Is there anything more 
sophisticated or a better approach to solving this problem?

-Nathan
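The threshold logic the rules above depend on, as an added Python emulation (not from the post, and not Snort's own code): it replays constructed SMTP server responses against the four rules and reports which ones would alert, so the effect of `count`/`seconds` per source can be checked before changing them. The IPs, timestamps and response lines are constructed, and the reset-after-alert behaviour is an approximation of Snort's `type threshold`.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "msg pattern count seconds")

# The four thresholds from the post; 'nocase' is handled by lower-casing.
RULES = [
    Rule("SMTP AUTH brute force attack", "535 Authentication failed.", 2, 60),
    Rule("SMTP ERROR potential spam or malware bot", "502 ESMTP command error", 2, 60),
    Rule("SMTP SPAMHAUS potential spam or malware bot", "511 https://www.spamhaus.org", 1, 60),
    Rule("SMTP SPAM detected spam or malware bot", "554 Mail rejected - spam detected", 1, 60),
]


class ThresholdTracker:
    """Approximates 'threshold:type threshold, track by_src, count N, seconds S'."""

    def __init__(self):
        self.state = {}  # (rule msg, source IP) -> (window_start, hits_in_window)

    def hit(self, rule, src, ts):
        """Record one matching response sent to src; True when the rule should alert."""
        key = (rule.msg, src)
        start, n = self.state.get(key, (ts, 0))
        if ts - start >= rule.seconds:  # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        if n >= rule.count:             # Nth hit inside the window: alert, then reset
            self.state[key] = (ts, 0)
            return True
        self.state[key] = (start, n)
        return False


def detect(events, rules=RULES):
    """events: (timestamp, client_ip, server_response_line); returns (ts, ip, msg) alerts."""
    tracker, alerts = ThresholdTracker(), []
    for ts, src, line in events:
        low = line.lower()
        for rule in rules:
            if rule.pattern.lower() in low and tracker.hit(rule, src, ts):
                alerts.append((ts, src, rule.msg))
    return alerts


# Constructed sample of server -> client responses as (seconds, client IP, line).
SAMPLE = [
    (0,   "203.0.113.10", "535 Authentication failed."),
    (0,   "198.51.100.5", "502 ESMTP command error"),
    (3,   "192.0.2.7",    "511 https://www.spamhaus.org/query/ip/192.0.2.7"),  # count 1: alert
    (5,   "203.0.113.10", "535 Authentication failed."),   # 2nd within 60 s: alert
    (10,  "203.0.113.10", "535 authentication FAILED."),   # counter was reset: 1 hit
    (20,  "203.0.113.10", "535 Authentication failed."),   # 2nd again: alert
    (100, "198.51.100.5", "502 ESMTP command error"),      # window expired: no alert
]

if __name__ == "__main__":
    for ts, src, msg in detect(SAMPLE):
        print(f"t={ts:>3}s  {src:<14} {msg}")
```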


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net