Please consider reading and understanding these Courier ban rules: https://github.com/szepeviktor/debian-server-tools/tree/master/security/fail2ban-conf/filter.d
Quoting Sam Varshavchik <mr...@courier-mta.com>:

> Nathan Harris writes:
>
>> For a while now our server has been seeing a lot of brute force
>> authentication attacks. Of course the source of these attacks is
>> constantly changing. My firewall (pfSense) is running Snort and I am
>> using the following custom rules to help.
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute force attack"; content:"535 Authentication failed."; nocase; classtype:attempted-user; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000500; rev:6;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR potential spam or malware bot"; content:"502 ESMTP command error"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000501; rev:4;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS potential spam or malware bot"; content:"511 https://www.spamhaus.org"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000502; rev:4;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected spam or malware bot"; content:"554 Mail rejected - spam detected"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000503; rev:2;)
>>
>> This is working fairly well. However, it would also be good to
>> immediately block IPs when an invalid user name is specified. I have
>> looked at Fail2Ban which does a similar operation to what I'm doing
>> (except on the mail server's firewall). Is there anything more
>> sophisticated or a better approach to solving this problem?
>
> You should check the timestamps in the maillog. Courier's automatic
> tarpitting and rate limit is pretty good at keeping things under
> control.
>
> Also, check whether or not you really need to enable authenticated
> SMTP on port 25.
> In most cases you can turn this off completely, and
> use only authenticated SMTP on port 587.
>
> Just last month, on another mailing list one unfortunate soul
> discovered that he was successfully dictionary-attacked, and had a
> queue-full of spam.
>
> No tarpitting will help. fail2ban will work generally well, but it
> won't be fool-proof.

SZÉPE Viktor
--
+36-20-4242498 s...@szepe.net skype: szepe.viktor
Budapest, III. kerület

courier-users mailing list
courier-users@lists.sourceforge.net
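As an added illustration (not code from this thread, from Courier, or from fail2ban), the checker below applies the same `count 2, seconds 60, track by_src` threshold that the "535 Authentication failed." Snort rule above uses, but to the mail server's own maillog, which is where Sam suggests looking at the timestamps. The Courier log line layout and the sample lines are constructed assumptions modelled on the 535 reply text; the year is an assumption too, since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample maillog lines (assumed layout, not real Courier output).
# 198.51.100.7 fails three times inside a minute; 203.0.113.9 fails twice
# twelve minutes apart, which a 60-second window should not flag.
SAMPLE_LOG = """\
Jun 10 12:00:01 mx courieresmtpd: error,relay=::ffff:198.51.100.7,msg="535 Authentication failed.",cmd: AUTH LOGIN
Jun 10 12:00:20 mx courieresmtpd: error,relay=::ffff:198.51.100.7,msg="535 Authentication failed.",cmd: AUTH LOGIN
Jun 10 12:00:45 mx courieresmtpd: error,relay=::ffff:198.51.100.7,msg="535 Authentication failed.",cmd: AUTH LOGIN
Jun 10 12:03:00 mx courieresmtpd: error,relay=::ffff:203.0.113.9,msg="535 Authentication failed.",cmd: AUTH LOGIN
Jun 10 12:15:00 mx courieresmtpd: error,relay=::ffff:203.0.113.9,msg="535 Authentication failed.",cmd: AUTH LOGIN
"""

# Syslog timestamp, host, then the assumed Courier error record; the optional
# ::ffff: prefix is the IPv4-mapped form Courier logs on dual-stack hosts.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ courieresmtpd: '
    r'error,relay=(?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+),'
    r'msg="535 Authentication failed\."'
)


def find_brute_force(log_text, count=2, seconds=60, year=2016):
    """Return {ip: time of first trigger} for every source that produced at
    least `count` auth failures within any `seconds`-long sliding window.
    Mirrors Snort's 'threshold ... track by_src, count N, seconds S'."""
    windows = defaultdict(deque)   # per-source timestamps inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not an auth failure, ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m['ip']
        q = windows[ip]
        q.append(ts)
        # Drop failures older than the window before counting.
        while (ts - q[0]).total_seconds() > seconds:
            q.popleft()
        if len(q) >= count and ip not in offenders:
            offenders[ip] = ts       # record when the threshold was first crossed
    return offenders


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

The returned timestamps are what you would compare against Courier's own tarpit delays when deciding whether a firewall ban adds anything.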