On 7/8/2016 5:42 PM, Sam Varshavchik wrote:
> Nathan Harris writes:
>
>> For a while now our server has been seeing a lot of brute force
>> authentication attacks. Of course the source of these attacks is
>> constantly changing. My firewall (pfSense) is running Snort and I am
>> using the following custom rules to help.
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute force attack"; content:"535 Authentication failed."; nocase; classtype:attempted-user; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000500; rev:6;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR potential spam or malware bot"; content:"502 ESMTP command error"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000501; rev:4;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS potential spam or malware bot"; content:"511 https://www.spamhaus.org"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000502; rev:4;)
>>
>> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected spam or malware bot"; content:"554 Mail rejected - spam detected"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000503; rev:2;)
>>
>> This is working fairly well. However, it would also be good to
>> immediately block IPs when an invalid user name is specified. I have
>> looked at Fail2Ban which does a similar operation to what I'm doing
>> (except on the mail server's firewall). Is there anything more
>> sophisticated or a better approach to solving this problem?
>
> You should check the timestamps in the maillog. Courier's automatic
> tarpitting and rate limit is pretty good at keeping things under control.
>
> Also, check whether or not you really need to enable authenticated
> SMTP on port 25. In most cases you can turn this off completely, and
> use only authenticated SMTP on port 587.
>
> Just last month, on another mailing list one unfortunate soul
> discovered that he was successfully dictionary-attacked, and had a
> queue-full of spam.
>
> No tarpitting will help. fail2ban will work generally well, but it
> won't be fool-proof.

I turned off authentication on port 25 and this did help. I can't seem to find a better solution than fail2ban, so I will be going down that path next.

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
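The four Snort rules quoted above all rely on the same mechanism: match a fixed SMTP response string (case-insensitively, because of `nocase`) and fire once a per-address counter reaches `count` hits inside a `seconds` window. The following Python model of that `threshold:type threshold` logic is an added example, not code from the thread or from Snort or Courier, and it is fed a constructed list of server responses so the reader can see exactly which events would alert and which are swallowed by the window. One design choice to note: the rules match packets travelling from the mail server (port 25) to the client, so the packet's source address is the server itself; this model therefore keys each counter on the client address, which is the party the thread wants to rate-limit. The rule table, the client addresses and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Subset of a Snort rule: the content match plus its threshold options."""
    sid: int
    msg: str
    content: str   # matched as a substring, case-insensitively (nocase)
    count: int     # threshold count
    seconds: int   # threshold window length


# The four content/threshold pairs from the thread's rules (sids are theirs).
RULES = [
    Rule(1000500, "SMTP AUTH brute force attack", "535 Authentication failed.", 2, 60),
    Rule(1000501, "SMTP ERROR potential spam or malware bot", "502 ESMTP command error", 2, 60),
    Rule(1000502, "SMTP SPAMHAUS potential spam or malware bot", "511 https://www.spamhaus.org", 1, 60),
    Rule(1000503, "SMTP SPAM detected spam or malware bot", "554 Mail rejected - spam detected", 1, 60),
]


class ThresholdTracker:
    """Model of Snort 'threshold:type threshold': alert every count-th matching
    event seen within `seconds` of the window start. Counters are kept per
    (rule, client) so one noisy client cannot mask or trigger alerts for another."""

    def __init__(self, rules):
        self.rules = rules
        self.state = {}  # (sid, client) -> (window_start, hits_in_window)

    def observe(self, ts, client, response):
        """Feed one server response sent to `client` at time `ts` (seconds).
        Returns the list of (sid, msg, client) alerts this event produces."""
        alerts = []
        lowered = response.lower()
        for rule in self.rules:
            if rule.content.lower() not in lowered:
                continue
            key = (rule.sid, client)
            start, hits = self.state.get(key, (ts, 0))
            if ts - start >= rule.seconds:   # window expired: open a fresh one
                start, hits = ts, 0
            hits += 1
            if hits >= rule.count:           # count reached: alert and restart the counter
                alerts.append((rule.sid, rule.msg, client))
                hits = 0
            self.state[key] = (start, hits)
        return alerts


# Constructed sample traffic: (timestamp, client address, SMTP server response).
# Addresses are documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    (0,   "198.51.100.7", "535 Authentication failed."),
    (3,   "203.0.113.9",  "535 Authentication failed."),
    (5,   "198.51.100.7", "535 Authentication failed."),             # 2nd hit in 60s -> alert 1000500
    (10,  "198.51.100.7", "535 Authentication failed."),             # counter restarted, 1 hit, no alert
    (12,  "203.0.113.9",  "554 Mail rejected - spam detected"),      # count 1 -> alert 1000503
    (90,  "203.0.113.9",  "535 Authentication failed."),             # 87s after first hit: new window, no alert
    (110, "198.51.100.7", "502 ESMTP command error"),                # first 502 for this client, no alert
]


def run_sample(events=SAMPLE_EVENTS, rules=RULES):
    """Replay the events through the tracker and collect every alert raised."""
    tracker = ThresholdTracker(rules)
    alerts = []
    for ts, client, response in events:
        alerts.extend(tracker.observe(ts, client, response))
    return alerts


if __name__ == "__main__":
    for sid, msg, client in run_sample():
        print(f"[{sid}] {msg} from {client}")
```

Replaying the sample raises exactly two alerts: sid 1000500 for 198.51.100.7 at t=5 and sid 1000503 for 203.0.113.9 at t=12. The two failures from 203.0.113.9 at t=3 and t=90 never alert because they fall in different 60-second windows, which is the gap the thread's fail2ban discussion is about: a slow attacker that spaces attempts past the window is invisible to a pure count/seconds threshold, so a longer-memory mechanism (fail2ban's findtime/maxretry, or Courier's own tarpitting) is needed alongside it.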