On 25.07.2012 17:08, Cyborg wrote:
On 25.07.2012 16:33, [email protected] wrote:
2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
http://www.mail-archive.com/[email protected]/msg41893.html
or the same message:
https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html


acl_check_auth:
  drop message   = authentication is allowed only once per message in order \
                   to slow down bruteforce cracking
       set acl_m_auth = ${eval10:0$acl_m_auth+1}
       condition = ${if >{$acl_m_auth}{2}}
       delay     = 22s

Is there any variable which holds the "username" of the AUTH command if the auth fails?


2012-07-25 17:29:54 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 17:29:54 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:29:54 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=toby)
2012-07-25 17:32:04 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 17:32:04 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:32:04 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=tyler)
2012-07-25 17:34:14 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 17:34:15 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:34:15 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=sebastian)
2012-07-25 17:35:00 no host name found for IP address 27.41.155.167

That Windows PC (with telnet and VPN service :D) btw. does not trigger a ratelimit, as it only connects once and has a 120-second timer.

Exim logs "set_id=sebastian", and I need that name to compare against the database to check whether it is even possible that it's not a bruteforcer.

My thoughts are: brute forcers try a list of given names and passwords, but do not start with the correct name. Why not? Because if they have the name, they also got the password from the trojan horse they used. That will not always be true, but in most cases it will be a valid assumption, don't you agree?

btw. our unfriendly Windows server (s.a.) is now blocked the old-fashioned way :)




--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
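The heuristic in the post (a client whose failed AUTH names do not exist locally is almost certainly a bruteforcer, while a failure with a real name may just be a user with a wrong password) can be applied offline to the mainlog instead of inside the ACL, since the question of whether the failed set_id is available as an ACL variable is still open. The following is an added example, not code from the post or from Exim: it parses "authenticator failed ... (set_id=NAME)" lines of the form quoted above, groups failures per source IP, and flags IPs that tried names absent from a list of known users. The log lines embedded in it are constructed from the post's examples plus one invented line for 203.0.113.7/"alice"; the known-user list, the regex and the function names are assumptions for illustration, and a real deployment would read the list from the user database the post mentions.

```python
import re
from collections import OrderedDict

# Constructed sample mainlog lines, modelled on the ones quoted in the post
# (last line for 203.0.113.7 / "alice" is invented to show the non-bruteforce case).
SAMPLE_LOG = """\
2012-07-25 17:29:54 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 17:29:54 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=toby)
2012-07-25 17:32:04 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=tyler)
2012-07-25 17:34:15 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=sebastian)
2012-07-25 17:35:00 no host name found for IP address 27.41.155.167
2012-07-25 17:40:12 login authenticator failed for (laptop) [203.0.113.7]: 535 Incorrect authentication data (set_id=alice)
"""

# Assumed list of real local mailbox names (stands in for the database lookup in the post).
KNOWN_USERS = ["alice", "bob"]

# Matches the "<auth> authenticator failed for (<helo>) [<ip>]: 535 ... (set_id=<user>)"
# shape seen in the post. Assumption: no extra H=/U= fields between the IP and the 535 text.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<auth>\w+) authenticator failed for "
    r"\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]: 535 .*?\(set_id=(?P<user>[^)]*)\)"
)


def parse_auth_failures(log_text):
    """Return one dict (ts, auth, helo, ip, user) per failed-AUTH log line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarise_by_ip(events, known_users):
    """Group failures per client IP and apply the post's heuristic.

    An IP is marked likely_bruteforce when at least one name it tried is not a
    known local user: a guessing tool works from a wordlist, whereas a real user
    who mistypes a password still sends a real name.
    """
    known = {u.lower() for u in known_users}
    summary = OrderedDict()
    for ev in events:
        entry = summary.setdefault(ev["ip"], {"failures": 0, "names": [], "unknown_names": []})
        entry["failures"] += 1
        entry["names"].append(ev["user"])
        if ev["user"].lower() not in known:
            entry["unknown_names"].append(ev["user"])
    for entry in summary.values():
        entry["likely_bruteforce"] = bool(entry["unknown_names"])
    return summary


if __name__ == "__main__":
    for ip, entry in summarise_by_ip(parse_auth_failures(SAMPLE_LOG), KNOWN_USERS).items():
        verdict = "BRUTEFORCE?" if entry["likely_bruteforce"] else "wrong password?"
        print(f"{ip}: {entry['failures']} failure(s), names={entry['names']} -> {verdict}")
```

Run against a live /var/log/exim4/mainlog the output of summarise_by_ip gives both the per-IP count the ACL above tries to maintain in acl_m_auth and the name check the post asks for; the list of flagged IPs can then feed whatever blocking the site already uses. The caveat the post itself raises still applies: a client that reconnects for every attempt, as the Windows box with its 120-second timer does, keeps each connection's counter at one, so only the cross-connection view from the log catches it.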