On Mon, May 18, 2015 at 07:49:33PM +0000, [email protected] wrote:
> Hello guys,
>
Hello,
> I have a question, it seems that OpenSMTPD does not support "bad rcpt
> throttling", this is a feature that I am using in sendmail to prevent/limit
> DoS/DDoS attack and other hacks against smtp.
>
OpenSMTPD does not support "bad rcpt throttling" as a specific mechanism
but supports a more generic "bad command throttling" where a bad command
is any command that has not helped moved the session forward.
If you accumulate enough bad commands in a row and that your session has
not moved forward, you get kicked, which is a hard disconnect.
See bottom of this mail.
Bad clients can then be blocked with a packet filter (just an example):
pass inet proto tcp from any to any port smtp flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 15/5, overload <bruteforce>
flush global)
> I have found browsing OpenSMTPD code that there is a hardcoded parameter
> called max_failures_per_session but I am not sure if this will work in my
> case.
>
Nope, forget about that.
> In sendmail configuration parameter is called BAD_RCPT_THROTTLE
>
> Quick read about it:
> www.securelyspeaking.com/badrcptthrottlesendmail.txt
>
> Without it my sendmail was quite often bombarded with all kind of spam/hacks
> and other kind of bad traffic that was killing sendmail and generating
> gazillions of dns requests.
>
> Would be great if you let me know it OpenSMTPD can handle it.
>
It doesn't handle it like Sendmail does, it uses a different approach.
OpenSMTPD wants to avoid hogging connections so it will kick rather than
keeping misbehaving clients longer with slow replies.
However it is still possible to "slow reply" to a misbehaving client. It
can be achieved by writing a filter that will delay the answer to a RCPT
command if a client has had more than N.
The easiest way to achieve it is to run spamd and using the PF rule that
I pasted above to redirect all addresses part of <bruteforce> to it.
$ nc mx1.poolp.org 25
220 mx1.poolp.org ESMTP OpenSMTPD
HELO debug.poolp.org
250 mx1.poolp.org Hello debug.poolp.org [77.132.86.20], pleased to meet you
MAIL FROM:<[email protected]>
250 2.0.0: Ok
RCPT TO:<[email protected]>
550 Invalid recipient
RCPT TO:<[email protected]>
550 Invalid recipient
RCPT TO:<[email protected]>
550 Invalid recipient
RCPT TO:<[email protected]>
[connection dropped]
$ sudo smtpctl show stats | grep kick
smtp.kick=288
$ sudo tail -5 /var/log/maillog
May 19 08:40:36 poolp smtpd[1770]: smtp-in: session 3e1b7d69ac8b9e1b:
connection from host 20.86.132.77.rev.sfr.net [77.132.86.20] established
May 19 08:41:00 poolp smtpd[1770]: smtp-in: session 3e1b7d69ac8b9e1b: received
invalid command: "RCPT TO:<[email protected]>"
May 19 08:41:07 poolp smtpd[1770]: smtp-in: session 3e1b7d69ac8b9e1b: received
invalid command: "RCPT TO:<[email protected]>"
May 19 08:41:14 poolp smtpd[1770]: smtp-in: session 3e1b7d69ac8b9e1b: received
invalid command: "RCPT TO:<[email protected]>"
May 19 08:41:20 poolp smtpd[1770]: smtp-in: session 3e1b7d69ac8b9e1b:
connection from host 20.86.132.77.rev.sfr.net [77.132.86.20] closed (session
not moving forward)
> And thanks for your great work!
>
>
NP
--
Gilles Chehade
https://www.poolp.org @poolpOrg
--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
