>And I don't see a way of getting ASSP's ip lists >automatically< in the hardware firewalls that we use.

Any firewall is able to download the extreme-IP list using the ASSP-Stats-interface:

http://your.assp:55553/extremeblack

RTM increase 'autValencePB', if it helps

IMHO - these auth attempts are harmless. ASSP is able to handle them in an early state. There is no need to block those connections in a very early state (at connection time).

>Setting MaxAUTHErrors to 1 only works once the actor exceeds 1.

This blocks the IP for 5-10 minutes. Blocking an IP permanently because of a single failed AUTH is not wise.

>strangely using the same external email address as the username

Have a look at the 'AUTHUserIPfrequency' option. Because the requests are using the same AUTH-users every time.

Thomas

From: "K Post" <nntp.p...@gmail.com>
To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date: 09.03.2021 19:51
Subject: Re: [Assp-test] SMTP auth errors - block only on main port?

Hiya Doug. Good to hear from you. Thanks for the reply.

We're all Windows here, so no iptables = no Fail2Ban :( And I don't see a way of getting ASSP's ip lists >automatically< in the hardware firewalls that we use.

The actor is attempting to sign in from at least a couple dozen IPs, strangely using the same external email address as the username. It's >not< one of our domains.

Is there a way for ASSP to do an early deny and add the IP to a block based only on the username provided at the smtp auth login time? bombRE and related, seem to go into effect only with the true header/body. SMTP auth isn't in the envelope.

Furthermore, I want to ban after even 1 failed try. Setting MaxAUTHErrors to 1 only works once the actor exceeds 1. I don't want them to be able to try a 2nd time. Setting it to 0 disables it. Setting to -1 blocks immediately regardless of success - so that doesn't work, I need users to be able to authenticate on the alternate ports.

On Tue, Mar 9, 2021 at 12:02 PM Doug Lytle <supp...@drdos.info> wrote:

>> Summary question: is there a way to immediately ban IPs that try SMTP auth on a specific port, but not on other ports? Allow SMTP auth on listenPort2, but immediately ban any IP that fails SMTP auth on port 25?

I don't think that is currently an option with ASSP, but I currently do that with fail2ban, since I only auth on 587

Doug

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test