Thanks for the reply, Thomas.  I hope you've been well.

I don't see a way for our firewall hardware to get the lists from ASSP.
That's not a question for you, just a statement that I don't think that all
firewalls are able to automate the download.  I've looked at SonicWall and
Watchguard, and don't see a way.  Sure would be helpful!

I don't know what the hacker in China was looking to accomplish by trying
to authenticate over and over with a user@domain that's an @163.com
email address (big Chinese email host).  It's a slightly distributed attack
of some kind.  Then the number of IPs diminished quite a lot yesterday.
With all of the hacking that's going on, I'd rather just kick them.
Looking long term now.  I've seen the exact user ID being attempted
reported elsewhere.

What would AUTHUserIPfrequency do in this case?  The user isn't
successfully authenticating.  Would the user/IP pair still be counted for a
>failed< smtp auth attempt?

I hear you loud and clear that "Blocking an IP permanently because of a
single failed AUTH is not wise."  This was a temporary measure.

Is there any sense to modifying ASSP to have a second parameter list
MaxAUTHAttemptsOnBlockedAUTHport that would separately count auth attempts
on ports where we blocked auth altogether?

Related - is there logic to creating an "SMTPAuthAllowedUsers" list to
explicitly allow only certain users to do SMTP auth and have everyone else
be rejected?  Then there could be a count of those rejections to penalize
that IP / extreme block that IP.

Think what the world would be like without spammers, scammers, and hackers!




On Wed, Mar 10, 2021 at 10:11 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> >And I don't see a way of getting ASSP's ip lists >automatically< in the
> >hardware firewalls that we use.
>
> Any firewall is able to download the extreme-IP list using the
> ASSP-Stats-interface: http://your.assp:55553/extremeblack
> RTM
>
> increase 'autValencePB', if it helps
>
> IMHO - these auth attempts are harmless. ASSP is able to handle them in an
> early state. There is no need to block those connections in a very early
> state (at connection time).
>
> >Setting MaxAUTHErrors to 1 only works once the actor exceeds 1.
>
> This blocks the IP for 5-10 minutes. Blocking an IP permanently because of
> a single failed AUTH is not wise.
>
> >strangely using the same external email address as the username
> Have a look at the 'AUTHUserIPfrequency' option. Because the requests are
> using the same AUTH-users every time.
>
> Thomas
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 09.03.2021 19:51
> Subject: Re: [Assp-test] SMTP auth errors - block only on main port?
> ------------------------------
>
> Hiya Doug.  Good to hear from you.  Thanks for the reply.
>
> We're all Windows here, so no iptables = no Fail2Ban :(  And I don't
> see a way of getting ASSP's ip lists >automatically< in the hardware
> firewalls that we use.
>
> The actor is attempting to sign in from at least a couple dozen IPs,
> strangely using the same external email address as the username.  It's
> >not< one of our domains.  Is there a way for ASSP to do an early deny and
> add the IP to a block based only on the username provided at the smtp auth
> login time?  bombRE and related, seem to go into effect only with the true
> header/body.  SMTP auth isn't in the envelope.
>
> Furthermore, I want to ban after even 1 failed try.  Setting MaxAUTHErrors
> to 1 only works once the actor exceeds 1.  I don't want them to be able to
> try a 2nd time.  Setting it to 0 disables it.  Setting to -1 blocks
> immediately regardless of success - so that doesn't work, I need users to
> be able to authenticate on the alternate ports.
>
>
>
>
> On Tue, Mar 9, 2021 at 12:02 PM Doug Lytle <supp...@drdos.info> wrote:
>
> >> Summary question: is there a way to immediately ban IP's that try SMTP
> >> auth on a specific port, but not on other ports?  Allow SMTP auth on
> >> listenPort2, but immediately ban any IP that fails SMTP auth on port 25?
>
> I don't think that is currently an option with ASSP, but I currently do
> that with fail2ban, since I only auth on 587
>
> Doug
>
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
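Thomas's point in the thread is that the firewall can pull the extreme-IP list straight from the ASSP stats interface. Where the firewall cannot fetch a URL on its own (the SonicWall/WatchGuard problem K Post describes), a small scheduled script on the mail host can do the download and hand the firewall a file to import. The script below is an added example, not ASSP's own code and not posted by anyone in this thread. It assumes the stats interface returns plain text with one IP or CIDR per line and `#` starting a comment (verify this against a real download); the `OWN_RANGES` value and the sample list are constructed. The sanitising step matters because a block list fed blindly into a perimeter device can lock out the mail server's own addresses or, through a corrupt line, far more than intended.

```python
"""Pull the ASSP extreme-IP list and sanitise it before a firewall imports it.

Added example, not part of ASSP or of this thread. Assumptions:
  * http://your.assp:55553/extremeblack returns plain text, one IP or
    CIDR per line, '#' starting a comment (check against a real download);
  * OWN_RANGES lists the networks the firewall must never block
    (the mail server's own address space; the value here is constructed).
"""
import ipaddress
from urllib.request import urlopen

# Constructed sample standing in for a download from the stats interface.
SAMPLE_LIST = """\
# extreme-blacklist export (constructed sample)
203.0.113.10
203.0.113.11
203.0.113.10          # duplicate of the first entry
198.51.100.0/24
198.51.100.7          # already covered by the /24 above
10.69.1.60            # RFC 1918 address: never push this to a firewall
203.0.113.201         # inside our own public range (constructed)
not-an-ip             # corrupt line
2001:db8::1
0.0.0.0/0             # a typo like this would block the whole internet
"""

# Our own address space (constructed). Blocking it would lock out the
# mail server itself or its trusted relays.
OWN_RANGES = [ipaddress.ip_network("203.0.113.200/29")]

# Non-routable space, spelled out explicitly. Python's is_private/is_global
# flags would also reject the documentation ranges used in the sample, so
# the check does not rely on them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Smallest prefix length a single entry may have before it is refused.
MIN_PREFIXLEN = {4: 8, 6: 32}


def fetch_extreme_list(url="http://your.assp:55553/extremeblack", timeout=15):
    """Download the raw list from the ASSP stats interface (network call;
    the offline run below uses SAMPLE_LIST instead)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def _within(net, ranges):
    """True if net lies inside any network of the same IP version in ranges."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def parse_extreme_list(text, own_ranges=OWN_RANGES):
    """Return (blocks, rejected).

    blocks:   validated, deduplicated block networks with adjacent entries
              collapsed into supernets, IPv4 first then IPv6.
    rejected: (line, reason) pairs for everything dropped, so the operator
              can see what the script refused to hand to the firewall.
    """
    keep, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((line, "too broad"))
        elif _within(net, NON_ROUTABLE):
            rejected.append((line, "non-routable"))
        elif _within(net, own_ranges):
            rejected.append((line, "protected range"))
        else:
            keep.append(net)
    # collapse_addresses dedupes, merges adjacent hosts and drops entries
    # already covered by a wider network; it needs one IP version at a time.
    v4 = ipaddress.collapse_addresses(n for n in keep if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in keep if n.version == 6)
    return list(v4) + list(v6), rejected


def format_for_firewall(blocks):
    """One entry per line; a /32 or /128 is written as a bare address,
    which is what most import dialogs expect for single hosts."""
    lines = []
    for net in blocks:
        if net.prefixlen == net.max_prefixlen:
            lines.append(str(net.network_address))
        else:
            lines.append(str(net))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocks, rejected = parse_extreme_list(SAMPLE_LIST)
    print(format_for_firewall(blocks), end="")
    for line, why in rejected:
        print(f"dropped {line!r}: {why}")
```

Run on a schedule, the script would replace `SAMPLE_LIST` with `fetch_extreme_list()` and write the formatted output to wherever the firewall's import job reads from. The `rejected` list is worth logging every run: a sudden appearance of "protected range" entries means the mail server's own addresses have ended up on the extreme list and should be investigated rather than silently filtered.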