Nathan Harris writes:

For a while now our server has been seeing a lot of brute force
authentication attacks.  Of course the source of these attacks is
constantly changing.  My firewall (pfSense) is running Snort and I am
using the following custom rules to help.

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH brute force attack"; content:"535 Authentication failed."; nocase; classtype:attempted-user; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000500; rev:6;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP ERROR potential spam or malware bot"; content:"502 ESMTP command error"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000501; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAMHAUS potential spam or malware bot"; content:"511 https://www.spamhaus.org"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000502; rev:4;)

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SPAM detected spam or malware bot"; content:"554 Mail rejected - spam detected"; nocase; classtype:policy-violation; threshold:type threshold, track by_src, count 1, seconds 60; sid:1000503; rev:2;)

This is working fairly well.  However, it would also be good to
immediately block an IP when an invalid user name is specified.  I have
looked at Fail2Ban which does a similar operation to what I'm doing
(except on the mail server's firewall).  Is there anything more
sophisticated or a better approach to solving this problem?

You should check the timestamps in the maillog. Courier's automatic tarpitting and rate limit is pretty good at keeping things under control.

Also, check whether or not you really need to enable authenticated SMTP on port 25. In most cases you can turn this off completely, and use only authenticated SMTP on port 587.

Just last month, on another mailing list one unfortunate soul discovered that he was successfully dictionary-attacked, and had a queue full of spam.

No tarpitting will help. fail2ban will work generally well, but it won't be fool-proof.
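The Snort rules in the original post and the fail2ban suggestion in the reply both rest on the same idea: count matching server responses per source address inside a sliding time window and act once the count is reached. The script below is an added example, not code from either poster or from Courier, fail2ban or Snort. It re-implements the `threshold:type threshold, track by_src, count N, seconds S` semantics of the posted rules over a handful of constructed log lines (the `ts ip=[...] reply="..."` format is invented here and is not Courier's real maillog format), so that the count/seconds values can be tried against real maillog timestamps before changing the rules or a fail2ban filter.

```python
"""Per-source sliding-window threshold over SMTP server replies.

Added example (not from the mailing-list thread). The SIGNATURES table
carries the four content strings and count/seconds values from the posted
Snort rules; the log line format below is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# (content string from the posted rule) -> (msg, count, seconds)
SIGNATURES = {
    "535 Authentication failed.": ("SMTP AUTH brute force attack", 2, 60),
    "502 ESMTP command error": ("SMTP ERROR potential spam or malware bot", 2, 60),
    "511 https://www.spamhaus.org": ("SMTP SPAMHAUS potential spam or malware bot", 1, 60),
    "554 Mail rejected - spam detected": ("SMTP SPAM detected spam or malware bot", 1, 60),
}

# Constructed sample log; the format is invented for this example.
SAMPLE_LOG = """\
2016-06-01T10:00:00 ip=[198.51.100.7] reply="535 Authentication failed."
2016-06-01T10:00:20 ip=[198.51.100.7] reply="535 Authentication failed."
2016-06-01T10:00:25 ip=[203.0.113.9] reply="535 Authentication failed."
2016-06-01T10:02:00 ip=[203.0.113.9] reply="535 Authentication failed."
2016-06-01T10:03:00 ip=[192.0.2.44] reply="554 Mail rejected - spam detected"
2016-06-01T10:03:05 ip=[198.51.100.7] reply="535 Authentication failed."
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) ip=\[(?P<ip>[^\]]+)\] reply="(?P<reply>[^"]*)"$')


class ThresholdTracker:
    """Mirror Snort's 'type threshold, track by_src': alert once per
    `count` matching events from one source inside a `seconds` window."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        # (msg, src_ip) -> timestamps of not-yet-alerted matches
        self.windows = defaultdict(deque)

    def feed(self, ts, src_ip, reply):
        """Return the alert msg if this event completes a threshold, else None."""
        for needle, (msg, count, seconds) in self.signatures.items():
            if needle.lower() not in reply.lower():  # the rules use 'nocase'
                continue
            window = self.windows[(msg, src_ip)]
            window.append(ts)
            # Drop events that fell out of the window before this one.
            while window and (ts - window[0]).total_seconds() > seconds:
                window.popleft()
            if len(window) >= count:
                # 'type threshold' fires every `count` events, so restart the count.
                window.clear()
                return msg
        return None


def parse_line(line):
    """Parse one constructed log line into (datetime, ip, reply) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("reply")


def run_log(log_text):
    """Feed every parsable line to the tracker; return [(ts, ip, msg), ...]."""
    tracker = ThresholdTracker()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, reply = parsed
        msg = tracker.feed(ts, ip, reply)
        if msg is not None:
            alerts.append((ts, ip, msg))
    return alerts


def banned_ips(alerts):
    """Sources that would be handed to the firewall, fail2ban style."""
    return {ip for _, ip, _ in alerts}


if __name__ == "__main__":
    for ts, ip, msg in run_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip}: {msg}")
    print("would block:", sorted(banned_ips(run_log(SAMPLE_LOG))))
```

With the constructed lines, 198.51.100.7 trips the AUTH rule on its second failure within 60 seconds, 192.0.2.44 trips the count-1 spam rule on the first match, and 203.0.113.9 never alerts because its two failures are 95 seconds apart. That last case is the one worth checking against a real maillog: a slow dictionary attack that stays under the count/seconds pair is exactly what a threshold of this shape misses, which is the reply's point that neither tarpitting nor fail2ban is fool-proof on its own.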

courier-users mailing list
courier-users@lists.sourceforge.net