l...@lena.kiev.ua wrote:
From: lee <l...@yun.yagibdah.de>

Is it possible to automatically blacklist clients that repeatedly fail
SMTP authentication?

Exim dropped the connections after so many failed non-mail commands:

Not many: default for smtp_accept_max_nonmail is 10.

What I have in mind is to simply have exim deny connections (or all
auth attempts) from the IP in question after the authentication failed
so many times --- perhaps that's a feature already built in?

If it's not a built-in feature, perhaps I can make it so that exim
appends the IPs in question to some file which is used for a
blacklist.

# Thresholds for the invalid-recipient rate limit and where alerts go.
LIM = 100
PERIOD = 1h
WARNTO = ab...@example.com
# Used inside ${run{...}} to send the alert mail.
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
...
begin acl
acl_check_auth:
   # Runs for every AUTH command (the ACL named by acl_smtp_auth), i.e.
   # before the credentials are checked. acl_m_auth counts AUTH commands
   # for the current message; on the third one the client is kept waiting
   # 22s and then dropped.
   drop  message = authentication is allowed only once per message in order \
                   to slow down bruteforce cracking
         set acl_m_auth = ${eval10:0$acl_m_auth+1}
         condition = ${if >{$acl_m_auth}{2}}
         delay = 22s

   # acl_c_authnomail counts AUTH commands for the whole connection and is
   # reset by acl_check_mail below, so it only keeps growing for clients
   # that authenticate again and again without ever sending MAIL. Above
   # four, record the IP in blocked_IPs (checked in acl_check_connect) and
   # mail WARNTO. $sender_host_address is a bare IP literal, so it is safe
   # to interpolate into "sh -c".
   drop  message = blacklisted for bruteforce cracking attempt
         set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
         condition = ${if >{$acl_c_authnomail}{4}}
         continue = ${run{SHELL -c "echo $sender_host_address \
            >>$spool_directory/blocked_IPs; \
            \N{\N echo Subject: $sender_host_address blocked; echo; echo \
            for bruteforce auth cracking attempt.; \
            \N}\N | EXIMBINARY WARNTO"}}

   accept

acl_check_mail:
   # A MAIL command means the client got past authentication: reset the
   # connection-wide AUTH counter.
   accept set acl_c_authnomail = 0

acl_check_connect:
...
   # Refuse at connect time any IP recorded in blocked_IPs (one key per
   # line, matched exactly by lsearch). The exists test keeps the lookup
   # from being attempted before the first IP has ever been written.
   drop  message = $sender_host_address locally blacklisted for a bruteforce \
                   auth (login+password) cracking attempt
         condition = ${if exists{$spool_directory/blocked_IPs}}
         condition = ${lookup{$sender_host_address}lsearch\
                     {$spool_directory/blocked_IPs}{1}{0}}

   accept

acl_check_quit:
   # Runs when the client sends QUIT. $authentication_failed is "1" if an
   # AUTH attempt failed during this connection. Log such connections to
   # the reject log ($sender_rcvhost contains newlines and tabs, which the
   # sg collapses to spaces). The ratelimit is only reached for connections
   # that failed authentication, so it counts those per client host:
   # more than 7 in 5 minutes (strict: over-limit connections still count)
   # and the host is recorded in blocked_IPs exactly as above.
   warn  condition = ${if def:authentication_failed}
         condition = $authentication_failed
         logwrite = :reject: quit after authentication failed: \
                             ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
         ratelimit = 7 / 5m / strict / per_conn
         continue = ${run{SHELL -c "echo $sender_host_address \
            >>$spool_directory/blocked_IPs; \
            \N{\N echo Subject: $sender_host_address blocked; echo; echo \
            for bruteforce auth cracking attempt.; \
            \N}\N | EXIMBINARY WARNTO"}}

acl_check_notquit:
   # Same logging for connections that end without QUIT (timeout, lost
   # connection, ...); $smtp_notquit_reason says which.
   warn  condition = ${if def:authentication_failed}
         condition = $authentication_failed
         logwrite = :reject: $smtp_notquit_reason after authentication failed: \
                             ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}

acl_check_rcpt:
...
   # Relayed LAN clients (not one of this host's own addresses): key the
   # checks on the client IP. If the key is already in blocked_relay_users,
   # accept the recipient but freeze the message (no_tell: the sender is
   # not told) and mark it with a header.
   accept hosts = !@[] : +relay_from_hosts
         set acl_m_user = $sender_host_address
                         # or an userid from RADIUS
         condition = ${if exists{$spool_directory/blocked_relay_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_relay_users}{1}{0}}
         control = freeze/no_tell
         add_header = X-Relayed-From: $acl_m_user

   # Otherwise verify the recipient with a 10s callout. ratelimit is only
   # reached when the verify failed, so the per_rcpt rate measures invalid
   # recipients only. Above LIM per PERIOD: record the key, mail WARNTO,
   # and freeze this message.
   accept hosts = !@[] : +relay_from_hosts
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / relayuser-$acl_m_user
         continue = ${run{SHELL -c "echo $acl_m_user \
            >>$spool_directory/blocked_relay_users; \
            \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
            because has sent mail to LIM invalid recipients during PERIOD.; \
            \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         add_header = X-Relayed-From: $acl_m_user

   accept  hosts         = +relay_from_hosts
           control       = submission/domain=

   # Authenticated clients: the same two checks, keyed on $authenticated_id.
   # NOTE: $acl_m_user is interpolated into "sh -c" in the statement after
   # this one. If the authenticator can leave shell metacharacters in
   # $authenticated_id, strip them here first (the /var/mail variant in the
   # comment below already keeps only the leading word characters).
   accept authenticated = *
         set acl_m_user = $authenticated_id
# in case of mailboxes in /var/mail: ${sg{$authenticated_id}{\N\W.*$\N}{}}
         condition = ${if exists{$spool_directory/blocked_authenticated_users}}
         condition = ${lookup{$acl_m_user}lsearch\
                     {$spool_directory/blocked_authenticated_users}{1}{0}}
         control = freeze/no_tell
         add_header = X-Authenticated-As: $acl_m_user

   accept authenticated = *
         !verify = recipient/defer_ok/callout=10s,defer_ok,use_sender
         ratelimit = LIM / PERIOD / per_rcpt / user-$acl_m_user
         continue = ${run{SHELL -c "echo $acl_m_user \
            >>$spool_directory/blocked_authenticated_users; \
            \N{\N echo Subject: user $acl_m_user blocked; echo; echo because \
            has sent mail to LIM invalid recipients during PERIOD.; \
            \N}\N | EXIMBINARY WARNTO"}}
         control = freeze/no_tell
         add_header = X-Authenticated-As: $acl_m_user

   # Authenticated clients on any port other than 25 get submission-mode
   # header fixups; authenticated clients on port 25 fall through.
   accept authenticated = *
         condition = ${if !={$received_port}{25}}
         control = submission/domain=
...

The checks in rcpt are for spamming from trojaned windozes in the LAN and
for the use of passwords stolen with trojans. The check is based on the fact
that the lists of email addresses spammers send to contain very many
non-existent addresses.


Lena,

Clever!

But it begs a question:

IF 'in LAN' really does mean 'Local...', and taking as a given that protecting WinDoze from infection is not possible and never will be,

- could you instead operate internally on ONLY a non-standard submission port and protocol, such that a 'house configured' MTA would work, but bots assuming 25, 465, 587 and their respective protocols would not even FIND the 'real' submission port? (And they could be tarpitted on internal-IP ports 25 & 587.)

NB: We use port 24 for our own internals in a like manner, but also enjoy the privilege of not supporting any WinBoxen...

Bill


--
韓家標

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
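An added example, my own and not from Lena's post or from Exim: the blocklist files in the ACLs above are written with a bare `echo ip >> file` and are never pruned, so a blocked IP or user stays blocked until somebody edits the file by hand. The script below manages those files in the same lsearch format but with a timestamp in the data field (Exim's lsearch matches on the key only, so the ACLs need no change), expires old entries, and also applies the "block after N failed-auth connections" rule offline, over the `... after authentication failed:` lines that acl_check_quit and acl_check_notquit write. It generalises the post's approach by adding expiry. Assumptions: the default file path (override with BLOCKFILE), the TTL, the reject-log line layout (timestamp, then the logwrite text with the client IP as the last bracketed token, as $sender_rcvhost produces it), and the sample log lines, which are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of Exim itself.
# Manages an lsearch-format blocklist file as used by the ACLs in the thread,
# with an expiry time per entry, and scans reject-log lines for hosts to block.
#
# Assumed entry format (lsearch "key: data"; Exim only matches on the key):
#   <ip-or-user>: <unix-timestamp-when-blocked>
# Lines without a timestamp (as written by the ACL's "echo ip >> file")
# are treated as permanent.

BLOCKFILE="${BLOCKFILE:-/var/spool/exim/blocked_IPs}"   # assumption: adjust to $spool_directory
TTL="${TTL:-86400}"                                       # assumption: block for one day

# is_blocked KEY -> exit status 0 if KEY is a key in BLOCKFILE (exact match,
# like Exim's lsearch; a trailing colon on the key is stripped).
is_blocked() {
    [ -f "$BLOCKFILE" ] || return 1
    awk -v k="$1" '
        BEGIN { found = 1 }
        { key = $1; sub(/:$/, "", key); if (key == k) { found = 0; exit } }
        END { exit found }
    ' "$BLOCKFILE"
}

# block_key KEY [NOW] -> append "KEY: NOW" unless KEY is already present.
# printf rather than echo, because keys may come from client-supplied data.
block_key() {
    key=$1
    now=${2:-$(date +%s)}
    is_blocked "$key" && return 0
    printf '%s: %s\n' "$key" "$now" >> "$BLOCKFILE"
}

# expire_blocked [NOW] -> drop entries older than TTL seconds and replace the
# file atomically with mv, so a concurrent Exim lookup sees the old or the
# new file, never a half-written one. Prints the number of entries removed.
expire_blocked() {
    now=${1:-$(date +%s)}
    [ -f "$BLOCKFILE" ] || { echo 0; return 0; }
    before=$(wc -l < "$BLOCKFILE")
    tmp="$BLOCKFILE.tmp.$$"
    awk -v now="$now" -v ttl="$TTL" '
        NF < 2 || $2 !~ /^[0-9]+$/ { print; next }   # undated entry: keep
        (now - $2) < ttl { print }                    # still inside TTL
    ' "$BLOCKFILE" > "$tmp" && mv "$tmp" "$BLOCKFILE"
    after=$(wc -l < "$BLOCKFILE")
    echo $((before - after))
}

# scan_rejectlog LOGFILE THRESHOLD [NOW] -> block every client IP that appears
# in at least THRESHOLD "... after authentication failed:" lines (the logwrite
# text from acl_check_quit / acl_check_notquit) and print the IPs blocked.
# Assumes the IP is the last bracketed token on the line, as in $sender_rcvhost.
scan_rejectlog() {
    log=$1
    threshold=$2
    now=${3:-$(date +%s)}
    sed -n 's/.*after authentication failed:.*\[\([0-9A-Fa-f.:]*\)].*/\1/p' "$log" \
        | sort | uniq -c \
        | while read -r count ip; do
            [ "$count" -ge "$threshold" ] || continue
            block_key "$ip" "$now" && echo "$ip"
          done
}

# Command-line use: blocklist.sh block KEY | check KEY | expire | scan LOG [N]
case "${1:-}" in
    block)  block_key "$2" ;;
    check)  if is_blocked "$2"; then echo blocked; else echo "not blocked"; fi ;;
    expire) expire_blocked ;;
    scan)   scan_rejectlog "$2" "${3:-5}" ;;
esac
```

Each SMTP session is its own Exim process that opens the lsearch file afresh, so the `mv` in expire_blocked is safe while Exim is running: new connections simply see the replaced file. Run `expire` from cron; the plain one-token lines the ACLs write with echo are kept forever, so `block` can replace that echo in the `${run{...}}` modifiers (pointing BLOCKFILE at the relevant file) without changing any lookup.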
