Do you fail2ban? (Or could you?) You can configure fail2ban to trigger
off the reject messages exim is giving in these cases. In case you are
not familiar, fail2ban can add a firewall entry to block any connections
for a specific IP address for a configurable amount of time. It won't
help if the connections you are seeing rarely come from the same IP address.
(I haven't set up a fail2ban rule for those AUTH rejections. I just
believe it can be done.)
On 04/29/2016 03:38 PM, Phillip Carroll wrote:
Hello all,
My exim server does not support ANY net-facing logins at all, and AUTH
is not advertised. Yet, I am getting increasing numbers of AUTH
attempts. I am looking for the best way to block IPs that attempt
(have attempted) AUTH.
I am not concerned about site penetration because Exim automatically
rejects all the AUTH attempts with "503 AUTH command used when not
advertised". However, there are clients (almost all with Chinese IPs)
that are generating AUTH attempts at a rate exceeding 10 per second,
in blasts of several minutes. This, despite sending EHLO, to which my
server responds with a very short list:
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
(Some guys just can't accept no!)
The result of all these useless attempts is log pollution and wasted
resources at best, and perhaps something akin to DOS if it keeps
increasing. (It started out with an attempt by a random IP every 5
minutes, but lately seems to worsen daily.)
I suppose I could eliminate almost all of this by simply refusing
connection to any Chinese IP based on a filter file. I copied a CIDR
list in iplsearch acceptable format from a web site, but it contains
4226 entries! (http://www.okean.com/chinacidr.txt)
However, this filter would probably be a worse resource drain than the
current dropped connections. (Not sure how efficient exim's search of
such a filter is)
My main idea now is to refuse connection using a much smaller
self-maintained filter file that contains a list of IPs of "known bad
actors". Where I am stymied on that is knowing how to add entries to
the filter file inside exim, at the time AUTH is attempted (or perhaps
other objectionable activity). I presume a custom logging file would
not work because it would always be open while exim is running, so
could not be opened for filtering.
Any help appreciated (including better ideas).
Phil Carroll
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
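The fail2ban approach suggested above (ban an address once it produces a threshold number of rejections inside a time window, then feed the result to Exim as a "known bad actors" file) is sketched here as an added Python example. It is not part of the original thread and not fail2ban's or Exim's own code. The log lines are constructed for the example; the regular expression assumes the "SMTP protocol error ... [ip] AUTH command used when not advertised" shape of Exim's main/reject log for this case, and should be checked against a real mainlog before use. The file name and ban parameters are placeholders.

```python
"""Derive a "known bad actors" list from Exim's own rejection log lines,
the way fail2ban would: maxretry failures inside findtime => ban.
Added example; the log lines below are constructed, and the log-line
format the regex assumes should be verified against a real Exim mainlog."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shape of the Exim log line for an AUTH attempt when AUTH is not
# advertised. Only the timestamp, the bracketed client IP and the fixed
# reason text are relied on. A fail2ban failregex for the same event would
# be this pattern with the "ip" group replaced by fail2ban's <HOST> token.
AUTH_REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r".*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*"
    r"AUTH command used when not advertised"
)

# Constructed sample log: one client hammering AUTH, one well-behaved
# delivery, and one client whose attempts are too spread out to trip a
# 10-minute window.
SAMPLE_LOG = """\
2016-04-29 15:30:01 SMTP protocol error in "AUTH LOGIN" H=(client) [203.0.113.5] AUTH command used when not advertised
2016-04-29 15:30:01 SMTP protocol error in "AUTH LOGIN" H=(client) [203.0.113.5] AUTH command used when not advertised
2016-04-29 15:30:02 SMTP protocol error in "AUTH LOGIN" H=(client) [203.0.113.5] AUTH command used when not advertised
2016-04-29 15:31:10 1b68Xk-0001Qz-3W <= sender@example.org H=mail.example.org [198.51.100.7] P=esmtp S=1234
2016-04-29 15:35:00 SMTP protocol error in "AUTH PLAIN" H=(x) [192.0.2.9] AUTH command used when not advertised
2016-04-29 16:40:00 SMTP protocol error in "AUTH PLAIN" H=(x) [192.0.2.9] AUTH command used when not advertised
2016-04-29 17:45:00 SMTP protocol error in "AUTH PLAIN" H=(x) [192.0.2.9] AUTH command used when not advertised
""".splitlines()


def parse_auth_rejects(lines):
    """Yield (timestamp, ip) for every line that is a 503 AUTH rejection."""
    for line in lines:
        m = AUTH_REJECT_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time the threshold was crossed} for each IP that produced
    at least `maxretry` rejections inside any `findtime` window. These are
    fail2ban's maxretry/findtime semantics applied over a sliding window."""
    hits = defaultdict(list)
    for ts, ip in parse_auth_rejects(lines):
        hits[ip].append(ts)
    banned = {}
    for ip, stamps in hits.items():
        stamps.sort()
        # Compare each hit with the one maxretry-1 hits earlier: if that
        # span fits inside findtime, the window held maxretry hits.
        for i in range(maxretry - 1, len(stamps)):
            if stamps[i] - stamps[i - maxretry + 1] <= findtime:
                banned[ip] = stamps[i]
                break
    return banned


def render_iplsearch(banned):
    """Render the banned IPs as an Exim iplsearch-style file: one
    "key: data" line per address. Exim only matches on the key; the
    text after the colon is a note for the human maintaining the file."""
    return "".join(f"{ip}/32: auth-reject {when:%Y-%m-%d %H:%M:%S}\n"
                   for ip, when in sorted(banned.items()))


if __name__ == "__main__":
    # Placeholder path; in practice write this file where the Exim ACL
    # that consults the list can read it.
    print(render_iplsearch(find_offenders(SAMPLE_LOG)), end="")
```

Running the script prints a single `203.0.113.5/32: ...` line: the client that sent three AUTHs within a second is listed, the one that sent three over two hours is not, and the normal delivery is ignored. A file in this form can be consulted from a host list in an Exim ACL (for example `deny hosts = net-iplsearch;/path/to/badactors` in the connect ACL); as the reply above notes, none of this helps against attempts that rarely repeat from the same address.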