Re: [Mimedefang] detect failed auth

Thu, 09 Oct 2014 01:58:06 -0700 

On 2014-09-10 16:29, David F. Skoll wrote:


Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: 
d...@hydrogen.roaringpenguin.com [192.168.10.1] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to MTA-v6



I've recently configured fail2ban on my CentOS5 server with blocking 
based solely on this line:

Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: 
cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue 
MAIL/EXPN/VRFY/ETRN during connection to MTA


Installed fail2ban from EPEL. Created /etc/fail2ban/filter.d/smtp.conf:
================================================
# Fail2Ban filter for sendmail authentication failures
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = sendmail

failregex = ^ ?%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be 
forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$

ignoreregex =
================================================

And created /etc/fail2ban/jail.local:
================================================

[DEFAULT]
ignoreip = 127.0.0.0/8 192.168.0.0/16
usedns   = no

[ssh-iptables]
enabled  = false

[smtp]
enabled  = true
filter   = smtp
action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", 
protocol=tcp, blocktype=DROP]
logpath  = /var/log/maillog

================================================

Then simply run:
# chkconfig fail2ban on
# service fail2ban start


And bruteforce attacks slowed considerably. I think this would work also 
for CentOS/RHEL6 with no modifications.




I assumed that no legitimate client would connect with not issuing 
MAIL/EXPN/VRFY/ETRN. Definitely not more than two times in 5 minutes to 
trigger a ban.



There could be problem if some user would try to login with bad password 
more than twice in 5 minutes - he would not be able to send mail for an 
hour.




Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
                                                      Winnie the Pooh
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang






















					Reply via email to