On 2014-09-10 16:29, David F. Skoll wrote:
> Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670:
> d...@hydrogen.roaringpenguin.com [192.168.10.1] did not issue
> MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
I've recently configured fail2ban on my CentOS5 server with blocking
based solely on this line:
Oct 9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Installed fail2ban from EPEL. Created /etc/fail2ban/filter.d/smtp.conf:
================================================
# Fail2Ban filter for sendmail: clients that connected to the MTA but
# never issued MAIL/EXPN/VRFY/ETRN (typical of SMTP AUTH brute-forcing)
#
[INCLUDES]
# common.conf supplies __prefix_line (the syslog host/daemon prefix),
# built from the _daemon value set below
before = common.conf
[Definition]
_daemon = sendmail
# Matches lines such as
#   s998Gc97016834: host.example [203.0.113.7] (may be forged) did not issue
#   MAIL/EXPN/VRFY/ETRN during connection to MTA
# <HOST> captures the bracketed client IP; the reverse-DNS name and the
# "(may be forged)" marker are optional; only daemons named MTA or TLSMTA match
failregex = ^ ?%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$
ignoreregex =
================================================
And created /etc/fail2ban/jail.local:
================================================
[DEFAULT]
# never ban localhost or the LAN
ignoreip = 127.0.0.0/8 192.168.0.0/16
usedns = no
# maxretry, findtime and bantime are inherited from jail.conf unless set here
[ssh-iptables]
# the stock jail.conf enables this jail; turned off here
enabled = false
[smtp]
enabled = true
filter = smtp
# DROP instead of the action's default REJECT; covers submission (587),
# smtps (465) and smtp (25)
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp, blocktype=DROP]
logpath = /var/log/maillog
================================================
Then simply run:
# chkconfig fail2ban on
# service fail2ban start
And brute-force attacks slowed considerably. I think this would also work
on CentOS/RHEL6 with no modifications.
I assumed that no legitimate client would connect without issuing
MAIL/EXPN/VRFY/ETRN, and definitely not more than two times in 5 minutes,
which triggers a ban.
There could be a problem if a user tried to log in with a bad password
more than twice in 5 minutes: they would not be able to send mail for an
hour.
Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
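The following is an added example, not code from Tometzky's post or from fail2ban itself: it runs the failregex from the post over a handful of maillog lines in Python and tallies matches per client IP the way fail2ban's filter does before comparing the count with maxretry. The timestamp stripping, the hand-expanded stand-ins for %(__prefix_line)s and <HOST>, and every sample log line except the one quoted in the post are assumptions constructed for the example. It also shows which lines the regex does not count: a normal from= envelope line, and a daemon named MTA-v6, since the pattern only accepts MTA or TLSMTA at the end of the line.

```python
import re

# Added example (not from the post): apply the post's fail2ban failregex to
# constructed maillog lines and tally matches per client IP, as fail2ban's
# filter and failure manager do before comparing the tally with maxretry.

# fail2ban strips the syslog timestamp before matching; this pattern stands
# in for that step (simplification, assumed here).
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Hand-expanded stand-in for %(__prefix_line)s with _daemon = sendmail:
# "<hostname> sendmail[<pid>]: ". Approximates common.conf (assumption).
PREFIX_LINE = r"\S+ sendmail(?:\[\d+\])?: "

# The 0.8-series expansion of the <HOST> tag as I recall it (assumption).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from the post, with the two placeholders substituted.
FAILREGEX = re.compile(
    r"^ ?" + PREFIX_LINE + r"\w{14}: (\S+ )?\[" + HOST
    + r"\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN "
    + r"during connection to (TLS)?MTA$"
)

# Constructed sample log. The first line is the one quoted in the post; the
# rest are made up to exercise the optional groups and two non-matches: a
# daemon named "MTA-v6" (the regex only accepts MTA or TLSMTA) and an
# ordinary from= envelope line.
SAMPLE_LOG = """\
Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:18:02 batyskaf sendmail[16840]: s998I2Ab016840: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Oct  9 10:18:30 batyskaf sendmail[16845]: s998IUcd016845: bogus.example [198.51.100.9] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:19:01 batyskaf sendmail[16850]: s998J1Qe016850: d.example.net [192.0.2.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Oct  9 10:19:10 batyskaf sendmail[16851]: s998JAoC016851: from=<user@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
Oct  9 10:20:44 batyskaf sendmail[16860]: s998KiwX016860: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:21:09 batyskaf sendmail[16863]: s998L9Hh016863: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def match_line(line):
    """Return the client IP if fail2ban would count this line, else None."""
    body = TIMESTAMP.sub("", line, count=1)
    m = FAILREGEX.match(body)
    return m.group("host") if m else None


def count_failures(log_text):
    """Tally matching lines per client IP (ignores findtime windowing)."""
    counts = {}
    for line in log_text.splitlines():
        host = match_line(line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(log_text, maxretry=3):
    """IPs whose tally reached maxretry; fail2ban bans once failures >= maxretry."""
    return {h for h, n in count_failures(log_text).items() if n >= maxretry}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("MATCH" if match_line(line) else "-----", line[16:90])
    print(count_failures(SAMPLE_LOG))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Running it shows three distinct clients matched, of which only 203.0.113.7 reaches the default maxretry of 3; the MTA-v6 line (the form David's log shows) and the from= line are skipped. To accept other sendmail daemon names, the `(TLS)?MTA$` tail of the failregex would have to be widened.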