[Mimedefang] detect failed auth
Tomasz Ostrowski
tometzky at batory.org.pl
Thu Oct 9 04:37:20 EDT 2014
On 2014-09-10 16:29, David F. Skoll wrote:
> Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: dfs at hydrogen.roaringpenguin.com [192.168.10.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
I've recently configured fail2ban on my CentOS5 server with blocking
based solely on this line:
> Oct 9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Installed fail2ban from EPEL. Created /etc/fail2ban/filter.d/smtp.conf:
================================================
# Fail2Ban filter for sendmail authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = sendmail
failregex = ^ ?%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be
forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$
ignoreregex =
================================================
And created /etc/fail2ban/jail.local:
================================================
> [DEFAULT]
> ignoreip = 127.0.0.0/8 192.168.0.0/16
> usedns = no
>
> [ssh-iptables]
> enabled = false
>
> [smtp]
> enabled = true
> filter = smtp
> action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp, blocktype=DROP]
> logpath = /var/log/maillog
================================================
Then simply run:
# chkconfig fail2ban on
# service fail2ban start
And bruteforce attacks slowed considerably. I think this would work also
for CentOS/RHEL6 with no modifications.
I assumed that no legitimate client would connect with not issuing
MAIL/EXPN/VRFY/ETRN. Definitely not more than two times in 5 minutes to
trigger a ban.
There could be problem if some user would try to login with bad password
more than twice in 5 minutes - he would not be able to send mail for an
hour.
Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
More information about the MIMEDefang
mailing list