Drop smtp connection before authentication


Drop smtp connection before authentication

by Edison F Carbol

Hi,

Is it possible to drop smtp connection before authentication per username?

My server is congested with many attempts to authenticate with a deleted
account.

Thanks,


Edison


--
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: Drop smtp connection before authentication

by Dave Evans-20

On Mon, Jul 20, 2009 at 10:12:29AM -0300, Edison F Carbol wrote:
> Hi,
>
> Is it possible to drop smtp connection before authentication per username?
>
> My server is congested with many attempts to authenticate with a deleted
> account.

Sorry, I don't really understand your question.

You can probably drop the connection wherever you want to - Exim is pretty
flexible - but presumably you want to drop only /some/ connections, not all of
them.  What criteria do you intend to use to distinguish between the two?  At
what phase of the SMTP transaction would you like the connection to be
dropped?

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey



Re: Drop smtp connection before authentication

by Peter-360

Den 2009-07-20 3:12, Edison F Carbol skrev:
> Hi,
>
> Is it possible to drop smtp connection before authentication per username?
> My server is congested with many attempts to authenticate with a deleted
> account.

Hi,
I guess you could drop at the HELO stage, based on a text file of IP
addresses, like

   deny condition = ${lookup{$sender_host_address}lsearch{banedip.txt}{yes}{no}}

and a cron job to grep all bad IPs:

   grep -o "authenticator failed for.*" /var/log/exim4/mainlog | sort | uniq -c |
     grep "^\ *[0-9]\{2,4\} " |
     grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" > banedip.txt

(the above bans IPs where failed auth attempts > 9; the sort before uniq -c
is needed so that non-adjacent repeats of the same line are counted together)
On my system I grep a few other log files as well, but I add the IPs this
script finds to a drop list in iptables (less CPU time used).

Also on my system I have just now added

   warn log_message = Possible hacked useraccount $authenticated_id
        authenticated = *
        sender_domains = !+local_domains

due to some (new?) virus/malware stealing my users' logins.
So heads up.

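As an added example (not code from the thread), here is the log-grep idea from the post above written as a shell function: it counts failed AUTH attempts per client address with a sort before uniq -c (so non-adjacent repeats are counted), takes the threshold as a parameter, and prints the list in the "key: data" form that an lsearch lookup reads. The mainlog lines and addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of Exim mainlog lines (not real data). 192.0.2.10 fails
# three times, 198.51.100.7 once, and 203.0.113.5 fails once but also
# authenticates successfully, so a sane threshold must not list it.
SAMPLE_LOG='2009-07-20 10:12:29 plain authenticator failed for (x) [192.0.2.10]: 535 Incorrect authentication data (set_id=olduser)
2009-07-20 10:12:31 login authenticator failed for (x) [198.51.100.7]: 535 Incorrect authentication data (set_id=olduser)
2009-07-20 10:12:35 plain authenticator failed for (x) [192.0.2.10]: 535 Incorrect authentication data (set_id=olduser)
2009-07-20 10:13:02 <= alice@example.org H=(mail) [203.0.113.5] P=esmtpa A=plain:alice S=1234
2009-07-20 10:13:40 login authenticator failed for (y) [192.0.2.10]: 535 Incorrect authentication data (set_id=olduser)
2009-07-20 10:14:01 plain authenticator failed for (y) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)'

# badauth_ips THRESHOLD: read mainlog lines on stdin and print "ip: count"
# for every client address with at least THRESHOLD failed AUTH attempts.
# Only the "authenticator failed for" lines are considered; the address is
# the bracketed token on that line (IPv4 or IPv6).
badauth_ips() {
    threshold=$1
    grep 'authenticator failed for' \
      | sed -n 's/.*\[\([0-9A-Fa-f.:]*\)\].*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { printf "%s: %d\n", $2, $1 }'
}

# Run over the constructed sample; a cron job would instead read
# /var/log/exim4/mainlog and redirect the output into the lsearch file.
printf '%s\n' "$SAMPLE_LOG" | badauth_ips 3
```

With threshold 3 only 192.0.2.10 is listed; the address that also carried a successful login stays off the list, which is the kind of shared-IP case Dave warns about further down the thread.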

Re: Drop smtp connection before authentication

by Edison F Carbol

Hi Dave,

My server is under a kind of attack. Lots of connections are trying to
authenticate with the same username, which doesn't exist.

I'd like to drop all connections from a specific username before SMTP
authentication or any layer above.

Is it possible to get the username at acl_smtp_auth?

Thanks,


Edison



Re: Drop smtp connection before authentication

by Bugzilla from peter@bowyer.org

2009/7/20 Edison F Carbol <caref@...>:

> I´d like to drop all connections from a specific username before smtp
> authentication or any layer above.

Your challenge, then, is to know what username a connection is going
to authenticate with before it does so. Make sure your Exim is
compiled with

CRYSTAL_BALL=1

Peter

--
Peter Bowyer
Email: peter@...
Follow me on Twitter: twitter.com/peeebeee


Re: Drop smtp connection before authentication

by Dave Evans-20

On Mon, Jul 20, 2009 at 02:05:45PM -0300, Edison F Carbol wrote:
> My server is under a kind of attack. Lot of connections are trying to
> authenticate with the same username that doesn´t exist.
>
> I´d like to drop all connections from a specific username before smtp
> authentication or any layer above.
>
> Is it possible to get the username at acl_smtp_auth?

When you say "from a specific username", do you mean the SMTP AUTH username?
In general, you can't drop connections "from a username" without first
allowing the AUTH to proceed, so you know what the username is.

If your server is handling the load just fine anyway, I'd say do nothing.  The
unwanted traffic will probably subside soon enough.

If it's *not* handling the load just fine, then the only suggestion I can
offer is to see if the same IPs are "attacking" again and again, and if they
are (and those IPs are *only* "attacking", they're not also performing
legitimate transactions), then block the offending IP addresses; either at
your firewall, or in acl_smtp_connect.

(acl_smtp_connect is probably easier to implement and could even be automated;
but each attacking connection still uses a non-negligible amount of server
resource).

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey



Re: Drop smtp connection before authentication

by Edison F Carbol

Dave,

This is what I'm doing now.

The first time this username tries to authenticate, I get his IP at SMTP auth
and then block it at acl_smtp_auth.

Thank you for your help.


Edison



Re: Drop smtp connection before authentication

by Dean Brooks

On Mon, Jul 20, 2009 at 10:12:29AM -0300, Edison F Carbol wrote:
> Is it possible to drop smtp connection before authentication per username?
>
> My server is congested with many attempts to authenticate with a deleted
> account.

Here's what we use to automatically control failed authentication attempts.
If you have this in place, your server will automatically begin rejecting
hosts that send repeated auth failure attempts.

You can change the BADAUTH_LIMIT macro to any rate you like, but we use
15 failed attempts in 2 hours as the threshold.

In the global config section of your config:

   BADAUTH_LIMIT = 15 / 2h

   acl_smtp_connect = check_connection
   acl_smtp_quit = check_quit
   acl_smtp_notquit = check_notquit

In the ACL section of your config:

   check_connection:
       drop message   = Too many failed authentication attempts
            ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address

   check_quit:
       accept condition = ${if eq{$authentication_failed}{1}}
              ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address

   check_notquit:
       accept condition = ${if eq{$authentication_failed}{1}}
              ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address

We need the rate limiting portion in BOTH the "quit" and "notquit" sections
for this to work properly, as you don't know how the connection will
end up closing.

You also don't want to put the ratelimiting in the RCPT or DATA section,
because the connection will never get that far (they haven't authenticated!).
You can't put it in the MAIL section either because, again, they haven't
authenticated.

Thought someone else might find this useful.  Rate limits are fun.  :)

--
Dean Brooks
dean@...


Re: Drop smtp connection before authentication

by W B Hacker

Edison F Carbol wrote:

> Hi,
>
> Is it possible to drop smtp connection before authentication per username?
>
> My server is congested with many attempts to authenticate with a deleted
> account.
>
> Thanks,
>
>
> Edison
>
>

Easily.

However .....

unless those unwanted attempts have characteristics, such as arriving from the
same IP, wherein no other active account might also exist, (old/new,
husband/wife) or at least from the same 'pool' of IP, such as a
dynamically-assigned 'connectivity' ISP user community, wherein you have
*neither* a valid user, *nor* a potential 'proper' correspondent MTA

-- in which case you can reject on source IP or source CIDR range either in
Exim's 'connect' phase or just a bit later, (or even in a firewall ahead of Exim...)


-- in any other case, you will have to do enough 'qualifying' to prevent harm to
other arrivals...

...that you might just as well let the authorization fail.

You could be saving the 'cost' of setting-up an encrypted session and doing some
form of DB lookup to fail the auth so it IS worth the attempt.

Personally, I'd be tempted to divert the connection and sort of tarpit it,
and/or allow a POP/IMAP read connection and pop a 'no longer active' notice into
his 'Mailbox' (or known forwarding address) each time he makes an attempt to
auth onto Exim for sending.

That might motivate the former user to change the MUA settings that are trying
to automagically log in to the dead account.

HTH,

Bill


Re: Drop smtp connection before authentication

by Todd Lyons

On Mon, Jul 20, 2009 at 11:57 AM, Dean Brooks<dean@...> wrote:
> You can change the BADAUTH_LIMIT macro to any rate you like, but we use
> 15 failed attempts in 2 hours as the threshold.

In the event that a user gets blocked, how do you expediently handle
the case where tech support helps a user fix the password and then
retries to send?  What do you do to purge the db file that holds this
info?  Is it actually in a hints database?  Or is it all in memory at
this point?

--
Regards...      Todd
