Mailing List Archive: exim: users

ratelimit based on invalid authentication



arekm at maven

Jul 8, 2012, 1:11 PM

Post #1 of 4 (481 views)
ratelimit based on invalid authentication

Hi,

Is there a way to rate limit host based on invalid authentication? I'm
limiting on lack of auth but how to do the similar thing for invalid auth?

2012-07-08 22:09:33 login authenticator failed for (aabb) [x.x.x.x]: 535
Incorrect authentication data (set_id=...)
--
Arkadiusz Miśkiewicz, arekm / maven.pl

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


dean at iglou

Jul 8, 2012, 6:55 PM

Post #2 of 4 (470 views)
Re: ratelimit based on invalid authentication [In reply to]

On Sun, Jul 08, 2012 at 10:11:17PM +0200, Arkadiusz Miśkiewicz wrote:
> Is there a way to rate limit host based on invalid authentication? I'm
> limiting on lack of auth but how to do the similar thing for invalid auth?
>
> 2012-07-08 22:09:33 login authenticator failed for (aabb) [x.x.x.x]: 535
> Incorrect authentication data (set_id=...)

I have included below the configuration we are using to do this. If
you have this in place, your server will automatically begin rejecting
hosts that send repeated auth failure attempts.

You can change the BADAUTH_LIMIT macro below to any rate you like, but
we use 15 failed attempts within 2 hours as our threshold.

In the global config section of your config:

BADAUTH_LIMIT = 15 / 2h

acl_smtp_connect = check_connection
acl_smtp_quit = check_quit
acl_smtp_notquit = check_notquit

In the ACL section of your config:

check_connection:
  drop message   = Too many failed authentication attempts
       ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address

check_quit:
  accept condition = ${if eq{$authentication_failed}{1}}
         ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address

check_notquit:
  accept condition = ${if eq{$authentication_failed}{1}}
         ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address

The rate limiting counters are incremented in both the "quit" and
"notquit" sections. Both are needed as you don't know if the
connection will end up closing gracefully. Failed authentications
will immediately go to either the check_quit or check_notquit acls.

The entry in check_connection doesn't increment the counters, it only
reads from them, and drops the connection if over the threshold. You
can't put the ratelimiting in the MAIL, RCPT or DATA sections because
the connection will never get that far (they haven't authenticated!).

Hope this helps.

--
Dean Brooks
dean [at] iglou

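A way to check Dean's 15 / 2h threshold offline against an Exim main log, added here as an example that is not from the thread or from Exim itself: it parses the "535 Incorrect authentication data" lines quoted above and counts failures per client address in a sliding two-hour window. This is a simplified model of the badauth:$sender_host_address ratelimit, not Exim's own smoothed-rate algorithm; the sample log lines, addresses and message id are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

BADAUTH_LIMIT = 15                   # Dean's threshold: more than 15 failures ...
BADAUTH_PERIOD = timedelta(hours=2)  # ... in any trailing two-hour window

# Main-log line quoted in the thread: "... login authenticator failed for (aabb) [x.x.x.x]: 535 ..."
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r".*?\[(?P<ip>[^\]]+)\](?::\d+)?: 535 ")   # optional :port if incoming_port is logged

def parse_auth_failure(line):
    """Return (timestamp, client IP) for a 535 auth-failure line, else None."""
    m = AUTH_FAIL_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def hosts_over_limit(lines, limit=BADAUTH_LIMIT, period=BADAUTH_PERIOD):
    """Sliding-window model of badauth:$sender_host_address (not Exim's own
    smoothed-rate algorithm). Returns {ip: time the host first went over}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:            # lines must be in time order per host
        parsed = parse_auth_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > period:   # expire failures older than the period
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

def _line(ts, ip):   # constructed log line in the format quoted in the thread
    return (f"{ts:%Y-%m-%d %H:%M:%S} login authenticator failed for (aabb) "
            f"[{ip}]: 535 Incorrect authentication data (set_id=user)")

T0 = datetime(2012, 7, 8, 22, 0, 0)
SAMPLE_LOG = (   # constructed: a burst (16 in 30 min), a slow drip (every 10 min), a delivery line
    [_line(T0 + timedelta(minutes=2 * i), "192.0.2.10") for i in range(16)]
    + [_line(T0 + timedelta(minutes=10 * i), "192.0.2.20") for i in range(16)]
    + ["2012-07-08 22:05:00 1SoAbC-0001Xy-Qz => bob@example.org R=local_user T=local_delivery"])

def run_sample():
    return hosts_over_limit(SAMPLE_LOG)
```

Only the bursting host trips the limit; the host failing once every ten minutes never has more than 13 failures inside any two-hour window, which is the behaviour the 15 / 2h rate is meant to give.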


tlyons at ivenue

Jul 8, 2012, 8:12 PM

Post #3 of 4 (466 views)
Re: ratelimit based on invalid authentication [In reply to]

On Sun, Jul 8, 2012 at 6:55 PM, Dean Brooks <dean [at] iglou> wrote:
>
> I have included below the configuration we are using to do this. If
> you have this in place, your server will automatically begin rejecting
> hosts that send repeated auth failure attempts.
>
> You can change the BADAUTH_LIMIT macro below to any rate you like, but
> we use 15 failed attempts within 2 hours as our threshold.

Hmmm, your code is simple yet elegant. Very nice! I'd like to do
this same thing, but I need it to work across load balanced servers so
I need the data to be stored in a central location such as memcache.
I'll see if I can wrangle up some kinda way to do that.

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine



Lena at lena

Jul 9, 2012, 6:29 AM

Post #4 of 4 (474 views)
Re: ratelimit based on invalid authentication [In reply to]

> From: Arkadiusz Miśkiewicz

> Is there a way to rate limit host based on invalid authentication?

WARNTO = abuse [at] example
EXIMBINARY = /usr/local/sbin/exim -f root
SHELL = /bin/sh
acl_smtp_auth = acl_check_auth
acl_smtp_quit = acl_check_quit
acl_smtp_notquit = acl_check_notquit
acl_smtp_mail = acl_check_mail
acl_smtp_connect = acl_check_connect

begin acl

acl_check_auth:
  drop message = authentication is allowed only once per message in order \
                 to slow down bruteforce cracking
       set acl_m_auth = ${eval10:0$acl_m_auth+1}
       condition = ${if >{$acl_m_auth}{2}}
       delay = 22s

  drop message = blacklisted for bruteforce cracking attempt
       set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
       condition = ${if >{$acl_c_authnomail}{4}}
       continue = ${run{SHELL -c "echo $sender_host_address \
                  >>$spool_directory/blocked_IPs; \
                  \N{\N echo Subject: $sender_host_address blocked; echo; echo \
                  for bruteforce auth cracking attempt.; \
                  \N}\N | EXIMBINARY WARNTO"}}

  accept

acl_check_quit:
  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       logwrite = :reject: quit after authentication failed: \
                  ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
       ratelimit = 7 / 5m / strict / per_conn
       continue = ${run{SHELL -c "echo $sender_host_address \
                  >>$spool_directory/blocked_IPs; \
                  \N{\N echo Subject: $sender_host_address blocked; echo; echo \
                  for bruteforce auth cracking attempt.; \
                  \N}\N | EXIMBINARY WARNTO"}}

acl_check_notquit:
  warn condition = ${if def:authentication_failed}
       condition = $authentication_failed
       logwrite = :reject: $smtp_notquit_reason after authentication failed: \
                  ${sg{$sender_rcvhost}{\N[\n\t]+\N}{\040}}
       condition = ${if eq{$smtp_notquit_reason}{connection-lost}}
       ratelimit = 7 / 5m / strict / per_conn
       continue = ${run{SHELL -c "echo $sender_host_address \
                  >>$spool_directory/blocked_IPs; \
                  \N{\N echo Subject: $sender_host_address blocked; echo; echo \
                  for bruteforce auth cracking attempt.; \
                  \N}\N | EXIMBINARY WARNTO"}}

acl_check_mail:
  accept set acl_c_authnomail = 0

acl_check_connect:
  drop message = $sender_host_address locally blacklisted for a bruteforce \
                 auth (login+password) cracking attempt
       condition = ${if exists{$spool_directory/blocked_IPs}}
       condition = ${lookup{$sender_host_address}lsearch\
                   {$spool_directory/blocked_IPs}{1}{0}}

  accept


