Date: Mon, 15 Jun 2015 12:43:45 -0700
From: Doug Hardie <bc979@lafn.org>
To: Matthias Apitz <guru@unixarea.de>
Cc: FreeBSD - <freebsd-questions@freebsd.org>
Subject: Re: Sendmail Modification
Message-ID: <59F87B01-14B2-4576-BB11-0F6EAD9121E8@lafn.org>
In-Reply-To: <20150615091058.GA2965@c720-r276659>
References: <BFE727A9-33F5-4FB1-9C6D-46312AEE57AE@lafn.org> <20150615091058.GA2965@c720-r276659>
> On 15 June 2015, at 02:10, Matthias Apitz <guru@unixarea.de> wrote:
>
> On Monday, June 15, 2015 at 01:51:29AM -0700, Doug Hardie wrote:
>
>> I need to modify sendmail such that when an SMTP-AUTH request fails, sendmail drops the connection. I am constantly being hit by password guessing attempts. My first thought was to introduce a 1 or 2 minute delay after an authentication failure. However, I suspect the attackers would just open a new connection and leave me with bunches of connections waiting to time out. Hence the need to drop the connection.
>>
>> Looking through the code it appears there are 2 places in srvrsmtp.c where the SASL return code is not SASL_OK or SASL_CONT. An "AUTH failure" is logged in both those instances. I believe that an exit right after the RESET_SASLCONN would do what I need. Does this appear to be the right place?
>>
>
> What would be the benefit from such a reset/exit? The attacker would
> fire up the next connection with the next password guess. Can you
> identify the source IP addr and if so just block it with ipfilter or
> some firewall

I have been using the equivalent of fail2ban for over 4 years now. I have blocked all non-US IP addresses and over 4K US IP addresses. Doesn't help anymore. I get thousands of connections daily attempting password guessing. The benefit is that they have to renegotiate an SSL connection which I suspect will break most of their scripts. It will at least place more of a burden on their systems. The SMTP protocol uses almost zero overhead to try multiple passwords.
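The thread above turns on two facts: sendmail logs an "AUTH failure" line for every rejected SASL attempt, and the only countermeasure short of patching srvrsmtp.c is to spot repeat offenders in that log and block them at the firewall. The script below is an added example (not code from either poster, nor from sendmail or fail2ban) of that detection step: it parses sendmail-style maillog lines, counts failures per client address inside a sliding time window, and emits ipfilter block rules for addresses that cross a threshold. The log line shape (syslog timestamp, `sm-mta[pid]`, `AUTH failure (MECH)`, client address in trailing square brackets), the interface name `em0`, and the sample lines themselves are all constructed assumptions for the example.

```python
"""Count sendmail SMTP AUTH failures per client IP and report addresses
that cross a threshold inside a sliding window (fail2ban-style logic).

Added example; it assumes the log line shape matched by AUTH_FAIL_RE and
the sample lines in SAMPLE_MAILLOG are constructed, not real log data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape: "<Mon dd HH:MM:SS> <host> sm-mta[<pid>]: ... AUTH failure (<MECH>) ... [<client ip>]"
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?:sm-mta|sendmail)\[\d+\]: "
    r".*AUTH failure \((?P<mech>[A-Z0-9-]+)\).*\[(?P<ip>[0-9A-Fa-f.:]+)\]\s*$"
)

# Constructed sample: one client fails three times in nine seconds, another
# fails three times but spread over 37 minutes, plus one successful AUTH line.
SAMPLE_MAILLOG = """\
Jun 15 12:01:05 mail sm-mta[4711]: t5FJ15xx004711: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=bob [198.51.100.7]
Jun 15 12:01:09 mail sm-mta[4712]: t5FJ19xx004712: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=bob [198.51.100.7]
Jun 15 12:01:14 mail sm-mta[4713]: t5FJ1Exx004713: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=alice [198.51.100.7]
Jun 15 12:02:30 mail sm-mta[4720]: t5FJ2Uxx004720: AUTH=server, relay=[203.0.113.5], authid=carol, mech=LOGIN, bits=0
Jun 15 12:03:00 mail sm-mta[4721]: t5FJ30xx004721: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=carol [203.0.113.5]
Jun 15 12:25:00 mail sm-mta[4800]: t5FJP0xx004800: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=carol [203.0.113.5]
Jun 15 12:40:00 mail sm-mta[4801]: t5FJe0xx004801: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=carol [203.0.113.5]
"""


def parse_auth_failure(line, year=2015):
    """Return (timestamp, mechanism, client_ip) for an AUTH failure line, else None.

    syslog timestamps carry no year, so the caller supplies it.
    """
    m = AUTH_FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["mech"], m["ip"]


def offenders(lines, threshold=3, window_seconds=600, year=2015):
    """Return {ip: time_of_trip} for clients with >= threshold AUTH failures
    inside any window_seconds-long sliding window.  Lines must be in time order,
    as they are in a maillog.  Successful AUTH lines and unrelated lines are ignored.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    tripped = {}
    for line in lines:
        parsed = parse_auth_failure(line, year)
        if parsed is None:
            continue
        ts, _mech, ip = parsed
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window before counting.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return tripped


def ipf_block_rules(tripped, iface="em0"):
    """Render one ipfilter rule per tripped address, blocking inbound SMTP only.
    The interface name is an assumption; the rules are returned, not installed.
    """
    return [
        f"block in quick on {iface} proto tcp from {ip}/32 to any port = 25"
        for ip in sorted(tripped)
    ]


if __name__ == "__main__":
    hits = offenders(SAMPLE_MAILLOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} tripped at {when:%H:%M:%S}")
    print("\n".join(ipf_block_rules(hits)))
```

With the defaults (three failures in ten minutes) only 198.51.100.7 trips; 203.0.113.5 spaces its attempts far enough apart that each one ages out before the next arrives, which is exactly the low-and-slow pattern a per-window counter will miss. Widening the window to an hour and lowering the threshold to two catches it, at the cost of more false positives from users mistyping a password, so the two knobs should be tuned against the real log rather than guessed.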