[CentOS] Sendmail SMTP Brute-Force Attack

Shiv. Nath

prabhpal at digital-infotech.net
Fri Jun 15 16:25:00 UTC 2012


On 6/14/12 11:33 PM, Gustavo Lacoste wrote:
> Dear CentOS Community
>
> It is totally clear there's no support for the sendmail platform today, but I need to
> stop an SMTP brute-force attack on sendmail. My server is being attacked today; my
> maillog looks like:
>
> 4624 at myserver.com>, proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1]
> Jun 14 19:07:01 at6412 sendmail[24627]: q5EN71jC024627: from=<>, size=3958,
> class=0, nrcpts=1, msgid=<201206142307.q5EN710u024623 at myserver.com>,
> proto=ESMTP, daemon=MTA, relay=myserver.com [127.0.0.1]
> Jun 14 19:07:23 at6412 sendmail[24868]: q5EN7M6D024868: from=<
> qmarket at qmarket.cl>, size=2193, class=0, nrcpts=2, msgid=<
> 20120614231448.1E99A13EE5F at smtp02qmarket.qmarket.cl>, proto=ESMTP,
> daemon=MTA, relay=[200.1.174.121]
> Jun 14 19:07:24 at6412 sendmail[24961]: q5EN7OT4024961: from=<
> nobody at 2012.123icq.cl>, size=4716, class=0, nrcpts=1, msgid=<
> E1SfJ8H-0005kv-JE at 2012.123icq.cl>, proto=ESMTP, daemon=MTA, relay=
> pc1.globalmac.cl [200.29.231.61] (may be forged)
> Jun 14 19:07:33 at6412 sendmail[25013]: q5EN7SqK025013: from=<
> a.pfsvtij at yahoo.com>, size=760, class=0, nrcpts=1, msgid=<
> 1531549-634033-36 at owfzdl.net>, proto=SMTP, daemon=MTA, relay=
> h095159149119.ys.dsl.sakhalin.ru [95.159.149.119]
> Jun 14 19:07:37 at6412 sendmail[25065]: q5EN7bCj025065: from=<
> en.viaimport at gmail.com>, size=4531, class=0, nrcpts=0, proto=ESMTP,
> daemon=MTA, relay=186-105-73-29.baf.movistar.cl [186.105.73.29]
>
>
> I need help to STOP these spammers right now.
>
> Thanks in advance to anyone who can guide me
>
>
> With Kind Regards,
>
>       Gustavo A. Lacoste Z.
>       Curacautín - Chile
>       Skype: knxroot
>       Msn&  Gtalk: knx.root [at] gmail.com
>       Home page: http://www.lacosox.org

Hi,

There are a few solutions available to do this.

1.) Install & configure fail2ban

2.) Using iptables: I don't know if it is applicable to you

# Limit the number of new connections a source can make to port 25 with a simple
# iptables rule: a source that has already opened three connections in the last
# 60 seconds is dropped, and because --update also records the dropped attempt,
# a client that keeps retrying stays blocked until it has been quiet for a minute.
# Note that this counts TCP connections, not errors inside the SMTP session.
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
-A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set

I trust this helps. There is another solution, but you do not use Postfix:

# Postfix main.cf: per-client limits enforced by the anvil(8) server.
# "Per time unit" means anvil_rate_time_unit, which is 60s by default.

# How many simultaneous connections any client is allowed to make to this service.
smtpd_client_connection_count_limit = 3

# The maximal number of connection attempts any client is allowed to make to this
# service per time unit.
smtpd_client_connection_rate_limit = 10

# The maximal number of message delivery requests that any client is allowed to make
# to this service per time unit, regardless of whether or not Postfix actually accepts
# those messages.
smtpd_client_message_rate_limit = 20

# The maximal number of recipient addresses that any client is allowed to send to this
# service per time unit, regardless of whether or not Postfix actually accepts those
# recipients.
smtpd_client_recipient_rate_limit = 500

# Clients that are excluded from connection count, connection rate, or SMTP request
# rate restrictions.
smtpd_client_event_limit_exceptions = $mynetworks

Thanks
