[CentOS] Sendmail SMTP Brute-Force Attack

Sat Jun 16 01:10:32 UTC 2012
Gustavo Lacoste <gustavo at lacosox.org>

Thanks guys! John, can you send me a simple filter for fail2ban+SMTP? I
tried using the following filters, but they are not sufficient for me yet.


*/etc/fail2ban/filter.d/sendmail.conf*

[Definition]
failregex = \[<HOST>\], reject.*\.\.\. Relaying denied
            (User unknown)\n* \[<HOST>\]
            badlogin: .* \[<HOST>\] plaintext .* SASL
            reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi\?ip=<HOST>
ignoreregex =

*/etc/fail2ban/filter.d/dovecot-pop3imap.conf*
[Definition]
failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)

With Kind Regards,

     Gustavo A. Lacoste Z.
     Curacautín - Chile
     Skype: knxroot
     Msn & Gtalk: knx.root [at] gmail.com
     Home page: http://www.lacosox.org
- -
*Please avoid sending me attachments in Word or PowerPoint format.
Read http://www.gnu.org/philosophy/no-word-attachments.es.html*
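As an added example (not from the post and not fail2ban's own code), the script below does offline what `fail2ban-regex` does for the sendmail.conf filter above: it expands `<HOST>` roughly the way fail2ban does, runs the four failregex lines over a handful of constructed sendmail-style log lines, reports which hosts would reach a jail's `maxretry`, and lists the lines that no pattern catches. The log lines, queue ids and addresses are constructed; the `<HOST>` expansion is an approximation of fail2ban's. The constructed "User unknown" line follows sendmail's `ruleset=check_rcpt` rejection format, where the relay address precedes the reason, so the second pattern from the post does not fire on it; the uncaught list is where such gaps show up.

```python
import re
from collections import defaultdict

# fail2ban replaces the <HOST> placeholder with a named group; this is an
# approximation of that expansion (optional IPv4-mapped prefix, then a run of
# non-space characters), assumed here for the offline check.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex lines from the sendmail.conf filter in the post, one per entry
# (the CBL line joined back together; mail wrapping had split it).
SENDMAIL_FAILREGEX = [
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"(User unknown)\n* \[<HOST>\]",
    r"badlogin: .* \[<HOST>\] plaintext .* SASL",
    r"reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi\?ip=<HOST>",
]

# Constructed sample log (documentation-range addresses, invented queue ids).
SAMPLE_LOG = [
    "Jun 16 00:58:01 mx sendmail[4121]: q5G0w11a004121: ruleset=check_rcpt, arg1=<x@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <x@example.net>... Relaying denied",
    "Jun 16 00:58:04 mx sendmail[4121]: q5G0w11a004121: ruleset=check_rcpt, arg1=<y@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <y@example.net>... Relaying denied",
    "Jun 16 00:58:07 mx sendmail[4121]: q5G0w11a004121: ruleset=check_rcpt, arg1=<z@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <z@example.net>... Relaying denied",
    "Jun 16 00:58:09 mx sendmail[4130]: q5G0w11b004130: ruleset=check_rcpt, arg1=<x@example.net>, relay=[192.0.2.11], reject=550 5.7.1 <x@example.net>... Relaying denied",
    "Jun 16 00:58:12 mx imap[2231]: badlogin: host.example [198.51.100.7] plaintext bob SASL(-13): authentication failure",
    "Jun 16 00:58:15 mx sendmail[4138]: q5G0w11c004138: ruleset=check_relay, arg1=[203.0.113.9], arg2=127.0.0.2, relay=[203.0.113.9], reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=203.0.113.9",
    # sendmail logs the relay address before the reason, so pattern 2 misses this one
    "Jun 16 00:58:18 mx sendmail[4142]: q5G0w11d004142: ruleset=check_rcpt, arg1=<nobody@example.net>, relay=[192.0.2.10], reject=550 5.1.1 <nobody@example.net>... User unknown",
    # a normal delivery must not match anything (false-positive check)
    "Jun 16 00:58:20 mx sendmail[4150]: q5G0w11e004150: to=<alice@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30000, dsn=2.0.0, stat=Sent",
]


def compile_failregex(patterns):
    """Expand <HOST> as fail2ban does and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def scan(lines, patterns=SENDMAIL_FAILREGEX):
    """Offline equivalent of 'fail2ban-regex <log> <filter>'.

    Returns (hits, unmatched): hits maps host -> matching log lines, unmatched
    holds the lines no pattern caught (review these for failures you meant
    to ban, and make sure legitimate traffic is only ever in this list)."""
    compiled = compile_failregex(patterns)
    hits = defaultdict(list)
    unmatched = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")].append(line)
                break
        else:  # no pattern matched this line
            unmatched.append(line)
    return dict(hits), unmatched


def offenders(hits, maxretry=3):
    """Hosts with at least maxretry matches, i.e. the ones a jail with that
    maxretry would ban (findtime windows are not modelled here)."""
    return sorted(h for h, lines in hits.items() if len(lines) >= maxretry)


if __name__ == "__main__":
    hits, unmatched = scan(SAMPLE_LOG)
    for host, lines in sorted(hits.items()):
        print(f"{host:15} {len(lines)} hit(s)")
    print("would ban (maxretry=3):", offenders(hits, 3))
    print("uncaught lines:")
    for line in unmatched:
        print("  ", line)
```

Run it against a real log by replacing `SAMPLE_LOG` with the lines of `/var/log/maillog`; anything a customer's Outlook session produces that lands in `hits` is a pattern to tighten before enabling the jail.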


2012/6/15 John Hinton <webmaster at ew3d.com>

> On 6/14/2012 8:58 PM, Gustavo Lacoste wrote:
> > The problem with my server is: I use it to offer webhosting services.
> > Some customers using Outlook are blocked because they use blacklisted
> > IPs (IPs simply are dynamic).
> >
> >
> That is the same problem I am dealing with. You have to set up a dual
> mailserver system with outbound set to not use the blacklist used on the
> inbound server or you will block some of your good users who happen to
> land on a dirty IP address from time to time. The situation is the same
> with SpamAssassin or any other anti-spam system in place.
>
> Sendmail and Postfix work the same in this regard. And I'm still not
> certain which one I like the most, after installing Postfix on our last
> 4 systems. I think the logging from Sendmail is way more logical (easier
> to comprehend), but maybe that is just because I have been reading those
> logs for many years.
>
> I would still take a look at Fail2Ban. You need to be very careful with
> your rules, but it is extremely flexible. You only provided about 30
> seconds from your mail log. Fail2ban will look over a much greater time
> span and activate whatever blocks you enable or write. I have written
> blocks based on not passing certain spam tests, such as the Spamhaus RBL
> (and yes we pay for that service). But I really didn't care for our
> systems to run the repeated DNS lookups. The rule blocks them at the
> firewall and over time, the number of blocks has decreased as many
> spammers have just quit trying. I have rules to block spammers mining
> for good email addresses (some of our domains were getting 10s of
> thousands of attempts per day). I also use Fail2Ban for FTP, SMTP and
> just about every service login, with adjusted numbers of attempts and
> shorter or longer times based on how the rules might adversely affect
> one of our actual users. Higher security risk services with low volume
> use by users, get blocked after fewer failed attempts and for much
> longer times.
>
> FYI, Spamhaus is blocking around 90% of all our inbound emails as spam.
> That number should actually be higher, but Fail2Ban does not allow a
> number of messages in due to the firewall blocks, so those don't get
> figured into that total. Spamhaus is perfect in blocking IP addresses
> that positively were used to send spam, but dynamic addresses do get
> caught creating some false positives.
>
> --
> John Hinton
> 877-777-1407 ext 502
> http://www.ew3d.com
> Comprehensive Online Solutions
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>