[CentOS] Sendmail SMTP Brute-Force Attack

Sat Jun 16 15:08:25 UTC 2012
John Hinton <webmaster at ew3d.com>

On 6/15/2012 9:10 PM, Gustavo Lacoste wrote:
> Thanks guys! John, can you send me a simple filter for fail2ban+SMTP? I
> tried using the following filters, but this is not sufficient for me yet.
>
>
> */etc/fail2ban/filter.d/sendmail.conf*
>
> [Definition]
> failregex = \[<HOST>\], reject.*\.\.\. Relaying denied
>              (User unknown)\n* \[<HOST>\]
>              badlogin: .* \[<HOST>\] plaintext .* SASL
>              reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi\?ip=<HOST>
> ignoreregex =
>
> */etc/fail2ban/filter.d/dovecot-pop3imap.conf*
> [Definition]
> failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
>
First, I switched to Postfix on my last CentOS 5 and all CentOS 6 
installs. These rules are from v5 boxes, but are pretty old now. My 
strongest rules were on CentOS 4 systems, which have been retired, 
trashed or recycled. Make sure they match up to your logging.

Dovecot Auth Failures:

failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

Spamhaus Failures:

failregex = sendmail.*?(?:ruleset=check_relay).*  relay=<HOST> .* ?reject=550 5\.7\.1 Email rejected due to Unsolicited Bulk Email \[xbl\] policies see: http://spamhaus\.org/

Plug in what you want for xbl. This catches almost all of our blocks. I 
cannot use pbl, and therefore zen, due to outbound from pbl-listed networks. Or 
at least that is how I understand it. I never tried.

These systems were never what I would call production servers and 
apparently there was never a need to catch the user unknown errors. 
Unfortunately, my rules for that are gone now for Sendmail. Also, I'm 
not good at regexes. Pretty much I started with the exact log containing 
the failure and worked back from there to what I have.

I have noted that Fail2Ban maintainers seem to be supporting Postfix. I 
think I've been grabbing it from epel or maybe dag. Most of the rules 
work out of the box. But I'd never suggest that Postfix is better than 
Sendmail, nor would I suggest you choose one over the other.


-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
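The following is an added example, not part of John's message and not fail2ban's own code. It does what John describes (start from the exact log line and work back to a pattern) in a checkable way: it expands the two failregex lines he posted the way fail2ban does with its <HOST> placeholder, replays them over a constructed log, and applies the maxretry/findtime counting rule. The <HOST> expansion is written from memory of the fail2ban 0.8 definition and is an assumption; the sendmail pattern is joined onto one line with a single space before "relay=" (the doubled space in the mail is taken to be a wrapping artifact, also an assumption); all log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban substitutes its own pattern for the <HOST> placeholder before compiling a
# failregex. This is the fail2ban 0.8-era expansion as far as I remember it (assumption):
# an optional IPv6-mapped prefix, then an IPv4 address or hostname captured as "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the message, each joined onto a single line. The sendmail
# one uses a single space before "relay=" (assumption, see lead-in).
FILTERS = {
    "dovecot": (
        r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; "
        r"logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$"
    ),
    "sendmail-spamhaus": (
        r"sendmail.*?(?:ruleset=check_relay).* relay=<HOST> .* ?reject=550 5\.7\.1 "
        r"Email rejected due to Unsolicited Bulk Email \[xbl\] policies see: http://spamhaus\.org/"
    ),
}

# Constructed sample log (not real traffic): three Dovecot failures from one host inside a
# minute, two from a second host twenty minutes apart, three Spamhaus rejects for one relay,
# and one ordinary delivery line that must not match anything.
SAMPLE_LOG = [
    "Jun 16 15:00:01 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.10",
    "Jun 16 15:00:05 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.10  user=alice",
    "Jun 16 15:00:09 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=192.0.2.10",
    "Jun 16 15:00:12 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.5",
    "Jun 16 15:01:00 mail sendmail[2231]: q5GF10AB002231: ruleset=check_relay, arg1=mx.example.net, arg2=198.51.100.7, relay=mx.example.net [198.51.100.7], reject=550 5.7.1 Email rejected due to Unsolicited Bulk Email [xbl] policies see: http://spamhaus.org/",
    "Jun 16 15:01:30 mail sendmail[2235]: q5GF1UCD002235: ruleset=check_relay, arg1=mx.example.net, arg2=198.51.100.7, relay=mx.example.net [198.51.100.7], reject=550 5.7.1 Email rejected due to Unsolicited Bulk Email [xbl] policies see: http://spamhaus.org/",
    "Jun 16 15:02:00 mail sendmail[2238]: q5GF20GH002238: from=<bob@example.org>, size=1432, class=0, nrcpts=1, msgid=<20120616150200.GA1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.44]",
    "Jun 16 15:02:15 mail sendmail[2240]: q5GF2FEF002240: ruleset=check_relay, arg1=mx.example.net, arg2=198.51.100.7, relay=mx.example.net [198.51.100.7], reject=550 5.7.1 Email rejected due to Unsolicited Bulk Email [xbl] policies see: http://spamhaus.org/",
    "Jun 16 15:20:30 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.5",
]


def compile_filters(filters=FILTERS):
    """Expand <HOST> and compile each failregex, as fail2ban does when loading a filter."""
    return {name: re.compile(rx.replace("<HOST>", HOST)) for name, rx in filters.items()}


def match_host(line, compiled=None):
    """Return (filter_name, host) for the first filter matching the line, or None.
    This is the single-line check that fail2ban-regex performs."""
    for name, rx in (compiled or compile_filters()).items():
        m = rx.search(line)
        if m:
            return name, m.group("host")
    return None


def parse_time(line):
    """Parse the syslog timestamp that starts the line. Syslog omits the year, so a fixed
    year (2012, the thread's date) is assumed purely for window arithmetic."""
    return datetime.strptime("2012 " + line[:15], "%Y %b %d %H:%M:%S")


def scan(lines, maxretry=3, findtime=600, filters=FILTERS):
    """Replay log lines through the filters and apply fail2ban's counting rule: a host is
    listed once it has maxretry matches inside a sliding findtime-second window.
    Returns {host: filter_name} in the order hosts crossed the threshold."""
    compiled = compile_filters(filters)
    recent = defaultdict(deque)  # host -> timestamps of its recent matches
    to_ban = {}
    for line in lines:
        hit = match_host(line, compiled)
        if hit is None:
            continue
        name, host = hit
        ts = parse_time(line)
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry and host not in to_ban:
            to_ban[host] = name
    return to_ban


if __name__ == "__main__":
    for host, name in scan(SAMPLE_LOG).items():
        print(f"ban {host} (filter: {name})")
```

Running it lists 192.0.2.10 (three Dovecot failures in eight seconds) and mx.example.net (three Spamhaus rejects), while 203.0.113.5 stays unlisted because its two failures are further apart than findtime. One check worth noticing: with this <HOST> expansion the sendmail pattern captures the relay's hostname, not the bracketed address that follows it, so a jail built on it depends on resolving that name; matching the address inside the brackets instead removes that dependency.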