AUTH command used when not advertised
Exim 4.72 (Centos 6)


An MTA experienced 20 minutes (circa 1,722 attempts) of:

(from logwatch)

2015-04-17 22:56:16 SMTP protocol error in "AUTH LOGIN"
H=(SRV) [88.119.254.244]:50272 I=[xx.xx.xx.xx]:25 AUTH
command used when not advertised: 1 Time(s)

Have changed:-

smtp_accept_max = 5
smtp_accept_max_per_connection = 5
smtp_accept_max_per_host = 5

whilst assuming it will not prevent future abuse.


If I create acl_smtp_auth = acl_reject_auth

acl_reject_auth:

warn message = ${run{SHELL -c "PHP EXIM_ALERT
(code to block IP address in iptables......)

deny message = (rejection message) ......


will this ACL only intercept log-on attempts?


Thank you.

--
Regards,

Paul.
England, EU. Je suis Charlie.



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: AUTH command used when not advertised
Hi,

There's a very good read about this:
https://github.com/Exim/exim/wiki/BlockCracking

> On 18 Apr 2015 at 02:46, Always Learning <exim@u65.u22.net> wrote:
>
>
> Exim 4.72 (Centos 6)
>
>
> An MTA experienced 20 minutes (circa 1,722 attempts) of:
>
> (from logwatch)
>
> 2015-04-17 22:56:16 SMTP protocol error in "AUTH LOGIN"
> H=(SRV) [88.119.254.244]:50272 I=[xx.xx.xx.xx]:25 AUTH
> command used when not advertised: 1 Time(s)
>
> Have changed:-
>
> smtp_accept_max = 5
> smtp_accept_max_per_connection = 5
> smtp_accept_max_per_host = 5
>
> whilst assuming it will not prevent future abuse.
>
>
> If I create acl_smtp_auth = acl_reject_auth
>
> acl_reject_auth:
>
> warn message = ${run{SHELL -c "PHP EXIM_ALERT
> (code to block IP address in iptables......)
>
> deny message = (rejection message) ......
>
>
> will this ACL only intercept log-on attempts?
>
>
> Thank you.
>
> --
> Regards,
>
> Paul.
> England, EU. Je suis Charlie.
>
>
>


Re: AUTH command used when not advertised
On Sat, 2015-04-18 at 08:36 +0200, nb wrote:

> Hi,
>
> There's a very good read about this:
> https://github.com/Exim/exim/wiki/BlockCracking


Thank you. It looks very useful particularly


drop authenticated = *


as the attacked MTA has no logging-in facility.


Paul.
England, EU. Je suis Charlie.



Re: AUTH command used when not advertised
Take a look at fail2ban.

--
Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net


On Apr 17, 2015, at 7:50 PM, Always Learning <exim@u65.u22.net> wrote:


Exim 4.72 (Centos 6)


An MTA experienced 20 minutes (circa 1,722 attempts) of:

(from logwatch)

2015-04-17 22:56:16 SMTP protocol error in "AUTH LOGIN"
H=(SRV) [88.119.254.244]:50272 I=[xx.xx.xx.xx]:25 AUTH
command used when not advertised: 1 Time(s)

Have changed:-

smtp_accept_max = 5
smtp_accept_max_per_connection = 5
smtp_accept_max_per_host = 5

whilst assuming it will not prevent future abuse.


If I create acl_smtp_auth = acl_reject_auth

acl_reject_auth:

warn message = ${run{SHELL -c "PHP EXIM_ALERT
(code to block IP address in iptables......)

deny message = (rejection message) ......


will this ACL only intercept log-on attempts?


Thank you.

--
Regards,

Paul.
England, EU. Je suis Charlie.



Re: Auth command used when not advertised
> On 3 Dec 2018 at 19:00, Dennis Davis via Exim-users <exim-users@exim.org> wrote:
>
>> On Mon, 26 Nov 2018, Nigel Metheringham via Exim-users wrote:
>>
>> From: Nigel Metheringham via Exim-users <exim-users@exim.org>
>> To: Russell King <rmk@armlinux.org.uk>
>> Cc: exim-users@exim.org
>> Date: Mon, 26 Nov 2018 13:11:36
>> Subject: Re: [exim] Auth command used when not advertised
>> Reply-To: Nigel Metheringham <nigel@dotdot.cloud>
>>
>> Fail2ban would be a reasonable method of adding (say) 8 hour firewall
>> blocks when this sort of thing was seen...
>>
>> * http://www.fail2ban.org/wiki/index.php/Main_Page
>> * https://alternativeto.net/software/fail2ban/
>
> A *long*, *long* time ago Tom Kistner wrote some small perl scripts
> to achieve this. Used iptables on Linux to achieve the end result.
> See:
>
> https://lists.exim.org/lurker/message/20060416.091402.c5100b67.en.html
>
> https://lists.exim.org/lurker/message/20060502.201702.5ae738bb.en.html
>
> One nice feature was that the "timeban" script could be directly
> called from exim to handle miscreants.
>
> I remember successfully using the "timeban" script for a while after
> converting it to use the packet filter on OpenBSD. I suspect Tom's
> scripts would still be useful. Although I can't say for certain as
> I'm no longer involved in this area.
>
> The download link in the above messages no longer works. I'm fairly
> sure I still have copies squirrelled away somewhere.

The wayback machine has a copy :)

http://web.archive.org/web/20080108232538/http://duncanthrax.net/timeban/timeban


Re: Auth command used when not advertised
On Mon, 3 Dec 2018, Jan Ingvoldstad via Exim-users wrote:

> From: Jan Ingvoldstad via Exim-users <exim-users@exim.org>
> To: exim-users@exim.org
> Date: Mon, 3 Dec 2018 19:08:53
> Subject: Re: [exim] Auth command used when not advertised
> Reply-To: Jan Ingvoldstad <frettled@gmail.com>

...

> > The download link in the above messages no longer works. I'm
> > fairly sure I still have copies squirrelled away somewhere.
>
> The wayback machine has a copy :)
>
> http://web.archive.org/web/20080108232538/http://duncanthrax.net/timeban/timeban

But not, as far as I can tell, an archived copy of the "logexec"
perl script that Tom used for scanning logs. So, for completeness,
I've attached a copy.

...just goes to show that being an inveterate hoarder will
occasionally pay dividends :-)
--
Dennis Davis <dennisdavis@fastmail.fm>
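The thread converges on scanning the log for the "AUTH command used when not advertised" line and firewalling repeat offenders, whether with fail2ban or with Tom Kistner's logexec/timeban scripts. That is the right place to hook in: Exim answers an AUTH it has not advertised with a 503 protocol error before the acl_smtp_auth ACL is consulted, so the log line, not the ACL, is the signal to act on. The following is an added example written for this thread; it is not Exim's, fail2ban's or Tom Kistner's code. It shows the detection half of that approach in Python: a fail2ban-style failregex for the exact line format quoted above, and a sliding-window counter with fail2ban's maxretry/findtime semantics that reports which client addresses crossed the threshold and when. The log lines it runs over are constructed (TEST-NET addresses, made-up message id) to follow the format in Paul's logwatch excerpt; the blocking step (iptables, pf, a fail2ban action) is deliberately left to whatever the site already uses.

```python
"""Detect brute-force AUTH probing in Exim main log lines.

Added example for this thread, not Exim's, fail2ban's or Tom Kistner's code.
Matches the "AUTH command used when not advertised" line, extracts the client
address, and flags hosts that repeat it too often inside a time window.
The sample log at the bottom is constructed to follow the quoted format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban-style failregex: "<HOST>" is the placeholder a fail2ban filter
# uses. For stand-alone testing it is replaced below with an IPv4 capture
# group (fail2ban's own expansion also covers IPv6 addresses and hostnames).
FAILREGEX = (
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'SMTP protocol error in "AUTH \w+" H=.*?\[<HOST>\]:\d+ '
    r'I=\[[^\]]+\]:\d+ AUTH command used when not advertised'
)
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
LINE_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))


def parse_line(line):
    """Return (timestamp, client address) for a matching log line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S'), m.group('host')


def offending_hosts(lines, maxretry=5, findtime=600):
    """Map each host to the timestamp at which it reached `maxretry` matching
    lines within any `findtime`-second window (fail2ban's maxretry/findtime
    semantics). Lines are expected in chronological order, as in Exim's mainlog.
    A host is reported once, at the moment it first crosses the threshold."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # ordinary delivery/other log line
        ts, host = parsed
        if host in flagged:
            continue                # already reported, nothing more to do
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()          # drop hits that fell out of the window
        if len(hits) >= maxretry:
            flagged[host] = ts
    return flagged


def _auth_probe(ts, ip, port, mech='LOGIN'):
    # Builds one constructed log line in the format quoted in the thread.
    return (f'{ts} SMTP protocol error in "AUTH {mech}" H=(SRV) [{ip}]:{port} '
            f'I=[192.0.2.1]:25 AUTH command used when not advertised')


# Constructed sample log (TEST-NET addresses, not real hosts), in time order:
# 203.0.113.9 probes slowly over two hours, 192.0.2.10 hammers within seconds,
# 198.51.100.7 tries once, and one ordinary delivery line must be ignored.
SAMPLE_LOG = [
    _auth_probe('2015-04-17 20:00:00', '203.0.113.9', 40001),
    _auth_probe('2015-04-17 20:30:00', '203.0.113.9', 40002),
    _auth_probe('2015-04-17 21:00:00', '203.0.113.9', 40003, 'PLAIN'),
    _auth_probe('2015-04-17 21:30:00', '203.0.113.9', 40004),
    _auth_probe('2015-04-17 22:00:00', '203.0.113.9', 40005),
    _auth_probe('2015-04-17 22:56:16', '192.0.2.10', 50272),
    _auth_probe('2015-04-17 22:56:18', '192.0.2.10', 50273),
    _auth_probe('2015-04-17 22:56:21', '192.0.2.10', 50274),
    _auth_probe('2015-04-17 22:56:25', '192.0.2.10', 50275, 'PLAIN'),
    _auth_probe('2015-04-17 22:56:30', '192.0.2.10', 50276),
    '2015-04-17 22:57:00 1YjK6M-0003Hk-1V <= alice@example.org '
    'H=mail.example.org [198.51.100.7] P=esmtp S=1234',
    _auth_probe('2015-04-17 22:58:02', '198.51.100.7', 4101),
]

if __name__ == '__main__':
    for host, when in offending_hosts(SAMPLE_LOG).items():
        print(f'{host} reached the threshold at {when}')
```

With the defaults (5 hits inside 10 minutes) only 192.0.2.10 is reported, at 22:56:30; widening findtime to two hours also catches the slow prober 203.0.113.9, which is the usual tuning trade-off between catching low-and-slow scans and never blocking a legitimate client that mistypes twice. The same regex, with `<HOST>` left in place, is what a fail2ban filter for this log line would contain.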