
Auth command used when not advertised
Hi,

My mail server is being hit with auth attempts when the helo hasn't
advertised the presence of authentication - for example, this
morning for an hour:

2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (M9AIVXy9WZ) [35.231.157.15]:53324 I=[78.32.30.218]:587 AUTH command used when not advertised
2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (WHFIaBK) [35.231.157.15]:53620 I=[78.32.30.218]:587 AUTH command used when not advertised
2018-11-25 09:23:59 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (7bdz0k) [35.231.157.15]:53712 I=[78.32.30.218]:587 AUTH command used when not advertised
...
2018-11-25 10:14:59 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (RlgrRD) [35.231.157.15]:53098 I=[78.32.30.218]:587 AUTH command used when not advertised

at about a rate of 2 per second. Although that's a fairly low rate,
and doesn't cause a problem, I'd rather have a way to (eg) rate
limit such hosts to stop the log file pollution.

While it's possible to rate limit using exim ACLs, as there is no ACL
for this case, there isn't a way to automatically ratelimit such hosts
except by parsing the log file (granted, it wouldn't actually be
controlling access per se.)

My current technique to deal with such people is to spot them in the
log file, and add a blocking firewall entry when they bother me, which
is sub-optimal as it tends to stay for a very long time, so I'd rather
be able to have some way to rate limit such things to (eg) 1 attempt
per hour or so, which having exim able to "do something" in this case
beyond merely logging the fact would allow.

Maybe this would be a feature request for an ACL that gets run on
failed auth attempts, similar to the smtp notquit ACL?

(Yes, I'm aware that this is a block-cracking attempt, and yes, I'm
already using elements of Lena's implementation - but that doesn't
cover this situation.)

Thanks.

--
Russell King

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Auth command used when not advertised
Fail2ban would be a reasonable method of adding (say) 8 hour firewall
blocks when this sort of thing was seen...

* http://www.fail2ban.org/wiki/index.php/Main_Page
* https://alternativeto.net/software/fail2ban/


    Nigel.

Russell King via Exim-users wrote on 25/11/2018 10:32:
> Hi,
>
> My mail server is being hit with auth attempts when the helo hasn't
> advertised the presence of authentication - for example, this
> morning for an hour:
>
> 2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (M9AIVXy9WZ) [35.231.157.15]:53324 I=[78.32.30.218]:587 AUTH command used when not advertised
> 2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (WHFIaBK) [35.231.157.15]:53620 I=[78.32.30.218]:587 AUTH command used when not advertised
> 2018-11-25 09:23:59 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (7bdz0k) [35.231.157.15]:53712 I=[78.32.30.218]:587 AUTH command used when not advertised
> ...
> 2018-11-25 10:14:59 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (RlgrRD) [35.231.157.15]:53098 I=[78.32.30.218]:587 AUTH command used when not advertised
>
> at about a rate of 2 per second. Although that's a fairly low rate,
> and doesn't cause a problem, I'd rather have a way to (eg) rate
> limit such hosts to stop the log file pollution.
>
> While it's possible to rate limit using exim ACLs, as there is no ACL
> for this case, there isn't a way to automatically ratelimit such hosts
> except by parsing the log file (granted, it wouldn't actually be
> controlling access per se.)
>
> My current technique to deal with such people is to spot them in the
> log file, and add a blocking firewall entry when they bother me, which
> is sub-optimal as it tends to stay for a very long time, so I'd rather
> be able to have some way to rate limit such things to (eg) 1 attempt
> per hour or so, which having exim able to "do something" in this case
> beyond merely logging the fact would allow.
>
> Maybe this would be a feature request for an ACL that gets run on
> failed auth attempts, similar to the smtp notquit ACL?
>
> (Yes, I'm aware that this is a block-cracking attempt, and yes, I'm
> already using elements of Lena's implementation - but that doesn't
> cover this situation.)
>
> Thanks.
>

--

[ Nigel Metheringham --------------------------- nigel@dotdot.cloud ]
[              Ellipsis Intangible Cloudy Technologies              ]

Re: Auth command used when not advertised
On 25/11/2018 10:32, Russell King via Exim-users wrote:
> My mail server is being hit with auth attempts when the helo hasn't
> advertised the presence of authentication

Spot them in the smtp-quit and -notquit ACLs, matching on the SMTP
command sequence that's sitting around in some variable or other.
I see both "EHLO, AUTH" and "EHLO, RSET, AUTH" so use a pattern.

Then firewall their asses.
--
Cheers,
Jeremy

Re: Auth command used when not advertised
On Nov 25, Russell King via Exim-users wrote
> While it's possible to rate limit using exim ACLs, as there is no ACL
> for this case, there isn't a way to automatically ratelimit such hosts
> except by parsing the log file (granted, it wouldn't actually be
> controlling access per se.)

Why not use Fail2Ban for this?

Thanks,

Richard

--
junix.systems/privacy

Re: Auth command used when not advertised
> From: Russell King

> My mail server is being hit with auth attempts when the helo hasn't
> advertised the presence of authentication

I always advertise AUTH but in the rcpt ACL:

accept authenticated = *
       condition = ${if !={$received_port}{25}}

Re: Auth command used when not advertised
On Mon, 26 Nov 2018, Nigel Metheringham via Exim-users wrote:

> From: Nigel Metheringham via Exim-users <exim-users@exim.org>
> To: Russell King <rmk@armlinux.org.uk>
> Cc: exim-users@exim.org
> Date: Mon, 26 Nov 2018 13:11:36
> Subject: Re: [exim] Auth command used when not advertised
> Reply-To: Nigel Metheringham <nigel@dotdot.cloud>
>
> Fail2ban would be a reasonable method of adding (say) 8 hour firewall
> blocks when this sort of thing was seen...
>
> * http://www.fail2ban.org/wiki/index.php/Main_Page
> * https://alternativeto.net/software/fail2ban/

A *long*, *long* time ago Tom Kistner wrote some small perl scripts
to achieve this. Used iptables on Linux to achieve the end result.
See:

https://lists.exim.org/lurker/message/20060416.091402.c5100b67.en.html

https://lists.exim.org/lurker/message/20060502.201702.5ae738bb.en.html

One nice feature was that the "timeban" script could be directly
called from exim to handle miscreants.

I remember successfully using the "timeban" script for a while after
converting it to use the packet filter on OpenBSD. I suspect Tom's
scripts would still be useful. Although I can't say for certain as
I'm no longer involved in this area.

The download link in the above messages no longer works. I'm fairly
sure I still have copies squirrelled away somewhere.
--
Dennis Davis <dennisdavis@fastmail.fm>

Re: Auth command used when not advertised
On 26.11.18 16:38, Richard Jones via Exim-users wrote:
> Why not use Fail2Ban for this?

This works here successfully:

in /etc/fail2ban/filter.d/exim4-auth-not-advertised.conf:

[Definition]
failregex = .*\) [[](?P<host>\S*)[]] AUTH command used when not advertised *$

in /etc/fail2ban/jail.conf:

[exim4-auth-early]
enabled = true
port = smtp,smtps,submission,imap2,imap3,imaps,pop3,pop3s,2000,sieve
filter = exim4-auth-not-advertised
logpath = /var/log/exim4/mainlog
# ban almost immediately
maxretry = 2
# ban 11h+
bantime = 40000


Regards, Adrian.
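Because the thread turns on parsing mainlog lines like Russell's and on the exact shape of Adrian's failregex, here is an added worked example (my own code, not from any poster and not part of fail2ban) that does the two things a fail2ban jail does: match the "AUTH command used when not advertised" line and extract the client address, then replay the log through a maxretry/findtime sliding window. One point worth checking before deploying Adrian's filter: Russell's log lines carry ":port" after the client address and an "I=[...]:587" field (the incoming_port and incoming_interface log selectors), so a pattern that requires "] AUTH" immediately after the address will not fire on them. The regex below accepts both layouts. The sample log is constructed: three lines copied from Russell's post, plus one plain-layout line and one unrelated delivery line using documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: three of Russell's lines (address followed by ":port"
# and an "I=[local-addr]:port" field), one line in the plainer layout Adrian's
# failregex expects, and one delivery line that must be ignored.
SAMPLE_LOG = """\
2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (M9AIVXy9WZ) [35.231.157.15]:53324 I=[78.32.30.218]:587 AUTH command used when not advertised
2018-11-25 09:23:58 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (WHFIaBK) [35.231.157.15]:53620 I=[78.32.30.218]:587 AUTH command used when not advertised
2018-11-25 09:23:59 SMTP protocol error in "AUTH LOGIN" H=15.157.231.35.bc.googleusercontent.com (7bdz0k) [35.231.157.15]:53712 I=[78.32.30.218]:587 AUTH command used when not advertised
2018-11-25 09:24:00 SMTP protocol error in "AUTH LOGIN" H=client.example.net (xyz) [192.0.2.10] AUTH command used when not advertised
2018-11-25 09:24:30 <= alice@example.org H=mx.example.org [198.51.100.5] P=esmtp S=1234 id=abc@example.org
"""

# Same sentinel text as Adrian's failregex, but with the ":port" after the
# client address and the " I=[addr]:port" field made optional so both log
# layouts match. The client IP lands in the group "host", as fail2ban expects.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'SMTP protocol error in "(?P<cmd>[^"]*)" '
    r'H=\S+(?: \([^)]*\))? \[(?P<host>[0-9A-Fa-f.:]+)\](?::\d+)?'
    r'(?: I=\[[0-9A-Fa-f.:]+\](?::\d+)?)? '
    r'AUTH command used when not advertised\s*$'
)


def parse_line(line):
    """Return (timestamp, client_ip, smtp_command) for a matching line, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("host"), m.group("cmd")


def ban_decisions(log_text, maxretry=2, findtime=timedelta(hours=1)):
    """Replay a log and return [(ip, ban_time)] for every host that reaches
    `maxretry` failures inside a sliding `findtime` window, the same threshold
    shape as fail2ban's maxretry/findtime. Each host is reported once."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _cmd = parsed
        if ip in banned:
            continue              # already decided; a live jail would have blocked it
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return list(banned.items())


def attempts_per_host(log_text):
    """Count matching failures per client IP (the raw rate Russell describes)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, when in ban_decisions(SAMPLE_LOG):
        print(f"would ban {ip} at {when:%Y-%m-%d %H:%M:%S}")
    print(attempts_per_host(SAMPLE_LOG))
```

With maxretry=2 the first host is flagged on its second line at 09:23:58, while the single plain-layout attempt from 192.0.2.10 is counted but not flagged; raising maxretry to 5 flags nothing in this sample. Running a candidate failregex over real mainlog lines this way, before enabling the jail, is the cheapest way to confirm it fires on your own log_selector settings.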
