
Stopping Bruteforceattacks
Hi,


Does anyone have a working solution for this:


2012-07-25 07:07:09 H=([188.72.183.17]) [188.72.183.17] F=<jvkzwgfq@chj.info> rejected RCPT <database@benderirc.de>: you have been blacklisted.
2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
2012-07-25 07:11:22 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:11:22 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=cameron)
2012-07-25 07:13:32 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:13:33 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=kieran)
2012-07-25 07:15:43 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:15:43 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=jayden)
2012-07-25 07:17:54 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:17:54 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=jake)
2012-07-25 07:20:04 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:20:04 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=robert)
2012-07-25 07:22:13 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:22:13 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=harvey)
2012-07-25 07:24:23 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:24:24 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=louie)
2012-07-25 07:26:34 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:26:34 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=archie)
2012-07-25 07:28:44 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:28:44 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=bradley)
2012-07-25 07:30:54 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:30:54 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=gabriel)

Not that I can't write a Perl script checking the logs for it, but an
inbuilt solution would be great.

Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: Stopping Bruteforceattacks
On 07/25/2012 11:36 AM, Cyborg wrote:
> Not that I can't write a Perl script checking the logs for it, but an
> inbuilt solution would be great.

I don't know if fail2ban is an alternative, but you could check it also.

--
RMA.




Re: Stopping Bruteforceattacks
> Not that I can't write a Perl script checking the logs for it, but an

Fail2ban ?

Chris


Knowledge I.T.
'Unifying Business Technology'
www.knowledgeit.co.uk


Re: Stopping Bruteforceattacks
On 07/25/2012 11:36 AM, Cyborg wrote:

> Not that I can't write a Perl script checking the logs for it, but an
> inbuilt solution would be great.

An inbuilt solution would, anyway, trigger Exim, and at least at the very
beginning of your experimentation, you'll have to log your rejects.

You'll then have a huge log anyway.

Depending on your choice:
- filter at IP level
- filter at application level
you'll have (I guess) several solutions.

If it were me, I'd filter at IP level, based on some reject log information.
That's the job of fail2ban, but I don't know if it parses Exim logs.

--
RMA.




Re: Stopping Bruteforceattacks
On 25 Jul 2012, at 10:36 AM, Cyborg wrote:

> Not that I can't write a Perl script checking the logs for it, but an inbuilt solution would be great.

Use a rate-limiting ACL; there are several examples floating on this list.

- Andrew

--
www.baruwa.org





Re: Stopping Bruteforceattacks
On Wed, 25/07/2012 at 11:44 +0300, Mihamina Rakotomandimby wrote:
> If it were me, I'd filter at IP level, based on some reject log information.
> That's the job of fail2ban, but I don't know if it parses Exim logs.


I'm using this regex in fail2ban with success:

failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|535 Incorrect authentication data)




Re: Stopping Bruteforceattacks
On Wed, 25 Jul 2012, Chris Russell wrote:

> From: Chris Russell <Chris.Russell@knowledgeit.co.uk>
> To: "exim-users@exim.org" <exim-users@exim.org>
> Date: Wed, 25 Jul 2012 09:40:55
> Subject: Re: [exim] Stopping Bruteforceattacks
>
> > Not that I can't write a Perl script checking the logs for it,
> > but an
>
> Fail2ban ?


That should do the job. Also see:

http://www.sshguard.net/

Originally started as a monitor to protect ssh against brute force
attacks. It'll now protect a variety of services against brute force
attacks, including Exim.

So far I've only used it to protect ssh.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@bath.ac.uk Phone: +44 1225 386101


Re: Stopping Bruteforceattacks
On Wednesday, July 25, 2012 04:44:32, Mihamina Rakotomandimby wrote:
> On 07/25/2012 11:36 AM, Cyborg wrote:
> > Not that I can't write a Perl script checking the logs for it, but an
> > inbuilt solution would be great.
>
> An inbuilt solution would, anyway, trigger Exim, and at least at the very
> beginning of your experimentation, you'll have to log your rejects.
>
> You'll then have a huge log anyway.
>
> Depending on your choice:
> - filter at IP level
> - filter at application level
> you'll have (I guess) several solutions.
>
> If it were me, I'd filter at IP level, based on some reject log information.
> That's the job of fail2ban, but I don't know if it parses Exim logs.

By default fail2ban doesn't scan Exim logs, but what logs are scanned is
customizable; for instance something like the following added to fail2ban's
jail.conf:

-----------------------

#
# Exim4 email MTA
#

[exim4]

enabled = true
port = smtp
filter = exim4
logpath = /var/log/exim4/mainlog
bantime = 28800
maxretry = 3

-----------------------

and the filter file goes in /filter.d. It's fairly admin-friendly, IMHO.

What I don't understand about this particular situation is that the IP address
of the attacker is in the RFC 1918 private IP address range (192.168.x.x)
which would make it seem like the attacker is on the local LAN (or via VPN).
That seems like in addition to adding fail2ban, you'd want to find the
offending box and take it offline for antivirus scanning (if possible) because
the "attacker" is probably malware.

Good luck tracking it down.

-- Chris

--
Chris Knadle
Chris.Knadle@coredump.us

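The failregex posted earlier in the thread and the jail settings above (maxretry = 3), run over the log lines quoted at the top of the thread, as an added example; this is not code from the list or from fail2ban itself. It stands in for fail2ban's `<HOST>` placeholder with an IP-literal pattern (fail2ban's real substitution also accepts host names), assumes a findtime of 600 seconds (fail2ban's default, not mentioned in the post), and relaxes the posted pattern by one optional ':' after the closing bracket: as posted, the pattern needs a space right after `]`, which the "rejected" lines have but the "535 Incorrect authentication data" lines do not (they read `]: 535`). The sample lines are constructed from the quoted ones, one entry per line as Exim writes them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on the log lines quoted at the top of the thread,
# one Exim mainlog entry per line (the mail client had wrapped them).
SAMPLE_LOG = """\
2012-07-25 07:07:09 H=([188.72.183.17]) [188.72.183.17] F=<jvkzwgfq@chj.info> rejected RCPT <database@benderirc.de>: you have been blacklisted.
2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
2012-07-25 07:11:22 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=cameron)
2012-07-25 07:13:33 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=kieran)
2012-07-25 07:15:43 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=jayden)
""".splitlines()

# Stand-in for fail2ban's <HOST> placeholder (assumption: an IPv4/IPv6 literal;
# fail2ban's own substitution also accepts host names).
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"

# The failregex posted in the thread, with one change: an optional ':' after
# the closing bracket, since the 535 lines read "[ip]: 535 ..." while the
# posted pattern requires "[ip] " (bracket, then space).
FAILREGEX = re.compile(
    r"\[" + HOST + r"\]:? .*(?:rejected by local_scan|Unrouteable address|"
    r"535 Incorrect authentication data)"
)
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")


def parse_failure(line):
    """Return (timestamp, connecting IP) for a matching line, else None.

    Only a bracketed address followed by ' ' or ': ' matches, so the HELO
    value inside "([192.168.0.232])" is skipped and the real peer address is
    taken, which is the point made later in the thread.
    """
    m = FAILREGEX.search(line)
    ts = TIMESTAMP.match(line)
    if not m or not ts:
        return None
    return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")


def offenders(lines, maxretry=3, findtime=600):
    """Sliding-window counting in the style of fail2ban.

    A host is flagged the moment it has `maxretry` matches within `findtime`
    seconds (maxretry=3 as in the jail above; findtime=600 is assumed, being
    fail2ban's default). Returns {host: timestamp of the line that tipped it}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in flagged:      # already banned; later lines do not matter
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            flagged[host] = ts
    return flagged


if __name__ == "__main__":
    for host, when in offenders(SAMPLE_LOG).items():
        print(f"{when} ban {host} for 28800s")
```

Run against the sample, 216.214.153.238 is flagged on its third failure at 07:13:33, while the first line (a "rejected RCPT" blacklist reject) is not caught at all, because its reject text is neither "rejected by local_scan" nor "Unrouteable address". Checking a filter against real lines like this, before enabling the jail, is the cheapest way to find out what it does and does not ban.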

Re: Stopping Bruteforceattacks
On 7/25/12, Chris Knadle <Chris.Knadle@coredump.us> wrote:
> What I don't understand about this particular situation is that the IP
> address of the attacker is in the RFC 1918 private IP address range (192.168.x.x)
> which would make it seem like the attacker is on the local LAN (or via VPN).

Looking at my own logs with such attacks, the value in the bracket
appears to be just the name/address provided by the attacker during
HELO.


Re: Stopping Bruteforceattacks
On Wed, 25 Jul 2012, Chris Knadle wrote:

> What I don't understand about this particular situation is that the IP address
> of the attacker is in the RFC 1918 private IP address range (192.168.x.x)
> which would make it seem like the attacker is on the local LAN (or via VPN).

>> 2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)

Maybe I'm misreading the logs, but isn't 192.168.0.232
the HELO/EHLO address?
In which case the rogue machine is on a private network belonging
to a broadviewnet customer and somewhere behind 216.214.153.238?

> That seems like in addition to adding fail2ban, you'd want to find the
> offending box and take it offline for antivirus scanning (if possible) because
> the "attacker" is probably malware.
>
> Good luck tracking it down.

--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@dpmms.cam.ac.uk http://www.dpmms.cam.ac.uk/~werdna


Re: Stopping Bruteforceattacks
On 25.07.2012 13:05, Dr Andrew C Aitchison wrote:
>
>>> 2012-07-25 07:09:11 no IP address found for host
>>> static-216-214-153-238.isp.broadviewnet.net (during SMTP connection
>>> from [216.214.153.238])
>>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
>>> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
>
> Maybe I'm misreading the logs, but isn't 192.168.0.232
> the HELO/EHLO address? In which case the rogue machine is on a
> private network belonging
> to a broadviewnet customer and somewhere behind 216.214.153.238?
>

It is.

Which ACL is controlling the message "535 Incorrect authentication
data"?

It should be possible to add this to the ACL:

condition = ${run{ ...../tools/addspammer $sender_host_address}{yes}{$value}}

Marius

Re: Stopping Bruteforceattacks
> From: Cyborg <cyborg2@benderirc.de>

> does anyone have a working solution for this :

> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)

http://www.mail-archive.com/exim-users@exim.org/msg41893.html
or the same message:
https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html



Re: Stopping Bruteforceattacks
On 25.07.2012 16:33, Lena@lena.kiev.ua wrote:
> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
> http://www.mail-archive.com/exim-users@exim.org/msg41893.html
> or the same message:
> https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html
>

acl_check_auth:
drop message = authentication is allowed only once per message in order \
to slow down bruteforce cracking
set acl_m_auth = ${eval10:0$acl_m_auth+1}
condition = ${if >{$acl_m_auth}{2}}
delay = 22s

drop message = blacklisted for bruteforce cracking attempt
set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
condition = ${if >{$acl_c_authnomail}{4}}
continue = ${run{SHELL -c "echo $sender_host_address \
>>$spool_directory/blocked_IPs; \
\N{\N echo Subject: $sender_host_address blocked; echo; echo \
for bruteforce auth cracking attempt.; \
\N}\N | EXIMBINARY WARNTO"}}

...


It looks like the answer, thanks.

If I understood it correctly, this will create a file for each blocked
IP and check later if it exists.


Just for the record, if you send the IP to your firewall, you won't need
to check for the files later.
Each check generates unnecessary IO, hopefully in the cache, but it must
not be cached already.

If it's firewalled, the spammer can't DoS the system with requests from
already-blocked IPs.

If the production system has a thousand or more accounts/domains on it,
the IO part will become vital. The server of my last employer was rated
up to 500.000 mails a day by SpamCop and, trust me, you do not want to
check those blocked IPs with a file.exists() call :)


Marius


Re: Stopping Bruteforceattacks
On Wednesday, July 25, 2012 at 15:08:00 UTC, cyborg2@benderirc.de confabulated:

> Am 25.07.2012 16:33, schrieb Lena@lena.kiev.ua:
>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
>> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
>> http://www.mail-archive.com/exim-users@exim.org/msg41893.html
>> or the same message:
>> https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html
>>

> acl_check_auth:
> drop message = authentication is allowed only once per message in order \
> to slow down bruteforce cracking
> set acl_m_auth = ${eval10:0$acl_m_auth+1}
> condition = ${if >{$acl_m_auth}{2}}
> delay = 22s

> drop message = blacklisted for bruteforce cracking attempt
> set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
> condition = ${if >{$acl_c_authnomail}{4}}
> continue = ${run{SHELL -c "echo $sender_host_address \
> >>$spool_directory/blocked_IPs; \
> \N{\N echo Subject: $sender_host_address blocked; echo; echo \
> for bruteforce auth cracking attempt.; \
> \N}\N | EXIMBINARY WARNTO"}}

> ...


> It looks like the answer, thanks.

> If I understood it correctly, this will create a file for each blocked
> IP and check later if it exists.

Incorrect. Only one file is used. Notice the double '>>'. Each IP is
written to 'blocked_IPs'. The lookup is done somewhere else (I use the
connect ACL).

> Just for the record, if you send the ip to your firewall, you won't need
> to check for the files later.
> Each check generates unnecessary IO, hopefully in the cache, but it must
> not be cached already.

> If it's firewalled, the spammer can't dos the system with requests from
> already blocked ip's .

> If the production system has a thousand or more accounts/domains on it,
> the IO part will become vital. The server of my last employer was rated
> up to 500.000 mails a day by SpamCop and, trust me, you do not want to
> check those blocked IPs with a file.exists() call :)


> Marius

--
If at first you don't succeed...
...so much for skydiving.



Re: Stopping Bruteforceattacks
On 25.07.2012 17:08, Cyborg wrote:
> On 25.07.2012 16:33, Lena@lena.kiev.ua wrote:
>> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
>> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
>> http://www.mail-archive.com/exim-users@exim.org/msg41893.html
>> or the same message:
>> https://lists.exim.org/lurker/message/20120709.132921.ccaf55b3.en.html
>>
>
> acl_check_auth:
> drop message = authentication is allowed only once per message in
> order \
> to slow down bruteforce cracking
> set acl_m_auth = ${eval10:0$acl_m_auth+1}
> condition = ${if >{$acl_m_auth}{2}}
> delay = 22s

Is there any variable which holds the "username" of the AUTH command IF
the auth fails?


2012-07-25 17:29:54 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 17:29:54 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:29:54 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=toby)
2012-07-25 17:32:04 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 17:32:04 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:32:04 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=tyler)
2012-07-25 17:34:14 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 17:34:15 H=([192.168.0.232]) [216.214.153.238] Warning: send for
2012-07-25 17:34:15 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=sebastian)
2012-07-25 17:35:00 no host name found for IP address 27.41.155.167

That Windows PC (with telnet and VPN service :D), btw, does not raise
a ratelimit, as it only connects once and has a 120-second timer.

Exim logs "set_id=sebastian" and I need that name to compare against
the database to check if it's even possible that it's not a bruteforcer.

My thoughts are that bruteforcers try a list of given names and passwords,
but do not start with the correct name.
Why not? Because if they have the name, they also got the password from
the trojan horse they used.
That will not always be true, but in most cases it will be a valid
assumption, don't you agree?

Btw, our unfriendly Windows server (s.a.) is now blocked the old-fashioned
way :)





Re: Stopping Bruteforceattacks
On 25.07.2012 17:25, Duane Hill wrote:
>> If i understood it correctly, this will create a file for each blocked
>> ip and check later if it exists.
> Incorrect. Only one file is used. Notice the double '>>'. Each IP is
> written to 'blocked_IPs'. I lookup is done somewhere else (I use the
> connect ACL).
>

acl_check_connect:
drop message = $sender_host_address locally blacklisted for a bruteforce \
auth (login+password) cracking attempt
condition = ${if exists{$spool_directory/blocked_IPs}}
condition = ${lookup{$sender_host_address}lsearch\
{$spool_directory/blocked_IPs}{1}{0}}


IMHO, that's even worse IO wise :(

Marius


Re: Stopping Bruteforceattacks
On Wednesday, July 25, 2012 07:05:04, Dr Andrew C Aitchison wrote:
> On Wed, 25 Jul 2012, Chris Knadle wrote:
> > What I don't understand about this particular situation is that the IP
> > address of the attacker is in the RFC 1918 private IP address range
> > (192.168.x.x) which would make it seem like the attacker is on the local
> > LAN (or via VPN).
> >
> >> 2012-07-25 07:09:11 no IP address found for host
> >> static-216-214-153-238.isp.broadviewnet.net (during SMTP connection
> >> from [216.214.153.238]) 2012-07-25 07:09:11 plain authenticator failed
> >> for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication
> >> data (set_id=aidan)
>
> Maybe I'm misreading the logs, but isn't 192.168.0.232
> the HELO/EHLO address ?

No, you're right -- I misread this to begin with because I missed the []
inside of the () and also made the mistake of not reading the next line due to
the word wrap. [I'm so used to reading "long line" Exim4 logs that
unconsciously these seemed to be out-of-place. Ugh.]

> In which case the rogue machine is on a private network belonging
> to a broadviewnet customer and somewhere behind 216.214.153.238 ?

AFAIK the 216.214.153.238 is an internet-routable (i.e. public) address.

-- Chris

--
Chris Knadle
Chris.Knadle@coredump.us


Re: Stopping Bruteforceattacks
On 25/07/2012 07:33, Lena@lena.kiev.ua wrote:
> From: Cyborg <cyborg2@benderirc.de>
>
> does anyone have a working solution for this :
>
> 2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232])
> [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)

I use ConfigServer Security & Firewall (CSF). Very simple to set up and
maintain. Low resource usage. http://configserver.com/cp/csf.html

Handles this type of attack well. I've noticed lately that some of the
same IPs that are trying brute force attacks on exim are also targeting
dovecot. CSF deals with these as well. When an IP is blocked, you can
set the options to receive a notification and the notification contains
IP and set-id.

Caveat: I run a very small mailserver (> 100 accounts) so not sure how
it scales.

--
Terry


Re: Stopping Bruteforceattacks
On 2012-07-25 at 17:46 +0200, Cyborg wrote:
> Is there any variable, which holds the "username" of the AUTH command IF
> the auth fails ?

No, but if there's a use-case, file a feature request and it can be
added.

Note that from the Exim config language point of view, the ACL runs
before the authentication, and then parsing the auth request is a
per-auth-driver issue (and fundamentally has to be, as part of SASL).

Technically we _might_ be able to do something like have an
authenticator be able to associate one or two ACLs with it, one to be
run on success, one to be run on failure, named something like
on_success, on_failure.

At present, you could hack that up for the auth succeeded case, using
the server_set_id case and the ACL expansion logic in git head (and will
be part of the next release).

plain:
driver = plaintext
...
server_on_success = expanded string
server_on_failure = expanded string

and then use the new ACL tests in those, leaving the parsed authnid and
authzid available in $auth1/$auth2, temporarily even for
server_on_failure. Discard the results. At present, just replace
"server_on_success" with "server_set_id" and make sure the final result
is the identifier for the user.

-Phil


Re: Stopping Bruteforceattacks
On 25.07.2012 12:30, Chris Knadle wrote:
> On Wednesday, July 25, 2012 04:44:32, Mihamina Rakotomandimby wrote:
>> If me, I'd filter at IP level, based on some reject log information.
>> That's the job of fail2ban, but I don't know if it parses Exim logs.
>
> By default fail2ban doesn't scan Exim logs, but what logs are scanned is
> customizable; for instance something like the following added to fail2ban's
> jail.conf:
>
> -----------------------
>
> #
> # Exim4 email MTA
> #
>
> [exim4]
>
> enabled = true
> port = smtp
> filter = exim4
> logpath = /var/log/exim4/mainlog
> bantime = 28800
> maxretry = 3

I'm using daily mainlogs à la "mainlog-20120726". What would be an
elegant way to configure fail2ban in this case?

Regards, Peter


Re: Stopping Bruteforceattacks
On 26.07.2012 13:51, Peter Velan wrote:
> am = 3
> I'm using daily mainlogs à la "mainlog-20120726". What would be an
> elegant way to configure fail2ban in this case?
>
> Regards, Peter
>

The actual main.log is always the same, so just stick with
/var/log/exim/main.log

marius


Re: Stopping Bruteforceattacks
On 26.07.2012 13:57, Cyborg wrote:
>
> On 26.07.2012 13:51, Peter Velan wrote:
>> am = 3
>> I'm using daily mainlogs à la "mainlog-20120726". What would be an
>> elegant way to configure fail2ban in this case?
>>
>> Regards, Peter
>>
>
> The actual main.log is always the same, so just stick with
> /var/log/exim/main.log

Definitely no, there's no "exim/main.log" or "exim/mainlog" here.

(I'm afraid this is a Debian specific thing)

Peter



Re: Stopping Bruteforceattacks
On Thursday, July 26, 2012 07:51:39, Peter Velan wrote:
> On 25.07.2012 12:30, Chris Knadle wrote:
> > On Wednesday, July 25, 2012 04:44:32, Mihamina Rakotomandimby wrote:
> >> If me, I'd filter at IP level, based on some reject log information.
> >> That's the job of fail2ban, but I don't know if it parses Exim logs.
> >
> > By default fail2ban doesn't scan Exim logs, but what logs are scanned is
> > customizable; for instance something like the following added to
> > fail2ban's jail.conf:
> >
> > -----------------------
> >
> > #
> > # Exim4 email MTA
> > #
> >
> > [exim4]
> >
> > enabled = true
> > port = smtp
> > filter = exim4
> > logpath = /var/log/exim4/mainlog
> > bantime = 28800
> > maxretry = 3
>
> I'm using daily mainlogs à la "mainlog-20120726". What would be an
> elegant way to configure fail2ban in this case?

For this I'd probably have logrotate remake a softlink from the daily mainlog
file to a standard filename that fail2ban can search through. This might
require using a postrotate/endscript.

-- Chris

--
Chris Knadle
Chris.Knadle@coredump.us

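One way to do what Chris describes, as an added example that is not part of the thread: a small Python helper that repoints a stable symlink at the newest `mainlog-YYYYMMDD` file, to be called from the postrotate/endscript he mentions (or from a daily cron job), with fail2ban's logpath set to the link. The directory layout, the link name `mainlog` and the dated file names are assumptions modelled on Peter's example; the `demo()` function builds a throwaway directory so the whole thing runs offline.

```python
import os
import re
import tempfile

# Daily log names as in Peter's setup: mainlog-YYYYMMDD (assumed naming).
DATED_LOG = re.compile(r"^mainlog-(\d{8})$")


def latest_mainlog(logdir):
    """Return the full path of the newest mainlog-YYYYMMDD file in logdir, or None."""
    dated = [name for name in os.listdir(logdir) if DATED_LOG.match(name)]
    if not dated:
        return None
    # YYYYMMDD sorts lexically in date order, so max() picks the newest day.
    return os.path.join(logdir, max(dated))


def relink_mainlog(logdir, link_name="mainlog"):
    """Point logdir/<link_name> at the newest dated log.

    The link is created under a temporary name and then renamed over the old
    one; rename() is atomic on POSIX, so a reader such as fail2ban never sees
    the link missing. Returns the basename now linked to, or None if there is
    no dated log.
    """
    target = latest_mainlog(logdir)
    if target is None:
        return None
    link = os.path.join(logdir, link_name)
    tmp = link + ".tmp"
    if os.path.lexists(tmp):            # leftover from an interrupted run
        os.unlink(tmp)
    os.symlink(os.path.basename(target), tmp)   # relative link, same directory
    os.replace(tmp, link)
    return os.path.basename(target)


def demo():
    """Constructed scenario: three daily logs, another log file that must be
    ignored, and a stale link still pointing at the oldest day."""
    logdir = tempfile.mkdtemp(prefix="eximlog-")
    for day in ("20120724", "20120725", "20120726"):
        open(os.path.join(logdir, "mainlog-" + day), "w").close()
    open(os.path.join(logdir, "paniclog"), "w").close()
    os.symlink("mainlog-20120724", os.path.join(logdir, "mainlog"))
    chosen = relink_mainlog(logdir)
    return chosen, os.readlink(os.path.join(logdir, "mainlog"))


if __name__ == "__main__":
    print(demo())
```

After `demo()` the link reads `mainlog-20120726`. In a real deployment the call would be `relink_mainlog("/var/log/exim4")` (or wherever the dated logs live) right after the new day's file appears, so the jail's logpath keeps following the current log.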

Re: Stopping Bruteforceattacks
On 26.07.2012 17:14, Chris Knadle wrote:
> On Thursday, July 26, 2012 07:51:39, Peter Velan wrote:
>> On 25.07.2012 12:30, Chris Knadle wrote:
>> > On Wednesday, July 25, 2012 04:44:32, Mihamina Rakotomandimby wrote:
>> >> If it were me, I'd filter at IP level, based on some reject log information.
>> >> That's the job of fail2ban, but I don't know if it parses Exim logs.
>> >
>> > By default fail2ban doesn't scan Exim logs, but what logs are scanned is
>> > customizable; for instance something like the following added to
>> > fail2ban's jail.conf:
>> >
>> > -----------------------
>> >
>> > #
>> > # Exim4 email MTA
>> > #
>> >
>> > [exim4]
>> >
>> > enabled = true
>> > port = smtp
>> > filter = exim4
>> > logpath = /var/log/exim4/mainlog
>> > bantime = 28800
>> > maxretry = 3
>>
>> I'm using daily mainlogs à la "mainlog-20120726". What would be an
>> elegant way to configure fail2ban in this case?
>
> For this I'd probably have logrotate remake a softlink from the daily mainlog
> file to a standard filename that fail2ban can search through. This might
> require using a postrotate/endscript.

Aah good idea, will try it this way.

Thanks,
Peter
