Hi Andreas,

Here is an exim config from one of my /etc/fail2ban/jail.conf server files on CentOS 5.6:

# GLD - This jail blocks exim authenticated SMTP dictionary attacks - bad username/password
[exim-authentication]
enabled=true
filter = exim-authentication
action = iptables-multiport[name=exim-authentication, port="25,587,2525", protocol=tcp]
logpath = /var/log/exim/main.log
maxretry = 20
findtime = 300
bantime = 900

You had maxretry = 1 in your dovecot config which I think is too low since you will have legitimate users having to retry from time to time. Here is a dovecot config from one of my /etc/fail2ban/jail.conf server files with more realistic values:

# GLD - This jail blocks dovecot IMAP/POP dictionary attacks
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/maillog
maxretry = 20
findtime = 300
bantime = 900

Of course, you should make these values whatever you think is best for your needs. However, I would not make them so restrictive that they would adversely impact your legitimate email users.

The only other thing regarding ratelimiting that I would recommend is to use iptables to ratelimit ports 20, 21 and 22 (ssh and ftp) to defend against dictionary attacks there. I ratelimit ssh and ftp to 4 attempts for every 2 minutes,
something like this (from iptables-save) prior to the ACCEPT statements for ssh and ftp:

-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j DROP
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j DROP
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j DROP
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -m recent --set --name DEFAULT --rsource

Good luck,

Gordon

On 06/16/2011 01:07 PM, Andreas Westvik wrote:
Thank you very much for your reply!
I did cat mainlog.1 | grep A=fixed and got many hits with my own username (the same username that got the error mails). So I just changed my password on that account. And I have fail2ban, but I only have a section for dovecot. I can't seem to find any one for exim4??
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
# optionally mail notification
# mail[name=dovecot-pop3imap, dest=root(a)domain]
# see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/syslog
maxretry = 1
findtime = 1200
bantime = 1200
And I have just tweaked some ratelimiting options in exim4.conf. Are there any other ratelimiting programs that can be used in Debian? The exim4u_relay_from_hosts only mentions 127.0.0.1.
-Andreas
On 16 June 2011 at 18:25, Gordon Dickens wrote:
Hi Andreas,
You need to check your exim logs to see how these emails are arriving on your server.
Exim4U's stock configuration is NOT an open relay and so, unless you have modified Exim4U's configuration, then the spam emails are most probably arriving as having been generated by authenticated user logins. Unfortunately, this hack is quite common since spammers routinely conduct dictionary attacks on SMTP and IMAP ports to obtain valid user authentication credentials. On most servers, the SMTP and IMAP authentication credentials typically use the same username/password for a given user. When successful, these dictionary attacks will yield user credentials that can subsequently be used for spamming from your server whereby the spammer masquerades as a valid authenticating user.
Look at your logs. For authenticated mail, the originating log entry should look like this:
2011-05-11 22:10:44 1QKLMS-0000lx-Gp <= valid_user(a)domain.com H=(k12-46eb5b203aa) [50.8.80.139] P=esmtpa A=fixed_login:valid_user(a)domain.com S=1340 id=CHILKAT-MID-b8da5a7e-6034-b3f6-7b3a-df92b3486c1b(a)k12-46eb5b203aa T="Spammer's Subject Title"
Note the "A=fixed_login:" in the above log entry denoting a valid authenticated user. In the above example, valid_user(a)domain.com will be a valid user on your mail server. Once you establish whose login credentials have been compromised then you should change those users' passwords and your problem will be solved.
The best way to defend against dictionary attacks is to use fail2ban or similar software for ratelimiting SMTP and IMAP authentication failures. I have used fail2ban for quite a while and it is a very reliable product that does the job well. So, when dictionary attacks do occur, you can limit the number of attempted logins to a reasonably small number that typically will not yield any results for the spammer.
If, on the other hand, your logs indicate that the mail is being relayed then someone has most probably modified the stock Exim4U configuration file and you need to reverse those modifications. Also, review the contents of the exim4u_relay_from_hosts file to make sure that you are not allowing the relays via that file.
FYI,
Gordon
On 06/16/2011 08:53 AM, Andreas Westvik wrote:
So I'm having an SMTP problem. Someone is trying to use my server as a relay for spam mail. Now, my host is blocking port 25 for outgoing mail, so it's really not working. But I want to stop SMTP in exim4. But I'm not sure how to do this with exim4u.
Here is a forum thread I made in the debian forums. http://forums.debian.net/viewtopic.php?f=5&t=65526&p=376626#p376626
Anyone know how to do this?
-Andreas

_______________________________________________
users mailing list
users(a)exim4u.org
https://exim4u.org/mailman/listinfo/users
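An added example, not code from the thread, exim4u or fail2ban, that automates the log check Gordon describes: it parses exim main.log arrival lines for "A=fixed_login:" entries and reports, per authenticated login, how many messages were submitted and from how many source addresses, so a compromised account stands out. The sample log lines are constructed (modelled on the entry quoted in the thread) and the thresholds in suspicious_logins are assumptions.

```python
#!/usr/bin/env python3
"""Triage exim main.log arrivals for authenticated submissions (A=fixed_login:...).
Added example for this thread, not exim4u or fail2ban code; the sample log lines
are constructed (modelled on the entry quoted above) and the thresholds are assumptions."""
import re
from collections import defaultdict

# exim arrival line: "date time msgid <= sender H=(helo) [ip] P=esmtpa A=authenticator:login S=size ..."
ARRIVAL_RE = re.compile(
    r"^\S+ \S+ \S+ <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\].*? A=[^:\s]+:(?P<login>\S+)"
)

# Constructed sample: one login submitting from two hosts, one ordinary user, one local bounce.
SAMPLE_LOG = """\
2011-05-11 22:10:44 1QKLMS-0000lx-Gp <= valid_user@domain.com H=(k12-46eb5b203aa) [203.0.113.45] P=esmtpa A=fixed_login:valid_user@domain.com S=1340 T="Spammer's Subject Title"
2011-05-11 22:11:02 1QKLMk-0000m1-Aa <= valid_user@domain.com H=(other-host) [198.51.100.7] P=esmtpa A=fixed_login:valid_user@domain.com S=1402 T="Another subject"
2011-05-11 22:12:15 1QKLNv-0000m9-Bc <= bob@domain.com H=(bobs-laptop) [192.0.2.10] P=esmtpa A=fixed_login:bob@domain.com S=900 T="Lunch"
2011-05-11 22:13:01 1QKLOd-0000mC-De <= <> R=1QKLMS-0000lx-Gp U=exim P=local S=2000
"""

def authenticated_submissions(log_text):
    """Return {login: {"messages": count, "ips": set of source addresses}}.
    Lines with no A= field (local, bounce or unauthenticated arrivals) are skipped."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rec = stats[m["login"]]
        rec["messages"] += 1
        rec["ips"].add(m["ip"])
    return dict(stats)

def suspicious_logins(stats, max_ips=1, max_messages=50):
    """Logins submitting from more hosts, or more messages, than one user normally would."""
    return sorted(login for login, rec in stats.items()
                  if len(rec["ips"]) > max_ips or rec["messages"] > max_messages)

if __name__ == "__main__":
    stats = authenticated_submissions(SAMPLE_LOG)
    for login, rec in sorted(stats.items()):
        print(f"{login}: {rec['messages']} message(s) from {len(rec['ips'])} host(s)")
    print("accounts to review (change password):", suspicious_logins(stats))
```

Run it against a real main.log by replacing SAMPLE_LOG with the file contents; a login appearing from many unrelated addresses, or with a message count far above its usual volume, is the one whose password should be changed first.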