Looking For Beginner/Mediocre Help

Jason Hellenthal jhellenthal at dataix.net
Mon Jan 20 22:17:37 UTC 2014


Since this is SMTP and not a service like http you might be able to benefit from throttling and then shoving into a blacklist that expires the entries after a certain period of time after they run a threshold. This is a pf example rule that would do that but still requires a table and the pf expiration program expiretable.

I use this method for ssh connections, but it should work fine for 25, 587 or otherwise.

pass in quick inet proto tcp from any port >1023 to any port = 22 keep state \
(max-src-conn 5, max-src-states 10, max-src-nodes 5, max-src-conn-rate 5/300 overload <blacklist> flush global)

-- 
 Jason Hellenthal
 Voice: 95.30.17.6/616
 JJH48-ARIN

> On Jan 20, 2014, at 16:59, "William A. Fink" <bill at billfink.com> wrote:
> 
> I hope I'm not double-posting, posting in a list I'm not supposed to, but it
> seems (to me, anyway) a great place to start. Seems it never fails, someone
> comes back and complains, this is the wrong list. (No matter which list I've
> posted to in the past.)
> 
> I've these log entries each and every single day in my security logs:
> (needless to say, there are quite a few variations they attempt to use for
> username, seems it's getting worse every day.) I've ALL of China/Korea
> blocked, might I add. There's a guy who posts the CIDR addresses for/from
> China that's ALL in my black-hole routing table. I recognize that can only
> go so far, but it did indeed help for a good while.
> 
> Any other solution(?) that anyone could help me with here? I'm simply
> looking for a simple way to stop these and/or determine where they're coming
> from. (No other log shows where they originate from.)
> 
> I'm not even certain if I'm USING SASLAUTHD, so is there a way I can
> determine where these scripts are coming from so I can easily add their IP
> to the black-hole route?
> 
> Thanks SO much in advance, and if I posted in the wrong place, please accept
> my sincerest apologies - even a one liner where to start to figure out where
> these are originating from would be a great help!
> 
> Jan 12 00:02:27 rmx saslauthd[978]: do_auth         : auth failure:
> [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 00:16:00 rmx saslauthd[980]: do_auth         : auth failure:
> [user=ups] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 00:29:36 rmx saslauthd[981]: do_auth         : auth failure:
> [user=fedex] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 00:35:03 rmx saslauthd[966]: do_auth         : auth failure:
> [user=student] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 00:43:07 rmx saslauthd[979]: do_auth         : auth failure:
> [user=fedex] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 00:56:47 rmx saslauthd[978]: do_auth         : auth failure:
> [user=phone] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 01:10:23 rmx saslauthd[980]: do_auth         : auth failure:
> [user=phone] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 01:24:04 rmx saslauthd[981]: do_auth         : auth failure:
> [user=noreply] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 01:24:56 rmx saslauthd[966]: do_auth         : auth failure:
> [user=support] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 01:37:48 rmx saslauthd[979]: do_auth         : auth failure:
> [user=noreply] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> Jan 12 01:51:20 rmx saslauthd[978]: do_auth         : auth failure:
> [user=ttest] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> 
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
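The rule Jason gives above only shows the pass rule; to actually work it needs the table, a block rule that consults it, and something to expire entries. The fragment below is an added example, not Jason's configuration and not part of the original thread: it spells out a full pf.conf fragment for ports 25 and 587 built around his rule. The interface name "em0" and the table name "blacklist" are assumptions (placeholders), and the 24 h expiry is an arbitrary choice.

```pf
# Added example, not from the original thread. "em0" and "blacklist" are
# placeholder names; replace them with your external interface and table.
ext_if = "em0"
smtp_ports = "{ 25, 587 }"

# persist keeps the table (and its entries) across a ruleset reload, so a
# "pfctl -f /etc/pf.conf" does not silently un-ban everyone.
table <blacklist> persist

# Drop sources that have already been overloaded before the pass rule is
# evaluated. Without this block rule the table does nothing on its own.
block in quick on $ext_if inet proto tcp from <blacklist> to any port $smtp_ports

# Throttle new SMTP connections per source address:
#   max-src-conn 5         at most 5 simultaneous connections from one source
#   max-src-states 10      at most 10 state entries per source
#   max-src-conn-rate 5/300  more than 5 new connections in 300 s triggers overload
#   overload <blacklist>   put the offending source address into the table
#   flush global           kill that source's existing states from all rules
pass in quick on $ext_if inet proto tcp from any port > 1023 to any port $smtp_ports \
    keep state (max-src-conn 5, max-src-states 10, \
    max-src-conn-rate 5/300, overload <blacklist> flush global)
```

Two notes on the differences from the rule in the reply above. First, Jason's rule also carries max-src-nodes 5, which caps the number of distinct source addresses that can hold state through that rule at once; that is tolerable for an ssh port used by a handful of people but on a public MTA it would turn away legitimate senders once five remote hosts are connected, so it is left out here. Second, expiry: Jason mentions the sysutils/expiretable port, which can be run from cron as `expiretable -t 24h blacklist` to drop entries older than 24 hours; pfctl itself can do the same with `pfctl -t blacklist -T expire 86400`, and `pfctl -t blacklist -T show` lists who is currently banned, which also answers the "where are they coming from" question for the SMTP sources that trip the rate limit. Bear in mind that the saslauthd lines quoted below record the username and service but no client address, so the table contents (or the MTA's own connection log) are where the source addresses will show up, not the saslauthd log.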