This is today's exim reject log:
2016-01-07 13:48:44 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 15:32:09 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 15:41:35 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 15:49:01 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 15:56:50 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:04:58 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:12:28 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:20:19 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:28:08 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:35:50 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:43:28 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:51:18 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 16:58:51 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:06:25 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:13:58 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:21:29 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:28:52 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:36:18 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:43:43 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:51:46 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 17:59:08 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:06:44 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:14:10 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:21:39 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:29:02 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:36:36 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:44:00 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:51:21 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 18:58:40 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:05:59 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:13:18 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:20:42 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:28:03 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:35:48 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:43:11 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:50:35 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 19:57:59 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:05:25 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:12:51 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:20:17 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:27:41 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
2016-01-07 20:35:06 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data ([email protected])
I don't want to wait and do nothing more. Is it possible to create a blacklist for exim populated with the IP addresses of more than 10 login attempts in 1h?
Mind that I want to create a blacklist for SMTP login attempts and not for email senders.
It looks like a poorly done hacking attempt. I've seen a few of them.
I would recommend using fail2ban to block the IP on multiple failures. You should verify the patterns as the default patterns don't always match. It handles multiple files and multiple services.
Exim does have the ability to ratelimit traffic. There are two versions and the newer version is designed to be used in ACLs. This will only slow down people trying to crack your password, but it may encourage them to try a different server. If you set the rate too low you may cause problems for legitimate users.
You could also limit auth to the Submission port. A line in the mail section like this should require both TLS encryption and the submission port before authentication is offered.
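
Added example (not part of the original answer, and not the Exim configuration line the answer refers to): a Python check of the "more than 10 failures in 1h" rule from the question against failed-AUTH reject-log lines, using a sliding window per IP. The timestamps for 212.224.87.119 are taken from the log above; the regex, the `offenders` function, the 203.0.113.5 burst, the non-matching line and the e-mail placeholder are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the failed-AUTH lines shown in the reject log (optional :port after the IP).
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\w+ authenticator failed for .*?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: 535 "
)

def offenders(lines, max_failures=10, window=timedelta(hours=1)):
    """Return {ip: peak failures} for IPs exceeding max_failures in any window.

    Assumes lines are in chronological order, as they are in a log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest count seen in any window
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue              # other reject reasons (relay, RBL, ...) are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()           # drop failures that fell out of the window
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > max_failures}

# Timestamps copied from the log above (15:32:09 through 17:06:25).
PAGE_TIMES = ["15:32:09", "15:41:35", "15:49:01", "15:56:50", "16:04:58",
              "16:12:28", "16:20:19", "16:28:08", "16:35:50", "16:43:28",
              "16:51:18", "16:58:51", "17:06:25"]
SAMPLE = [
    # Constructed non-AUTH reject line, to show it is skipped.
    "2016-01-07 15:30:00 H=(mail) [198.51.100.7] rejected RCPT "
    "<user@example.com>: relay not permitted",
] + [
    f"2016-01-07 {t} login authenticator failed for (USER) [212.224.87.119]: "
    "535 Incorrect authentication data (user@example.com)"
    for t in PAGE_TIMES
]
# Constructed fast burst: 12 failures within one minute from a documentation IP.
BURST = [
    f"2016-01-07 16:00:{s:02d} login authenticator failed for (bot) "
    "[203.0.113.5]: 535 Incorrect authentication data (user@example.com)"
    for s in range(0, 60, 5)
]

if __name__ == "__main__":
    print(offenders(SAMPLE))                             # 1h window
    print(offenders(SAMPLE, window=timedelta(hours=2)))  # 2h window
    print(offenders(sorted(SAMPLE + BURST)))             # with the burst
```

At the pace shown in the log (one attempt roughly every 7.5 minutes) the source never exceeds 8 failures in any hour, so a 10-per-hour threshold does not flag it while a two-hour window does. In fail2ban the same two knobs are `maxretry` and `findtime`.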