• Stopping Login Attempts

    From NotReal@21:1/5 to All on Fri Jul 22 02:59:59 2022
    I recently had over 53,000 login attempts in a little over 3 hours from
    a single IP address on my sendmail mail server. There were some names
    that must have been obtained from email lists, but 99% were almost
    every name you could possibly think of. I am guessing they were
    probably looking for a way to gain access to relay spam, but regardless
    of the reason, I would like to figure out a way to limit or stop such
    attempts. As near as I can tell there is no way of configuring
    sendmail to limit logins to the LAN (whitelist), but I would rank my
    sendmail skills closer to novice than guru. As a result I thought I
    would risk ridicule and ask here to be sure before looking at solutions
    such as fail2ban.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to NotReal on Thu Jul 21 22:37:44 2022
    On 7/21/22 8:59 PM, NotReal wrote:
    I recently had over 53,000 login attempts in a little over 3 hours
    from a single IP address on my sendmail mail server. There were
    some names that must have been obtained from email lists, but 99%
    were almost every name you could possibly think of.

    Sounds like a credential stuffing attack. My understanding is that they
    are quite common and often perpetrated by compromised systems.

    I am guessing they were probably looking for a way to gain access
    to relay spam,

    Likely.

    but regardless of the reason, I would like to figure out a way to
    limit or stop such attempts.

    Fair.

    As near as I can tell there is no way of configuring sendmail to
    limit logins to the LAN (whitelist), but I would rank my sendmail
    skills closer to novice than guru.

    I can't think of a solution / feature / etc. that Sendmail provides to
    limit auth requests to specific locations.

    I would wonder if a firewall or re-configuration of what IP(s) and / or
    ports that Sendmail binds to might be a viable option. E.g. only allow
    SMTP Authentication on the Message Submission Agent port (587) and only
    allow trusted clients to connect to it via firewall.

    As a result I thought I would risk ridicule and ask here to be sure
    before looking at solutions such as fail2ban.

    I'm firmly of the opinion that legitimate questions deserve an equally legitimate answer.



    --
    Grant. . . .
    unix || die

  • From Andrea Venturoli@21:1/5 to NotReal on Fri Jul 22 08:57:38 2022
    On 7/22/22 04:59, NotReal wrote:
    As a result I thought I would risk ridicule

    Not ridicule at all.



    and ask here to be sure

    AFAIK there's no such thing built into sendmail, but I'd be happy to be
    proven wrong.



    before looking at solutions such as fail2ban.

    Just my 2c...

    I'm using fail2ban and I'm fairly happy about it.
    Obviously it will block legitimate users who insist with the wrong
    password (especially some phones that don't offer any indication that
    authentication has failed and keep on trying :-[ ). This will be a
    problem if you mandate periodical password changes.

    I heard some praise crowdsec as a better fail2ban, but I haven't tried it.

  • From Marco Moock@21:1/5 to All on Fri Jul 22 10:30:25 2022
    On Friday, 22 July 2022, at 02:59:59, NotReal wrote:

    I recently had over 53,000 login attempts in a little over 3 hours
    from a single IP address on my sendmail mail server.

    You can set up a firewall (unrelated to sendmail) and just drop all
    traffic from this IP.

    Additionally, there is the access db with the Connect: statement. Maybe
    try this out.

  • From Giovanni@21:1/5 to NotReal on Fri Jul 22 10:54:28 2022
    On 7/22/22 04:59, NotReal wrote:

    I recently had over 53,000 login attempts in a little over 3 hours
    from a single IP address on my sendmail mail server.

    I had a similar problem on a server at the university and at my
    home. I used the old protection system, TCP wrappers, opening
    access only to LAN users. At home I opened access only to the server IP
    to receive maintenance activity notifications.

    Ciao
    Giovanni
    --
    A computer is like an air conditioner,
    it stops working when you open Windows.
    < http://giovanni.homelinux.net/ >

  • From Claus Aßmann@21:1/5 to NotReal on Fri Jul 22 06:20:28 2022
    NotReal wrote:

    As near as I can tell there is no way of configuring
    sendmail to limit logins to the LAN (whitelist), but I would rank my

    doc/op/op.*
    5.1.4.17. srv_features

    The srv_features ruleset is called with the connecting client's host
    name when a client connects to sendmail. This ruleset should return
    $# followed by a list of options (single characters delimited by
    white space).
    ...
    A Do not offer AUTH

    cf/README:

    About 2): the rulesets try_tls, srv_features, and clt_features can
    be used together with the access map. Entries for the access map
    must be tagged with Try_TLS, Srv_Features, Clt_Features and refer
    to the hostname or IP address of the connecting system (the latter
    is not available for clt_features). A default case can be specified
    by using just the tag.

    Srv_Features:my.domain v
    Srv_Features: V


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

  • From Henning Hucke@21:1/5 to NotReal on Fri Jul 22 09:43:59 2022
    NotReal <NotReal@nospam.com> wrote:

    Hi stranger.

    [...]
    [...], but regardless of the reason, I would like to figure out a way
    to limit or stop such attempts. As near as I can tell there is no way
    of configuring sendmail to limit logins to the LAN (whitelist), [...]

    There is no such thing as "login" with SMTP connections but only
    authenticated usage of SMTP so there is also no rate limiting specific
    to "logins"!

    Look for the "ratecontrol" and "conncontrol" features for the
    sendmail m4 config generation system and you'll find what sendmail
    offers to you to handle a situation like the one you described.

    Be aware that "ratecontrol" specifies how often connections can be
    established to a sendmail instance and "conncontrol" specifies how
    many *concurrent* connections are allowed. The difference is that one
    might allow a rate of just one connection per minute, but an attacker
    can harm the instance by just keeping connections open as long as
    possible. And the latter is controlled by specifying values for
    exactly this case.

    [...]

    Best regards,
    Henning
    --
    In theory there is no difference between theory and practice.
    In practice there is.
    Yogi Beer

  • From NotReal@21:1/5 to NotReal on Sat Jul 23 13:04:40 2022
    NotReal wrote:

    I recently had over 53,000 login attempts in a little over 3 hours
    from a single IP address on my sendmail mail server. There were some
    names that must have been obtained from email lists, but 99% were
    almost every name you could possibly think of. I am guessing they
    were probably looking for a way to gain access to relay spam, but
    regardless of the reason, I would like to figure out a way to limit
    or stop such attempts. As near as I can tell there is no way of
    configuring sendmail to limit logins to the LAN (whitelist), but I
    would rank my sendmail skills closer to novice than guru. As a
    result I thought I would risk ridicule and ask here to be sure before
    looking at solutions such as fail2ban.

    Thanks to all who replied and I have read your comments and
    suggestions.

    I did block that particular IP address at the firewall but I suspect it
    is a case of closing the barn door after the horse has gone. The next
    time any similar attack occurs, it will probably come from a new IP
    address.

    I like the suggestion to limit authentication only on port 587 as I
    suspect most users are currently using port 587 when authenticating to
    receive mail. It will definitely take some reading on my part though
    as there are some unknowns about how that would work when sending mail,
    but it seems like a worthwhile approach.

    I have never heard of crowdsec but I will look into that as well. I
    currently use fail2ban on a decoy SSH server feeding blocklist.de so I
    am familiar with how to set that up, but perhaps crowdsec has some
    features that are not available in fail2ban and tcpwrappers that were
    also suggested.

    As for Henning and Mr. Sendmail, Claus, their suggestions will take
    some more study of sendmail to fully understand and appreciate, but I
    will endeavour to do that if only for the learning experience.

    Thanks again to all.

  • From Ralph Spitzner@21:1/5 to Marco Moock on Sun Jul 24 22:04:40 2022
    Marco Moock wrote on 7/22/22 10:30 AM:
    On Friday, 22 July 2022, at 02:59:59, NotReal wrote:

    I recently had over 53,000 login attempts in a little over 3 hours
    from a single IP address on my sendmail mail server.

    You can set up a firewall (unrelated to sendmail) and just drop all
    traffic from this IP.

    just temporarily set a route
    ip route add blackhole <offending-ip>


    -rasp

  • From Andrzej Adam Filip@21:1/5 to Ralph Spitzner on Sun Jul 24 22:11:53 2022
    Ralph Spitzner <rasp@spitzner.org> wrote:
    Marco Moock wrote on 7/22/22 10:30 AM:
    On Friday, 22 July 2022, at 02:59:59, NotReal wrote:

    I recently had over 53,000 login attempts in a little over 3 hours
    from a single IP address on my sendmail mail server.
    You can set up a firewall (unrelated to sendmail) and just drop all
    traffic from this IP.

    just temporarily set a route
    ip route add blackhole <offending-ip>

    The IP address may be inside a DUL range.

    --
    [Andrew] Andrzej A. Filip

  • From Ralph Spitzner@21:1/5 to Andrzej Adam Filip on Mon Jul 25 11:46:57 2022
    Andrzej Adam Filip wrote on 7/24/22 10:11 PM:


    The IP address may be inside a DUL range.

    oh, sorry I see you apparently mean a 'Dialup user range', but anyway
    if so a "firewall" wouldn't help either and if he/she's trying to
    authenticate for a relay there will be a forward/reverse mismatch on
    that host, so it just produces some 'dust' in the logfile...

  • From Ralph Spitzner@21:1/5 to Andrzej Adam Filip on Mon Jul 25 11:41:26 2022
    Andrzej Adam Filip wrote on 7/24/22 10:11 PM:


    The IP address may be inside a DUL range.


    if by DUL you mean something like a NAT/DMZ there will still be some
    public IP, otherwise they couldn't get there....

  • From Marco Moock@21:1/5 to All on Mon Jul 25 13:46:34 2022
    On Monday, 25 July 2022, at 11:46:57, Ralph Spitzner wrote:

    oh, sorry I see you apparently mean a 'Dialup user range', but anyway
    if so a "firewall" wouldn't help either and if he/she's trying to
    authenticate for a relay there will be a forward/reverse mismatch on
    that host, so it just produces some 'dust' in the logfile...

    If so, tell the ISP the address is assigned to. They will most likely
    tell that to the customer. If the customer isn't willing to stop
    attacking other computers they might switch off his connection.

  • From J.O. Aho@21:1/5 to NotReal on Mon Jul 25 17:07:12 2022
    On 22/07/2022 04.59, NotReal wrote:
    I recently had over 53,000 login attempts in a little over 3 hours from
    a single IP address on my sendmail mail server.
    I would like to figure out a way to limit or stop such
    attempts

    In my experience, still feeling like a novice after using sendmail for
    24 years, I have never seen anything that would limit authentication
    attempts; the best tool I have seen is fail2ban. I do use it myself
    against failed authentications. I tend to have an issue where the same
    username (it seems to be a randomly generated one) is used to try to
    authenticate, but only one attempt per day from an IP. Most of the
    authentications seem to try to utilize a somewhat "recent" bug in
    sendmail which has been patched.

    I would not spend time waiting, just go with fail2ban, and it could be
    good to have it monitor your ssh too. I do run mine on a port normally
    not used, but still I get my share of Chinese and Russians trying to
    gain access.

    --

    //Aho

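The fail2ban-style approach Andrea and J.O. Aho describe, written out as an added example that is not from the thread or from fail2ban itself: it counts AUTH failures per client IP over constructed sendmail-style log lines and separates a credential-stuffing source (many usernames from one address, as the OP saw) from a single client retrying a stale password (the false-positive case Andrea raises), emitting access-map Connect: lines (the tag Marco mentions) only for the former. The window, threshold, hostnames and addresses are assumed values, not settings taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like sendmail's syslog "AUTH failure" lines (the
# line fail2ban's sendmail-auth filter keys on); IPs are documentation ranges.
SAMPLE_LOG = """\
Jul 22 02:59:59 mx sendmail[4711]: 26M0xxA04711: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=alice, relay=[192.0.2.10]
Jul 22 03:00:01 mx sendmail[4712]: 26M0xxA04712: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=bob, relay=[192.0.2.10]
Jul 22 03:00:02 mx sendmail[4713]: 26M0xxA04713: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=carol, relay=[192.0.2.10]
Jul 22 03:10:00 mx sendmail[4720]: 26M0xxA04720: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=erin, relay=phone.example.net [198.51.100.7]
Jul 22 03:10:05 mx sendmail[4721]: 26M0xxA04721: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=erin, relay=phone.example.net [198.51.100.7]
Jul 22 03:10:09 mx sendmail[4722]: 26M0xxA04722: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=erin, relay=phone.example.net [198.51.100.7]
Jul 22 05:30:00 mx sendmail[4800]: 26M0xxA04800: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=frank, relay=[203.0.113.5]
"""

AUTH_FAIL = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
                       r"AUTH failure \(\S+\):.*user=(?P<user>[^,]*), relay=.*\[(?P<ip>[^\]]+)\]")

def analyse(log_text, window_s=600, threshold=3):
    """Per client IP: peak AUTH failures inside any window_s-second window, distinct
    usernames tried, and a verdict separating credential stuffing (many usernames,
    the OP's case) from one client stuck on a stale password (Andrea's case)."""
    by_ip = defaultdict(list)
    for m in filter(None, map(AUTH_FAIL.search, log_text.splitlines())):
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        by_ip[m["ip"]].append((ts, m["user"]))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):  # two-pointer sliding window over time
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        users = {u for _, u in events}
        if peak < threshold:
            verdict = "below-threshold"
        elif len(users) == 1:
            verdict = "client-retry"  # alert a human rather than auto-blocking
        else:
            verdict = "stuffing"      # block at the firewall or in the access map
        report[ip] = {"peak": peak, "users": len(users), "verdict": verdict}
    return report

def access_map_entries(report):
    """sendmail access-map lines (the Connect: tag) rejecting the stuffing sources."""
    return [f"Connect:{ip}\tREJECT" for ip, r in sorted(report.items())
            if r["verdict"] == "stuffing"]
```

Low-and-slow patterns like the one-attempt-per-day probing Aho describes stay below any per-window threshold by design; they need a longer window or a per-username view rather than a per-IP one.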