block on first attempt if target account doesn't exist


block on first attempt if target account doesn't exist

Post by curriertech »

I periodically get hammered by distributed attacks, usually against FTP and SMTP, where the bulk of the attempts are using accounts that don't exist on my server. It would be helpful, primarily to control resource consumption, to have an option to block these attempts on the first try while these distributed attacks are happening, without affecting the default settings for valid accounts.

Re: block on first attempt if target account doesn't exist

Post by Seventh »

I'd also like to see something like this implemented. Great idea.

Re: block on first attempt if target account doesn't exist

Post by Sergio »

CSF is already configured for this using REGEX.CUSTOM.PM, a great tool that lets anyone create custom rules to block any type of attack at once; read about it in the readme file.

See some rules on the sticky viewtopic.php?f=6&t=7517
I will be adding more from time to time, or if someone else contributes to the sticky.

Sergio

Re: block on first attempt if target account doesn't exist

Post by curriertech »

Thanks, Sergio - the only issue with this approach is that the whole thing is dependent on me maintaining a list of ids that don't exist. These bots are reasonably 'creative' with the ids they use, so the list will require frequent maintenance to remain effective.

Re: block on first attempt if target account doesn't exist

Post by Sergio »

@curriertech,
I don't think so; you can construct your rule using the error message, not the IPs.

Please show us a couple of error lines and I will tell you what you can do.

Sergio

Re: block on first attempt if target account doesn't exist

Post by curriertech »

Here's an example -

2014-02-24 09:14:02 dovecot_plain authenticator failed for (BSHUNG) [113.184.191.234]:18072: 535 Incorrect authentication data (set_id=admin@nestreetriders.com)

set_id is almost always something that doesn't exist as an account on the server.

Re: block on first attempt if target account doesn't exist

Post by Sergio »

I had already created a rule for this; I added it to the sticky now.

Sergio

Re: block on first attempt if target account doesn't exist

Post by curriertech »

Thanks. The further we get into this, the more I realize that what I want to do probably isn't possible since there's nothing in the log that indicates whether or not the account actually exists. The new rule in the sticky would still only match set_id=admin@, but that wouldn't stop set_id=dell_pc. The other rule is closer but requires manual addition of the set_id values that should be blocked.

Is it possible to have these custom rules use values that are specified in a file? That would certainly allow for some simple automation of adding the set_id values.

Re: block on first attempt if target account doesn't exist

Post by Sergio »

curriertech,
you can make your own rule and set it accordingly. Your first requirement was to block any IP that wanted to access any of your domains with the account "admin@anydomain.com", so the rule that I posted does that. I even use that rule on my servers and it has blocked a lot of attempts.

Unfortunately, there is no way to have a file in which to add values, and you don't need it, as you can create a rule that blocks any IP with a bad "set_id"; unfortunately, that will block some of your customers who have a bad email configuration.
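An added illustration of the logic curriertech is after, written here for the thread and not taken from CSF or from any poster (it is a stand-alone script, not a regex.custom.pm rule): it parses the exim "authenticator failed" line quoted above, compares set_id against a list of accounts that actually exist on the server, and blocks unknown-account attempts on the first hit while real accounts keep the usual threshold. The sample log lines, IP addresses and KNOWN_ACCOUNTS are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the exim main-log format quoted in the thread;
# the client names, IPs and domains are made up for this example.
SAMPLE_LOG = """\
2014-02-24 09:14:02 dovecot_plain authenticator failed for (BSHUNG) [203.0.113.10]:18072: 535 Incorrect authentication data (set_id=admin@example.com)
2014-02-24 09:14:05 dovecot_plain authenticator failed for (dell_pc) [203.0.113.11]:2201: 535 Incorrect authentication data (set_id=dell_pc)
2014-02-24 09:14:09 dovecot_login authenticator failed for (client) [198.51.100.7]:4431: 535 Incorrect authentication data (set_id=alice@example.com)
2014-02-24 09:14:12 dovecot_login authenticator failed for (client) [198.51.100.7]:4432: 535 Incorrect authentication data (set_id=alice@example.com)
"""

# Constructed list of accounts that really exist on the server. This is the
# piece of information the thread notes is absent from the log line itself.
KNOWN_ACCOUNTS = {"alice@example.com", "bob@example.com"}

# Matches the exim line shape shown in the thread and captures IP and set_id.
AUTH_FAIL = re.compile(
    r"^\S+ \S+ dovecot_\w+ authenticator failed for .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+: 535 Incorrect authentication data "
    r"\(set_id=(?P<set_id>[^)]*)\)"
)

def parse_failures(log_text):
    """Return (ip, set_id) tuples for every exim authenticator-failure line."""
    out = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            out.append((m.group("ip"), m.group("set_id")))
    return out

def ips_to_block(log_text, known_accounts, valid_threshold=5):
    """Decide which IPs to block and why.

    A failure against an account that does not exist is blocked on the first
    attempt; failures against real accounts (possibly a customer with a bad
    mail-client configuration) are blocked only after valid_threshold attempts.
    """
    per_ip = defaultdict(int)
    block = {}
    for ip, set_id in parse_failures(log_text):
        if set_id not in known_accounts:
            block[ip] = "nonexistent account %s" % set_id
            continue
        per_ip[ip] += 1
        if per_ip[ip] >= valid_threshold:
            block[ip] = "%d failures for %s" % (per_ip[ip], set_id)
    return block

if __name__ == "__main__":
    for ip, why in ips_to_block(SAMPLE_LOG, KNOWN_ACCOUNTS).items():
        print(ip, "->", why)
```

The same regular expression could be used inside a regex.custom.pm rule, but as Sergio notes above such a rule cannot read the account list from an external file, which is why the script keeps it in code.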