[BlueOnyx:12546] Sendmail AUTH attacks
Eric Peabody
admin at bnserve.com
Fri Mar 15 11:04:18 -05 2013
We recently have seen a significant increase in password guessing
attacks using sendmail AUTH. Pam_abl blocks the user account but not
the host so the attacker switches to a different user for a while and
the attack continues. Messages like these are found in /var/log/secure:
Blocking access from (null) to service smtp, user support
The problem is the "(null)". I assume that with saslauthd running the
password check, and since saslauthd doesn't have IP address information,
the result is unavoidable.
As a result, we have added fail2ban. It is much more complicated to
configure and manage, but it provides much better protection. I've added
a number of filters, such as protecting against excessive login attempts
for WordPress sites. Since PAM is not used by such applications, pam_abl
doesn't offer any protection, while fail2ban can.
Another valuable feature with fail2ban is the ability to block repeat
offenders for long periods. This lets a casual mistake be "forgiven"
while jailing a determined attacker. Pam_abl doesn't seem to have this
capability.
Also, the current user interface for pam_abl settings is rather limited.
The shortest purge is 1 hour and that causes difficulty for customers
who never want to wait that long. If they are blocked, they make a
service call and we manually remove the block.
Anyone have a different solution?
--
Eric Peabody
admin at bnserve.com
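The two behaviours the post contrasts, per-user lockout (which an attacker defeats by rotating usernames) versus per-host lockout with an escalating ban for repeat offenders (fail2ban's maxretry/findtime/bantime plus a recidive-style long ban), as an added example run over constructed log lines. This is illustration code written for this page, not fail2ban's or pam_abl's own logic; the log line format, the timestamps expressed as plain seconds, the IP addresses and the thresholds are all assumptions made for the example.

```python
"""Per-user versus per-host lockout over a constructed AUTH failure log.

Added example, not fail2ban or pam_abl code.  The log format below is an
ASSUMPTION that only loosely resembles a sendmail/saslauthd AUTH failure
line; the leading field is seconds since an arbitrary start so that the
example runs offline and deterministically.
"""
import re
from collections import defaultdict, deque

# Constructed sample log: one attacker host (203.0.113.5) rotating usernames,
# returning twice after its ban expires, and one customer (198.51.100.7)
# who mistypes a password twice.  Hosts are documentation-range addresses.
SAMPLE_LOG = """\
0 sendmail: AUTH failure (LOGIN): user=support [203.0.113.5]
5 sendmail: AUTH failure (LOGIN): user=support [203.0.113.5]
10 sendmail: AUTH failure (LOGIN): user=sales [203.0.113.5]
15 sendmail: AUTH failure (LOGIN): user=sales [203.0.113.5]
20 sendmail: AUTH failure (LOGIN): user=info [203.0.113.5]
100 sendmail: AUTH failure (LOGIN): user=eric [198.51.100.7]
105 sendmail: AUTH failure (LOGIN): user=eric [198.51.100.7]
4000 sendmail: AUTH failure (LOGIN): user=admin [203.0.113.5]
4005 sendmail: AUTH failure (LOGIN): user=root [203.0.113.5]
4010 sendmail: AUTH failure (LOGIN): user=postmaster [203.0.113.5]
8000 sendmail: AUTH failure (LOGIN): user=webmaster [203.0.113.5]
8005 sendmail: AUTH failure (LOGIN): user=test [203.0.113.5]
8010 sendmail: AUTH failure (LOGIN): user=guest [203.0.113.5]
"""

# Assumed line shape: "<seconds> ... user=<name> [<ipv4>]".  A real fail2ban
# filter would use its <HOST> placeholder and the date pattern of the log.
LINE_RE = re.compile(r"^(?P<t>\d+) .*user=(?P<user>\S+) \[(?P<host>[\d.]+)\]$")


def parse_failures(text):
    """Return a list of (seconds, user, host) for every matching line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m["t"]), m["user"], m["host"]))
    return out


class Banlist:
    """Sliding-window lockout keyed on whatever the caller passes (a user
    name for pam_abl-style blocking, a host for fail2ban-style blocking).

    maxretry failures within findtime seconds trigger a ban of bantime
    seconds; the recidive_after-th ban of the same key becomes a long
    recidive_bantime ban instead, so a casual mistake is forgiven while a
    host that keeps coming back is jailed for a week.
    """

    def __init__(self, maxretry=3, findtime=600, bantime=3600,
                 recidive_after=3, recidive_bantime=7 * 86400):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.recidive_after = recidive_after
        self.recidive_bantime = recidive_bantime
        self.failures = defaultdict(deque)   # key -> recent failure times
        self.banned_until = {}               # key -> expiry time
        self.ban_count = defaultdict(int)    # key -> number of bans so far
        self.bans = []                       # (time, key, duration) events

    def is_banned(self, key, t):
        return self.banned_until.get(key, -1) > t

    def observe(self, key, t):
        """Record one failure; return a ban event if this one triggers a ban."""
        if self.is_banned(key, t):
            # Already blocked: with a firewall rule in place this attempt
            # would have been dropped before reaching sendmail at all.
            return None
        window = self.failures[key]
        window.append(t)
        while window and window[0] < t - self.findtime:
            window.popleft()
        if len(window) < self.maxretry:
            return None
        window.clear()
        self.ban_count[key] += 1
        if self.ban_count[key] >= self.recidive_after:
            duration = self.recidive_bantime
        else:
            duration = self.bantime
        self.banned_until[key] = t + duration
        event = (t, key, duration)
        self.bans.append(event)
        return event


def ban_by_user(failures):
    """pam_abl-style: count failures per account, ignoring the source host."""
    bl = Banlist()
    for t, user, _host in failures:
        bl.observe(user, t)
    return bl.bans


def ban_by_host(failures):
    """fail2ban-style: count failures per source host across all accounts."""
    bl = Banlist()
    for t, _user, host in failures:
        bl.observe(host, t)
    return bl.bans


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print("per-user bans:", ban_by_user(events))
    print("per-host bans:", ban_by_host(events))
```

With these constructed lines the per-user policy never bans anyone, because the attacker spreads 11 failures over 9 account names; the per-host policy bans 203.0.113.5 three times, the third time for a week, while the customer's two mistakes at 198.51.100.7 stay below the threshold. In fail2ban the same shape is a jail with maxretry/findtime/bantime for the sendmail AUTH filter plus the stock recidive jail, which watches fail2ban's own log for hosts banned repeatedly.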