Comments on That grumpy BSD guy: A New Year, a New Round of pop3 Gropers from China
Blog author: Peter N. M. Hansteen (http://www.blogger.com/profile/12852746787621165833)

Comment by Jason Stephenson (https://www.blogger.com/profile/10445821536426911454), 2017-01-22T15:01:56+01:00:

Peter,

First, thank you for the blog, the PF tutorials, and The Book of PF. Your work has been most helpful.

Second, I've noticed a different trend in the attacks on my email server.

1. My attackers originate from Ukraine, Romania, and Belize, and not from China, based on IP address/whois information.

2. They attack the SMTP submission port, 587, and not POP3 or IMAP.

3. I typically go days and days without an attack, then I get an attack lasting a few hours from a single IP address.

After noticing this activity in my SMTP logs last year, I added a daily periodic job to find these authentication errors and add them to the email. These appear most obviously in the /var/log/maillog on my FreeBSD mail server. This has been useful in making me aware of the attacks and their relative infrequency.

I presently run my firewall on an OpenBSD machine that acts as my network router. I am working on configuration to enable PF on the mail server itself. I then plan to use a syslog.conf entry to route the authentication failures through a script that will block these attackers in PF after so many auth failures.

I already have a rule on my main firewall to block fast SSH attackers, but I don't worry about slow SSH attacks because I require key pair authentication. It always amuses me to see all of the log lines from these attacks that will never succeed.

It looks like SMTP and IMAP are the last entry points to my systems that permit password authentication. I plan to add something like a bouncer to keep the bad guys out. With any luck, I'll even blog about it so others can learn from this experience and build on it.

Cheers, and keep up the good work!

Jason Stephenson