Preventing Sendmail Brute Force Attack on Solaris 10

4

I want to dynamically block specific connections that use the same IP address based on a rate or connection limit. Is this possible using Solaris/IPF or some sendmail extension? I want to limit sendmail login attempts to prevent brute force attacks.

In Linux it's easily handled on the iptables firewall layer, but I haven't been able to figure out a way to use ipf to limit it on the firewall layer. Sendmail has a built-in rate limit and connection limit, but it appears to be applied to all users, so if we're experiencing a DoS or DDoS it would block all our users instead of just the attacker.

Andrew Case

Posted 2011-05-14T22:49:51.250

Reputation: 176

When is sendmail ever not used in remote access mode? If I needed a local mail server, I would just purge Sendmail and install Exim. – RapidWebs – 2014-07-02T17:11:05.283

Do you really require that sendmail not be run in local mode? Just allowing remote access to the daemon can be dangerous even with finite login attempts. Not to mention that nowadays even script kiddies can use a brute force attack with shifting IPs by piggybacking on other people's botnets. – Blomkvist – 2011-05-14T23:49:12.453

Yes, it really needs to be accessible remotely. I understand the security implications, I just need to mitigate them. – Andrew Case – 2011-05-15T14:38:11.190

Answers

1

I solve this by adding another rule in syslog / rsyslog to pipe mail.* messages to a fifo in /etc/mail/mailban/syslog_fifo

I then made a daemon to read syslog_fifo, parse the sendmail messages, and act on what is found. The history of each IP address and activity is tracked through a 1.5 million(!) row MySQL table. Offending IP addresses are added to a ban chain in iptables for various durations/ports depending on various criteria, and life goes on sweetly...

A simple cron task runs every hour and releases old IP addresses and updates the status in the database accordingly.

Now I made the software automatically compile and sanitize log records, find the responsible abuse address for the IP and then send a report informing the ISP of unsociable behaviour. It works in about 5% of cases, and helps a little to clean up the net.

This also then requires a blacklist of delinquent ISPs that don't accept or ignore these types of complaints, and this evolves over time.

I also use another similar solution for ssh, pop3, httpd attacks.

I don't know of any other software that does this, but I could help you develop a solution although I'm most familiar with RedHat/Fedora.

Andy Lee Robinson

Posted 2011-05-14T22:49:51.250

Reputation: 908
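The core of the answer above (read sendmail's syslog output, count failures per source IP over a window, and ban repeat offenders for a limited time) can be shown in a few dozen lines. The following is an added illustration, not the answerer's daemon nor anything from sendmail or ipf. It assumes the sendmail `AUTH failure ... relay=[a.b.c.d]` log line shape (my approximation), a constructed sample log, and ipf rule text of the form `block in quick proto tcp from <ip> to any port = 25`; it only builds the rule strings, leaving the actual firewall update to the operator, and `expired()` plays the role of the hourly cron release.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of a sendmail AUTH-failure line as relayed by syslog. This regex is an
# approximation written for this example (assumption), not taken from the post.
AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"AUTH failure .*?relay=(?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_ts(text):
    # syslog timestamps carry no year; the default (1900) is fine for in-year deltas
    return datetime.strptime(text, "%b %d %H:%M:%S")


class FailureTracker:
    """Sliding-window count of AUTH failures per source IP; bans only the
    offending address, not every client the way a global sendmail limit would."""

    def __init__(self, threshold=5, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                  # ip -> timestamp of the ban decision

    def observe(self, line):
        """Feed one log line; return the IP if this line triggers a ban, else None."""
        m = AUTH_FAIL.search(line)
        if not m:
            return None  # not an AUTH failure (success lines, queue lines, noise)
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.banned:
            self.banned[ip] = ts
            return ip
        return None

    def ipf_rules(self, port=25):
        """ipf rule text for every banned IP (assumed syntax; verify on your system)."""
        return ["block in quick proto tcp from %s to any port = %d" % (ip, port)
                for ip in sorted(self.banned)]

    def expired(self, now, ban_duration=timedelta(hours=1)):
        """IPs whose ban has aged out, i.e. what the hourly cron job would release."""
        return sorted(ip for ip, t in self.banned.items() if now - t >= ban_duration)


# Constructed sample log: five failures from 192.0.2.10 inside two minutes, and a
# legitimate user at 198.51.100.7 who mistypes once and then authenticates.
SAMPLE_LOG = """\
May 14 22:49:51 mx1 sendmail[1234]: p4EMnpAB001234: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=admin, relay=[192.0.2.10]
May 14 22:49:53 mx1 sendmail[1235]: p4EMnrAB001235: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=root, relay=[192.0.2.10]
May 14 22:50:02 mx1 sendmail[1236]: p4EMo2AB001236: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=test, relay=[192.0.2.10]
May 14 22:50:10 mx1 sendmail[1237]: p4EMoAAB001237: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=alice, relay=mail.example.net [198.51.100.7]
May 14 22:50:20 mx1 sendmail[1238]: p4EMoKAB001238: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=info, relay=[192.0.2.10]
May 14 22:50:31 mx1 sendmail[1239]: p4EMoVAB001239: AUTH=server, relay=mail.example.net [198.51.100.7], authid=alice, mech=LOGIN, bits=0
May 14 22:50:45 mx1 sendmail[1240]: p4EMojAB001240: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, user=sales, relay=[192.0.2.10]
"""


def run(log_text=SAMPLE_LOG):
    """Replay a log; return (IPs banned in order, ipf rules to apply)."""
    tracker = FailureTracker()
    banned = [ip for ip in (tracker.observe(l) for l in log_text.splitlines()) if ip]
    return banned, tracker.ipf_rules()


if __name__ == "__main__":
    ips, rules = run()
    print("banned:", ips)
    print("\n".join(rules))
```

In production the lines would come from the FIFO the answer describes rather than a string, and the rule strings would be fed to ipf with a bounded ban duration so that a legitimate user behind a shared address regains access once `expired()` reports them.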