CSF/LFD: allowing only one or a few countries access to SMTPAUTH?

BBM (Verified User, joined Jun 8, 2013, 415 messages, location: Dutch Mountains)
Need a little help here trying to get rid of all the mail-login attempts on my server.

CSF is reporting a lot of "blocked distributed smtpauth attacks" in my logs recently. Although the attempts don't do much harm (still) and the IPs get blocked nicely, I'd simply like them to 'bugger off' altogether, since they have no business on my server, and I don't want the server to waste resources dealing with this.
I don't have users outside my own country (NL) that need mail logins, so IMO there would be no need to let the rest of the world keep trying to get in.

On the server I already have a few countries blocked from all access to the server through CSF, but I would like to do the opposite and 'allow' only selected countries access to SMTPAUTH.

I've been eyeballing the ALLOW possibilities in CSF a few times, but because of the many options it's still not really clear to me what to enter where.
Any help or pointers are appreciated.
 
If I recall correctly, you need your allow first, so you should allow all IP ranges for Netherlands providers through port 587, and then afterwards block all port 587 access from all IPs.

I'm not sure if you can do specific port allow and deny through CSF, so you may need to do some studying and even write some entries by hand.

Note that even if you get it all right you could run into problems, for example when your users are travelling outside the country and cannot send email.

Jeff
 
Any help or pointers are appreciated.

Check this:

auth_advertise_hosts

If any server authentication mechanisms are configured, Exim advertises them in response to an EHLO command only if the calling host matches this list. Otherwise, Exim does not advertise AUTH. Exim does not accept AUTH commands from clients to which it has not advertised the availability of AUTH. The advertising of individual authentication mechanisms can be controlled by the use of the server_advertise_condition generic authenticator option on the individual authenticators. See chapter 33 for further details.

...
...
...

If you want to advertise the availability of AUTH only when the connection is encrypted using TLS, you can make use of the fact that the value of this option is expanded, with a setting like this:

Code:
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

If $tls_in_cipher is empty, the session is not encrypted, and the result of the expansion is empty, thus matching no hosts. Otherwise, the result of the expansion is *, which matches all hosts.


Just a raw idea of mine: I'd completely disable AUTH on port 25 and leave it only on port 587. And/or allow AUTH only over TLS/SSL.
 
But of course, if your network device, mobile phone or smartphone (or probably a PHP script) does not support SSL/TLS, then it won't be able to connect to SEND emails if you use the example from my previous post.
 
I thought about the fact that a user could travel to another country. I could decide to also allow mail access for nearby/adjacent countries in those cases.
Thanks for the pointers and info. I'll look into them.
 
Struggling with this myself, that's how I found this thread.

CSF, configserver firewall has an option:
This option will only allow SMTP AUTH to be advertised to the IP addresses
listed in /etc/csf/csf.smtpauth on EXIM mail servers

The additional option CC_ALLOW_SMTPAUTH can be used with this option to
additionally restrict access to specific countries

This is to help limit attempts at distributed attacks against SMTP AUTH which
are difficult to achieve since port 25 needs to be open to relay email

The reason why this works is that if EXIM does not advertise SMTP AUTH on a
connection, then SMTP AUTH will not accept logins, defeating the attacks
without restricting mail relaying

Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
that the lookup file in /etc/exim.smtpauth is regenerated from the
information from /etc/csf/csf.smtpauth plus any countries listed in
CC_ALLOW_SMTPAUTH

NOTE: To make this option work you MUST make the modifications to exim.conf
as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
after enabling the option here, otherwise this option will not work

To enable this option, set to 1 and make the exim configuration changes
To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = 1

From the readme.txt:
1. Modify your active exim.conf and add the following as a single line near the
top all on one line:

auth_advertise_hosts = ${if match_ip{$sender_host_address}{iplsearch;/etc/exim.smtpauth}{*}{}}

2. Restart exim

I checked what the active exim and config files are:
# whereis exim
exim: /usr/sbin/exim /etc/exim.pl /etc/exim.cert /etc/exim.key /etc/exim.smtpauth /etc/exim.conf /usr/share/man/man8/exim.8.gz


Added auth_advertise_hosts = ${if match_ip{$sender_host_address}{iplsearch;/etc/exim.smtpauth}{*}{}} to /etc/exim.conf near the top just below all the commenting.

Restarted everything as instructed.
Left /etc/csf/csf.smtpauth empty, because I wanted to check if exim is blocking my IP.
/etc/csf/csf.smtpauth:
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following IP addresses will allow EXIM to advertise SMTP AUTH
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# You need to enable SMTPAUTH_RESTRICT and modify the exim configuration to use
# this file. CC_ALLOW_SMTPAUTH can also be used to allow whole Country Codes

CSF generates /etc/exim.smtpauth:
# DO NOT EDIT THIS FILE
#
# Modify /etc/csf/csf.smtpauth and then restart csf and then lfd

127.0.0.0/8
"::1"
"::1/128"

But still I can send mail! I expected to be blocked as I did not submit my IP address to /etc/exim.smtpauth --> /etc/exim.smtpauth.
My connection to exim is secure though; that might interfere.
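To see what the CSF/Exim lookup from the readme actually decides for a given client address, here is an added Python model of the expansion (example code written for this thread, not CSF's or Exim's own): it parses a file in the format of the generated /etc/exim.smtpauth (the first three entries mirror the file above; the 192.0.2.0/24 and 2001:db8::/32 entries are constructed documentation ranges) and reports whether AUTH would be advertised, optionally combined with the TLS-only condition from the earlier reply.

```python
import ipaddress

# Constructed sample in the format of the CSF-generated /etc/exim.smtpauth.
# The first three entries mirror the thread's file; the last two are
# documentation ranges added to exercise CIDR and quoted-IPv6 handling.
SAMPLE_EXIM_SMTPAUTH = """\
# DO NOT EDIT THIS FILE
#
# Modify /etc/csf/csf.smtpauth and then restart csf and then lfd

127.0.0.0/8
"::1"
"::1/128"
192.0.2.0/24
"2001:db8::/32"
"""


def parse_iplsearch(text):
    """Turn iplsearch-style file contents into a list of ip_network objects.
    Blank lines and '#' comments are skipped. A key is an IPv4/IPv6 address
    or CIDR network; IPv6 keys are double-quoted because they contain colons.
    Anything after the key (e.g. ': data') is ignored; only the key matters."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            key = line[1:line.index('"', 1)]   # quoted IPv6 key
        else:
            key = line.split()[0].rstrip(":")  # bare key, optional ':' data
        nets.append(ipaddress.ip_network(key, strict=False))
    return nets


def advertise_auth(sender_host_address, nets, tls_in_cipher=None, require_tls=False):
    """Model the thread's auth_advertise_hosts expansions for one connection.
    match_ip{$sender_host_address}{iplsearch;...} succeeds when the client
    address lies in a listed network: the expansion yields '*' (AUTH offered),
    otherwise '' (AUTH withheld, so login attempts are refused outright).
    With require_tls=True the $tls_in_cipher check is applied as well: an
    empty cipher means the session is not encrypted, so nothing is offered."""
    addr = ipaddress.ip_address(sender_host_address)
    if require_tls and not tls_in_cipher:
        return False
    return any(addr in net for net in nets)
```

To check the live server instead of the model, feed the real file via open("/etc/exim.smtpauth").read(); Exim's own `exim -bh <client-ip>` test session also shows whether the EHLO reply includes an AUTH line for that address.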
 
A day ago one of my users' mail accounts got hacked and started sending spam. I was lucky to catch it in the act and it only managed to send out 32 emails.

But since the user changed the password, my server is now getting hit often with a botnet trying to log in to his mail account again.
So I'm starting to look into hardening the mail system so it only allows login access to connections from certain countries defined by the country codes.
 
I should not worry about it and ignore the botnet attempts. The botnet's tries will stop eventually too.

If you block countries with CSF (or iptables directly) it will take a great effort on your iptables rules and it could even make things slower due to all the lines which need to be checked, and it will use more memory.
 
The login-attempts indeed have stopped on this account.

I'm already using CC-blocking for regular traffic to the server but my idea was to further block, or actually only allow a couple of countries access for just the mail-service on the server.
But I could see the implications of the increased blocking rules and such.
 
Hi all,

I am new to this.

This is a great feature.

Can the below be achieved?

1. Receive email from any IP and access the website on the server
2. Only allow email AUTH from specific countries

Thank you.