Exim: limit AUTH LOGIN retries in same connection

Tha_Duck (Verified User, joined Jul 20, 2012, 9 messages)
Is it possible to limit the number of retries for AUTH LOGIN in Exim? We have some security in place to limit the number of connections per minute, but what happens now is that brute force attacks just use one connection. If you look at SSH, for example, after 3 retries the connection is dropped; it would be great if that were possible with Exim too.

Too bad I cannot find any information on that topic; the ideal situation would be if I were able to drop the connection after 10 unsuccessful tries.

Server info:
DirectAdmin 1.45.2
Exim 4.76
Exim.pl version 10 (no idea if it is safe to just update?)

Thanks!
 
Is it possible to limit the amount of retries for AUTH LOGIN to Exim?

Hello,

check this:

smtp_accept_max_nonmail (Use: main; Type: integer; Default: 10)

Exim counts the number of “non-mail” commands in an SMTP session, and drops the connection if there are too many. This option defines “too many”. The check catches some denial-of-service attacks, repeated failing AUTHs, or a mad client looping sending EHLO, for example. The check is applied only if the client host matches smtp_accept_max_nonmail_hosts.

When a new message is expected, one occurrence of RSET is not counted. This allows a client to send one RSET between messages (this is not necessary, but some clients do it). Exim also allows one uncounted occurrence of HELO or EHLO, and one occurrence of STARTTLS between messages. After starting up a TLS session, another EHLO is expected, and so it too is not counted. The first occurrence of AUTH in a connection, or immediately following STARTTLS is not counted. Otherwise, all commands other than MAIL, RCPT, DATA, and QUIT are counted.

smtp_accept_max_nonmail_hosts (Use: main; Type: host list †; Default: *)
You can control which hosts are subject to the smtp_accept_max_nonmail check by setting this option. The default value makes it apply to all hosts. By changing the value, you can exclude any badly-behaved hosts that you have to live with.


http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html
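As an added example that is not part of this thread and not Exim's own code: a small Python model of the counting rules the quoted documentation describes, together with a constructed main-section fragment carrying both options. The counting is a simplified reading of the spec (MAIL, RCPT, DATA and QUIT never counted; one uncounted RSET, HELO/EHLO and STARTTLS per message; the EHLO and AUTH following STARTTLS and the first AUTH of the connection uncounted; the connection dropped once the count exceeds the limit), the host-list matcher handles only `*`, `!` negation and exact addresses, and every IP address and session is constructed. It shows why the single-connection AUTH LOGIN loop the original post describes is cut off at the 13th command with the default of 10, while a normal submission and an exempted host are never affected.

```python
"""Model of Exim's smtp_accept_max_nonmail counting, as the quoted spec
describes it. Added example, not Exim's own code: the rules are a simplified
reading of the documentation and the host-list matcher covers only a subset
of Exim's host-list syntax ('*', '!' negation, exact addresses)."""
from __future__ import annotations

import re

# Constructed main-section fragment. 10 is also Exim's default; the host list
# exempts one (constructed) trusted relay address from the check.
MAIN_CONFIG = """
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = !192.0.2.10 : *
"""

MAIL_COMMANDS = {"MAIL", "RCPT", "DATA", "QUIT"}   # never counted


def read_option(config: str, name: str) -> str:
    """Return the value of one main-section option from a config fragment."""
    match = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.+?)\s*$", config, re.M)
    if match is None:
        raise KeyError(name)
    return match.group(1)


def host_is_checked(host_list: str, ip: str) -> bool:
    """First matching item decides, as in an Exim host list (subset only)."""
    for item in (part.strip() for part in host_list.split(":")):
        negated = item.startswith("!")
        pattern = item.lstrip("!").strip()
        if pattern in ("*", ip):
            return not negated
    return False  # nothing matched: host is not subject to the limit


def nonmail_drop_point(commands: list[str], limit: int) -> int | None:
    """Return the 1-based position of the command at which the non-mail
    count first exceeds `limit` (where Exim would drop the connection),
    or None if the whole session stays within the limit."""
    count = 0
    first_auth_seen = False
    after_starttls = False
    # one uncounted RSET, HELO/EHLO and STARTTLS per message
    free = {"RSET": 1, "HELO": 1, "STARTTLS": 1}
    for pos, line in enumerate(commands, 1):
        verb = line.split(None, 1)[0].upper()
        if verb in MAIL_COMMANDS:
            if verb == "DATA":            # message done: allowances refresh
                free = {"RSET": 1, "HELO": 1, "STARTTLS": 1}
            continue
        if verb == "EHLO":
            verb = "HELO"
        counted = True
        if verb in free and free[verb] > 0:
            free[verb] -= 1
            counted = False
        elif verb == "HELO" and after_starttls:   # EHLO expected after TLS
            counted = False
        elif verb == "AUTH" and (not first_auth_seen or after_starttls):
            counted = False
        first_auth_seen = first_auth_seen or verb == "AUTH"
        after_starttls = verb == "STARTTLS" or (after_starttls and verb == "HELO")
        if counted:
            count += 1
            if count > limit:
                return pos
    return None


def would_be_dropped_at(commands: list[str], client_ip: str,
                        config: str = MAIN_CONFIG) -> int | None:
    """Apply both options: exempt hosts are never dropped by this check."""
    hosts = read_option(config, "smtp_accept_max_nonmail_hosts")
    if not host_is_checked(hosts, client_ip):
        return None
    limit = int(read_option(config, "smtp_accept_max_nonmail"))
    return nonmail_drop_point(commands, limit)


# Constructed sessions: a legitimate submission and a single-connection
# password-guessing loop of the kind the original post describes.
NORMAL_SESSION = ["EHLO client.example", "STARTTLS", "EHLO client.example",
                  "AUTH LOGIN", "MAIL FROM:<a@example>", "RCPT TO:<b@example>",
                  "DATA", "QUIT"]
GUESSING_SESSION = ["EHLO client.example"] + ["AUTH LOGIN"] * 15

if __name__ == "__main__":
    print("normal  :", would_be_dropped_at(NORMAL_SESSION, "198.51.100.7"))    # None
    print("guessing:", would_be_dropped_at(GUESSING_SESSION, "198.51.100.7"))  # 13
    print("exempt  :", would_be_dropped_at(GUESSING_SESSION, "192.0.2.10"))    # None
```

Lowering smtp_accept_max_nonmail below the default tightens the cut-off, but the counter is per connection: a client that reconnects for every guess is still governed only by the per-minute connection limit the original post already has in place, so the two controls complement rather than replace each other.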