Moderating Brute force attacks to smtp auth


Verified User
May 26, 2006

I used this to automatically block brute force dictionary smtp auth attacks to my smtp server:

tail -f /var/log/exim/rejectlog | grep --line-buffered "535 Incorrect authentication data" | grep --line-buffered "[email protected]" | awk '{ gsub(/\[/,""); gsub(/\]:/,""); print $8; fflush() } ' | xargs -I'{}' /sbin/ipfw add 40000 deny ip from {} to me

The tail -f feeds it the rejects as they happen,
the first grep narrows it down to failed auth attempts,
the second grep is optional and isolates a specific account that was being attacked,
the awk removes the []: from the IP (column 8) (there may be a better regex, I'm no master),
and xargs feeds it to ipfw to block.

I just run this in a "screen" session and then disconnect so I can go back later to see what it's been doing.

You need to, of course, clean this up from time to time, as most attacks are from dynamic IP zombies; just delete all the ipfw rules at 40000, then run the script again.

Good luck!
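
An added example, not part of the original post: a variant of the same log-to-ipfw idea that goes further by finding the address by its position before "535" instead of by column number, validating it as IPv4, and emitting a rule only once an address reaches a failure threshold. The names failed_auth_ips, block_cmds, sample_log and THRESHOLD are hypothetical, and the sample lines are constructed on the assumption that reject lines look like "... [addr]: 535 Incorrect authentication data ...".

```shell
#!/bin/sh
# Added example, not from the original post. THRESHOLD and the sample log
# lines are assumptions; the ipfw rule text is the one used in the post.
THRESHOLD=${THRESHOLD:-3}

# Read reject-log lines on stdin; print each IPv4 address once, at the moment
# it reaches THRESHOLD failed SMTP AUTH attempts.
failed_auth_ips() {
  awk -v limit="$THRESHOLD" '
    /535 Incorrect authentication data/ {
      # Anchor on "[addr]: 535" instead of a column number: the reverse-DNS
      # and HELO fields before it vary in count and are chosen by the client.
      if (!match($0, /\[[0-9.]+\]: 535 /)) next
      ip = substr($0, RSTART + 1, RLENGTH - 8)
      # Accept only four decimal octets in 0..255.
      if (split(ip, o, ".") != 4) next
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
      if (++hits[ip] == limit) { print ip; fflush() }
    }'
}

# Print (do not run) one ipfw command per address so rules can be reviewed.
block_cmds() {
  while read -r ip; do
    printf '/sbin/ipfw add 40000 deny ip from %s to me\n' "$ip"
  done
}

# Constructed sample input (documentation addresses, made-up hosts).
sample_log() {
  cat <<'EOF'
2006-05-26 10:15:01 plain authenticator failed for (mail) [192.0.2.10]: 535 Incorrect authentication data (set_id=info)
2006-05-26 10:15:02 login authenticator failed for host.example.net (mail) [192.0.2.10]: 535 Incorrect authentication data (set_id=info)
2006-05-26 10:15:03 plain authenticator failed for (mail) [198.51.100.7]: 535 Incorrect authentication data (set_id=sales)
2006-05-26 10:15:04 plain authenticator failed for (mail) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)
2006-05-26 10:15:05 plain authenticator failed for (x) [999.1.1.1]: 535 Incorrect authentication data (set_id=a)
2006-05-26 10:15:06 H=(mail) [203.0.113.5] rejected RCPT <user@example.org>: relay not permitted
EOF
}

sample_log | failed_auth_ips | block_cmds
```

To use it live, feed failed_auth_ips from tail -f on the reject log and pipe block_cmds into sh once the printed rules look right.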