LinuxQuestions.org
Old 02-24-2015, 12:23 PM   #1
w_hairst
LQ Newbie
 
Registered: Feb 2015
Posts: 19

Rep: Reputation: 0
sendmail login tarpit


I've been running a small (mostly just me!) mail/web/game server for years. I get a lot of login attempts on SMTP 25 (I'm running sendmail). On my server, the only legitimate use for logging in on port 25 is Webmail sending a message - and it logs in from/to localhost.

Is there a reasonably easy way to tarpit login attempts on port 25 that aren't coming from 127.0.0.1 / on the loopback interface, while leaving non-login (incoming) mail delivery alone?
 
Old 03-03-2015, 11:24 AM   #2
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
You can't "log in" to a sendmail box on port 25. All you can do is connect to the sendmail daemon and issue commands that it understands.

Code:
user@sendmail ~]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 sendmail.domain.com ESMTP Sendmail 8.14.4/8.14.8; Tue, 3 Mar 2015 10:53:47 -0600
ehlo x
250-sendmail.domain.com Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
quit
Connection closed by foreign host.
Tarpitting is something you do to slow down spammers once they know sendmail is there. I think you mean you'd like to block some foreign IP space from even making a connection.
Here's one way of doing that:

Code:
#!/bin/bash
### Block all traffic from AFGHANISTAN (af) and CHINA (cn) and RUSSIA (ru). Use ISO code ###
ISO="af cn ru"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

# NOTE: this flushes every existing rule and chain in all tables and resets
# the policies to ACCEPT, so any firewall you already have is wiped first.
cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"

# clean old rules
cleanOldRules

# create a new iptables list
$IPT -N "$SPAMLIST"

for c in $ISO
do
        # local zone file
        tDB="$ZONEROOT/$c.zone"

        # get fresh zone file; skip the country if the download fails,
        # otherwise an empty file would silently add no rules
        $WGET -q -O "$tDB" "$DLROOT/$c.zone" || { echo "download of $c.zone failed" >&2; continue; }

        # country specific log message
        SPAMDROPMSG="$c Country Drop"

        # get the CIDR blocks, skipping comment and blank lines
        BADIPS=$($EGREP -v "^#|^$" "$tDB")
        for ipblock in $BADIPS
        do
           $IPT -A "$SPAMLIST" -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG"
           $IPT -A "$SPAMLIST" -s "$ipblock" -j DROP
        done
done

# hook the new chain into INPUT; without this the chain is populated
# but never consulted, so nothing is actually blocked
$IPT -I INPUT -j "$SPAMLIST"
You could put rules in your /etc/sysconfig/iptables, instead:

Code:
-A INPUT -s 182.61.0.0/16 -j LOG
-A INPUT -s 182.61.0.0/16 -j DROP
 
Old 03-04-2015, 07:09 AM   #3
w_hairst
LQ Newbie
 
Registered: Feb 2015
Posts: 19

Original Poster
Rep: Reputation: 0
When I said "log in", I was referring to SMTP AUTH - provide a username and password to get higher-than-nobody privileges, like sending outgoing mail. I get dozens or hundreds of AUTH attempts a day (once got 13,000+), and NONE are legitimate. The spammers/crackers know the server is there. Yes, I'd like to tarpit them, based on the fact that they are performing illegitimate AUTH attempts (any AUTH attempt is illegitimate here!). Since I don't necessarily know all countries where legitimate email is coming from, I don't want to block connections by country.

Summary - "login" meaning AUTH, and tarpit meaning tarpit.
 
Old 03-04-2015, 08:06 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Originally Posted by w_hairst View Post
When I said "log in", I was referring to SMTP AUTH - provide a username and password to get higher-than-nobody privileges, like sending outgoing mail. I get dozens or hundreds of AUTH attempts a day (once got 13,000+), and NONE are legitimate. The spammers/crackers know the server is there. Yes, I'd like to tarpit them, based on the fact that they are performing illegitimate AUTH attempts (any AUTH attempt is illegitimate here!). Since I don't necessarily know all countries where legitimate email is coming from, I don't want to block connections by country.

Summary - "login" meaning AUTH, and tarpit meaning tarpit.
You can use fail2ban to block repeating offenders IPs for a certain amount of time
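What fail2ban does for this case, written out as shell so the logic is visible. This is an added example, not code from the thread or from fail2ban: it counts sendmail AUTH failures per client IP in a maillog and prints DROP rules for port 25 for every IP at or above a threshold. The sample log lines are constructed and follow the shape of sendmail's "AUTH failure ... relay=[ip]" messages; the function names are mine.

```shell
#!/bin/sh
# Added example (not code from the thread): the check a fail2ban
# sendmail-auth jail performs, written out as shell so the logic is visible.
# It scans a maillog for sendmail AUTH failures, counts them per client IP
# and lists every IP at or above a threshold; a second function turns that
# list into iptables DROP commands for port 25 (printed, not executed).

# Print "count ip" for each IP with at least $2 AUTH failures in log $1,
# highest count first (threshold defaults to 5).
auth_failure_offenders() {
    logfile="$1"
    threshold="${2:-5}"
    # Keep only sendmail AUTH failure lines, pull the relay IP out of each,
    # then count occurrences per IP.
    grep 'sendmail\[[0-9]*\]: .*AUTH failure' "$logfile" \
      | sed -n 's/.*relay=[^[]*\[\([0-9.]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Emit one DROP rule per offender.  Loopback is skipped so webmail on the
# same host can never lock itself out.
offenders_to_rules() {
    auth_failure_offenders "$1" "$2" \
      | awk '$2 != "127.0.0.1" {
               printf "iptables -I INPUT -p tcp --dport 25 -s %s -j DROP\n", $2 }'
}

# Constructed sample maillog for this example (not real traffic).  The lines
# follow the shape of sendmail's "AUTH failure ... relay=[ip]" messages;
# compare against your own /var/log/maillog before relying on the pattern.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  4 08:01:11 mx sendmail[2101]: t24E1Bxx002101: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): user not found: checkpass failed, user=admin, relay=[203.0.113.5]
Mar  4 08:01:13 mx sendmail[2102]: t24E1Dxx002102: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): user not found: checkpass failed, user=test, relay=[203.0.113.5]
Mar  4 08:01:15 mx sendmail[2103]: t24E1Fxx002103: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): user not found: checkpass failed, user=sales, relay=[203.0.113.5]
Mar  4 08:02:00 mx sendmail[2110]: t24E20xx002110: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): user not found: checkpass failed, user=info, relay=[198.51.100.7]
Mar  4 08:05:40 mx sendmail[2120]: t24E5exx002120: from=<alice@example.net>, size=1832, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.9]
Mar  4 08:06:02 mx sendmail[2131]: t24E62xx002131: AUTH=server, relay=webmail [127.0.0.1], authid=w_hairst, mech=LOGIN, bits=0
EOF
}
```

Run `write_sample_log /tmp/maillog.sample; offenders_to_rules /tmp/maillog.sample 3` to see the one rule the sample produces; fail2ban adds the time window and the automatic unban on top of this.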
 
Old 03-04-2015, 09:34 AM   #5
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
If the only "login" is from the local host, you could set the sendmail configuration to only listen on localhost, rather than the default of any network connection.

You can also use IP tables to just drop any connection to port 25 on any interface EXCEPT "lo".
 
Old 03-04-2015, 07:21 PM   #7
w_hairst
LQ Newbie
 
Registered: Feb 2015
Posts: 19

Original Poster
Rep: Reputation: 0
The tough part of the configuration is that it needs to accept incoming mail (addressed to accounts on this server) on port 25, while not permitting any AUTH attempt to succeed if it's not coming from localhost. I'm not positive that an AUTH command from localhost needs to be permitted - I'll have to look at SquirrelMail's requirements for outgoing mail.

Ideally I'd like to tarpit the illegitimate AUTH attempts, as an attempt to slow down the crackers. My second choice would be to simply not allow AUTH attempts on non-localhost connections.
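One way to get the second choice (accept mail on 25, refuse AUTH unless the client is localhost), as an added example that is not from the thread: sendmail 8.13 and later look up a `Srv_Features:` tag in the access map, and an uppercase `A` there means "do not offer AUTH" while lowercase `a` offers it. The helper below writes those entries; it assumes `FEATURE(`access_db')` is already in sendmail.mc, that the access file is /etc/mail/access, and that the feature letters are as documented in sendmail's cf/README (check your version). The function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: stop offering SMTP AUTH to any client
# other than the loopback address while still accepting inbound mail on
# port 25.  This uses the Srv_Features: tag of sendmail's access map
# (sendmail 8.13 or later, with FEATURE(`access_db') in sendmail.mc), where
# an uppercase letter disables a feature and a lowercase one enables it;
# "A"/"a" is AUTH.  Key and value must be separated by a TAB.  Clients that
# are not offered AUTH are refused if they send the command anyway.
# The access file path is an assumption; /etc/mail/access is the usual one.

# Rewrite the Srv_Features entries of access file $1 (default /etc/mail/access).
write_srv_features() {
    access_file="${1:-/etc/mail/access}"
    tab="$(printf '\t')"
    # Drop any earlier Srv_Features entries so the function is idempotent.
    if [ -f "$access_file" ]; then
        grep -v '^Srv_Features:' "$access_file" > "$access_file.tmp" || true
    else
        : > "$access_file.tmp"
    fi
    {
        cat "$access_file.tmp"
        # Loopback keeps AUTH so webmail on the same host can still send.
        printf 'Srv_Features:127.0.0.1%sa\n' "$tab"
        # Default for every other client: do not offer AUTH.  Mail for local
        # recipients is still accepted, since delivery never involves AUTH.
        printf 'Srv_Features:%sA\n' "$tab"
    } > "$access_file"
    rm -f "$access_file.tmp"
}

# Number of Srv_Features entries in access file $1 (used as a sanity check).
count_srv_features() {
    grep -c '^Srv_Features:' "$1"
}

# Rebuild the hashed map so the running sendmail sees the change.
rebuild_access_map() {
    access_file="${1:-/etc/mail/access}"
    makemap hash "$access_file" < "$access_file"
}
```

After `write_srv_features` and `rebuild_access_map`, an `ehlo` from a remote host should no longer list AUTH, while `telnet localhost 25` still does.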
 