This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SMTP Attacks - Block/Blacklist IP

Hi guys,

I am failing to find an effective way to blacklist of IP addresses that are generating reoccurring SMTP attacks (Brute force password guessing).

Sophos is used as a Relay host for Exchange.

Please note that I do not want to create deny rules in the firewall and make a complete mess.

I have blacklisted the IP address into:
Email Protection > SMTP > Relaying Tab > Host/Network Blacklist
however though this seems to not be having any effect as the same IP address are generating more attacks.
Sophos blocks them for 600 sec after to many passwords guessing but that is just not enough.

Is there any way I can maintain IP blacklist on the WAN interface without messing up with IP Tables?

This thread was automatically locked due to age.

0 Scott_Klassen over 9 years ago

At Definitions & Users>>Authentication Services>>Advanced Tab, increase the block access time.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 GZgidnick over 9 years ago

Lovely mate. This forum rules!
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago

GZ, it sounds like you have an incorrect configuration. Your setup should be similar to Exchange with SMTP Proxy.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 GZgidnick over 9 years ago

Hi Bob,

The double checked the setup as per your list and is all good.

Thanks
Mariano
Cancel
Vote Up 0 Vote Down

Cancel
0 GZgidnick over 9 years ago

The block is valid for up to 86400. (Users>>Authentication Services>>Advanced Tab)
They keep bugging me again after 24hours.

So there isn't any Quick-access-IP-ban-list is it?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago

GZ, I sent you there for an overall evaluation. In fact, there's no reason that folks should have an opportunity to login to your SMTP relay. The only thing that should be allowed to relay off the SMTP Proxy is your Exchange server. Transparent mode should NOT be enabled.

Cheers - Bob
PS This appears to be the answer to your other question or ???

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 GZgidnick over 9 years ago

Hi Bob,

Thats precisely hows setup, however other hosts are still presented with the opportunity to attempt to logon onto the Relay. And furthermore, although I maintain a host blacklist, the very same blacklisted hosts are allowed logon attempts once the timeout expires.
- stmp.png
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 vilic over 9 years ago
Hi GZgidnick,

You are right, in my Telnet SMTP testing blacklisted hosts are rejected after RCPT TO command, but UTM allows them AUTH LOGIN which comes earlier in SMTP communication.

SMTP command order is like:
[LIST=1]
HELO/EHLO
AUTH LOGIN (optional)
MAIL FROM
RCPT TO
DATA
QUIT
[/LIST]

From UTM logs:
2014:09:01-11:52:54 utm exim-in[30205]: 2014-09-01 11:52:54 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="*.*.111.140" from="vilic@****" to="vilic@***" size="-1" reason="host_blacklist" extra="*.*.111.140 blacklisted"
2014:09:01-11:52:54 utm exim-in[30205]: 2014-09-01 11:52:54 H=(test.test.com) [*.*.111.140]:61829 F= rejected RCPT vilic@****: Access denied (host blacklisted)

2014:09:01-11:59:05 utm exim-in[30379]: 2014-09-01 11:59:05 server_login authenticator failed for (test.test.com) [*.*.111.140]:62020: 535 Incorrect authentication data (set_id=vilic)
Cancel
Vote Up 0 Vote Down

Cancel
0 vilic over 9 years ago

Blackhole DNAT is your solution (as someone else mentioned here on your another thread).

DNAT:
SMTP spammers (Network group) -> SMTP -> External (WAN) -> Change destination to fake host (1.1.1.1).

After that spammers IPs will not be available to even make connection to port 25 (scrshot).
Cancel
Vote Up 0 Vote Down

Cancel
0 Sascha Paris over 9 years ago

The built-in automatic blocking feature works quite nice, but there are some possible enhancements which you may vote in our feature request portal for...

http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/5415110-global-bot-script-kiddie-brute-force-ip-blackl

and

Network Security: Block Malicious/Botnet/Bad IP's using Blacklist "Service"

/Sascha
Cancel
Vote Up 0 Vote Down

Cancel