Sendmail: how to limit number of auth requests?

Had (another) hacker trying to abuse sendmail auth today. The attempt was noticed by sshguard and the IP address blocked using a PF table. BUT the remote end never dropped the connection, and the PF rule only triggers on a NEW connection, so the hacker was able to continue sending auth trials for several hours before I noticed. I'd restarted sendmail, but service sendmail restart doesn't kill existing MTA connections (which is not at all what I expected). I manually killed the offending process and now PF is doing its work.

Code:
root      5722   0.0  0.1  47648   2760 ??  I     2:54PM     0:00.12 sendmail: s99Lsb2G005722 static-153-130-73-69.nocdirect.com [69.73.130.153]: AUTH (sendmail)
This is a terrible security hole.

Questions:
* Is there a way to get sendmail to close the MTA after an unsuccessful AUTH attempt?
* Should sshguard tell PF to terminate any existing connections when a block is submitted?
* Should restarting sendmail also kill any existing MTA sessions?

What is the right way to deal with this problem?
 
Here's a patch that fixes the sshguard side of the world. When sshguard bans an IP address, it should also flush that address's state. Then when the remote end tries to continue, it'll be forced back through PF and hit the new rule. Unfortunately we need to disable the multi-address list optimization because only one state address can be flushed at a time.

Code:
--- src/fwalls/command_pf.h.orig        2014-10-10 13:26:40.426551874 -0700
+++ src/fwalls/command_pf.h     2014-10-10 13:31:46.977546696 -0700
@@ -39,3 +39,3 @@
  */
-#define COMMAND_BLOCK       PFCTL_PATH "/pfctl -Tadd -t sshguard $SSHG_ADDR"
+#define COMMAND_BLOCK       PFCTL_PATH "/pfctl -k $SSHG_ADDR -Tadd -t sshguard $SSHG_ADDR"

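Review bot: the new COMMAND_BLOCK line folds the state kill and the table add into one pfctl invocation, so the order in which pfctl actually performs `-k $SSHG_ADDR` and `-Tadd -t sshguard $SSHG_ADDR` is decided by pfctl, not by the order of the flags on the command line, and a failed table add would still leave the state flushed and the peer free to reconnect unblocked. Consider issuing two commands, the table add first and then `pfctl -k $SSHG_ADDR`, so the block is in place before the state is flushed, and check the exit status of each; also note that a single `-k` argument kills states by source address, which is what is wanted for an inbound attacker but will also drop any legitimate sessions from that address.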
@@ -47,3 +47,3 @@
  */
-#define COMMAND_BLOCK_LIST  PFCTL_PATH "/pfctl -Tadd -t sshguard `echo $SSHG_ADDR | tr ',' ' '`"
+#define OLD_COMMAND_BLOCK_LIST  PFCTL_PATH "/pfctl -Tadd -t sshguard `echo $SSHG_ADDR | tr ',' ' '`"

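Review bot: renaming COMMAND_BLOCK_LIST to OLD_COMMAND_BLOCK_LIST leaves a dead macro in the header rather than removing the list path; if the intent is that sshguard no longer finds COMMAND_BLOCK_LIST and falls back to per-address COMMAND_BLOCK, delete the define (or comment it out) and say why in the comment block that ends just above it (the ` */` context line), i.e. that `pfctl -k` takes one address per invocation so the list form cannot flush state, otherwise the next reader will not know whether the rename was deliberate.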
I'd still like to be able to throttle sendmail's auth after N attempts if anyone knows how to do that. Something like the apache max_requests_per_child parameter.
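The manual clean-up described in the thread (find the sendmail children still serving an AUTH session from a banned address, add the address to the PF table, flush its state, and kill the children) written out as a small POSIX sh script. This is an added example, not code from the forum post or from sshguard. It assumes the FreeBSD `ps auxww` column layout shown in the post, the table name `sshguard` used by the patch, and the pfctl(8) syntax `pfctl -t TABLE -T add ADDR` and `pfctl -k ADDR`; the ps output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post or sshguard): ban an address in PF,
# flush its state, and kill sendmail children still in AUTH with it.

# Constructed sample of `ps auxww` output, modelled on the post's line.
# Field 11 is the start of COMMAND; sendmail sets its child title to
#   "sendmail: <queue-id> <host> [<ip>]: <phase> (sendmail)".
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root      5722   0.0  0.1  47648   2760 ??  I     2:54PM     0:00.12 sendmail: s99Lsb2G005722 static-153-130-73-69.nocdirect.com [69.73.130.153]: AUTH (sendmail)
root      5801   0.0  0.1  47648   2760 ??  I     2:55PM     0:00.03 sendmail: t00Abc12005801 mail.example.org [192.0.2.10]: DATA (sendmail)
root      5803   0.0  0.1  47648   2760 ??  I     2:56PM     0:00.05 sendmail: s99Lsc3H005803 static-153-130-73-69.nocdirect.com [69.73.130.153]: AUTH (sendmail)
root       851   0.0  0.1  47648   2760 ??  Ss    1:00PM     0:01.00 sendmail: accepting connections (sendmail)'

# auth_pids_for ADDR: read ps output on stdin, print one PID per line for
# every sendmail child in the AUTH phase whose peer is exactly ADDR.
# The "[ADDR]:" match is bounded by the brackets, so 69.73.130.15 does
# not match 69.73.130.153.
auth_pids_for() {
    addr="$1"
    awk -v addr="$addr" '
        / sendmail: / && index($0, "[" addr "]:") && / AUTH / { print $2 }
    '
}

# ban_and_drop ADDR [TABLE]: add ADDR to the PF table, flush its state,
# then kill the sendmail AUTH children from it.  Table add comes first so
# the block rule is in place before the state is flushed; a reconnect in
# between would otherwise be accepted.  Set DRY_RUN=1 to only print.
ban_and_drop() {
    addr="$1"
    table="${2:-sshguard}"
    if [ -z "$DRY_RUN" ] && ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; not a PF host" >&2
        return 1
    fi
    run() { if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi; }
    run pfctl -t "$table" -T add "$addr" || return 1   # block new connections
    run pfctl -k "$addr" || return 1                   # drop states from addr
    for pid in $(ps auxww | auth_pids_for "$addr"); do
        run kill "$pid"                                # end the live AUTH session
    done
}

# Demonstration against the constructed sample (safe to run anywhere).
printf '%s\n' "$SAMPLE_PS" | auth_pids_for 69.73.130.153
```

Running the script prints `5722` and `5803`, the two AUTH sessions from the banned address; the DATA session from 192.0.2.10 and the listening parent are left alone. On a real host, `DRY_RUN=1 ban_and_drop 69.73.130.153` prints the pfctl and kill commands it would run.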
 