The idea is not to build a 100% foolproof solution. The idea is to limit the attack surface.
Let's say you have 3 users with really crappy passwords:

Username    | Password    | First login
Postmaster  | retsamtsoP  | USA
GoodUser    | Password123 | Germany
AnotherUser | qwertyuiop  | Denmark

Now let's say you implement my suggestion. A bot from China or Russia will never be able to crack those accounts, because the GeoIP check will fail the authentication, so even with the correct username/password those accounts will still say failed. Even if they take a long shot and use a TOR node or VPN from the USA, they will still only have a chance against the Postmaster account, nothing else.

So you greatly limit the attack surface, since the attacker must "be" in the same region as the attacked account to even have a chance to succeed. That there are some false positives doesn't matter, because those people must still have the real account name and password to succeed, and they must know which accounts are really GeoIP'd to that country.

If all users are in the same country, you simply GeoIP in the firewall, and then port 587 will be closed and invisible for every host except from the right country, so bots that are scanning large IP series will just skip over your server.

-----Original message-----
From: Exim-users <[email protected]> on behalf of Niels Dettenbach via Exim-users
Sent: 19 February 2019 20:00
To: [email protected]; Sebastian Nielsen <[email protected]>
Cc: 'Odhiambo Washington' <[email protected]>
Subject: Re: [exim] Spam though my server

On Tuesday, 19 February 2019 at 15:57:07 CET, Sebastian Nielsen via Exim-users wrote:
> Most better firewalls do have a built-in country/GeoIP database, if not,
> you can easily add one.

GeoIP is far from "reliable" for any SMTP/MTA, as there is no geolocation of an IP address. It offers only a "probably in this country" info in the context of an IP address (user). This means the amount of false positives in practice is significant, except if users come from "known" AS networks or RIR assignments / route info. So this may (!) help/work in small and/or very defined network topologies.

I know the situation in Germany is a bit different, as the internet topology / "market" is very "centralized" here, but even in Germany many less known IP access products / services available get "geo-resolved" over other (usually western) countries / regions by GeoIP (even the commercial version). I know of many African and Asian mail providers who use "US", "European" or "Canadian" IPs for their service to get around "problems" with such geo-blocking solutions. Proper geolocation of IPs is a "science by itself", but still far from reliable.

Many brute force attack attempts against our exim systems (Germany+Luxembourg) are currently coming from France and Germany today.

For smaller systems, solutions like fail2ban could help "far":

https://www.fail2ban.org/wiki/index.php/Exim

But even here: be aware of possible "bad cases" where i.e. larger NAT networks "use" the service and "sloppy" user clients generate false positives.

Besides Exim functionality (see Exim DOS prevention, incl. the resource "reserve" subsystem), firewall rules to slow out "too much" of newly initiated sessions within a time window could help.

But brute force attacks are normal / usual on larger SMTP services today - important is to make it difficult to prevent any success of such attacks (even distributed ones) and "DOS effects" of them and similar attacks.

good luck,

niels.

-- 
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
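The per-account GeoIP gate Sebastian describes, written out as an added example (not code from the thread or from Exim): the client only ever sees a single pass/fail, while the server-side reason lets the operator measure the false positives Niels warns about (VPN, NAT, mis-geolocated ranges). The GeoIP table and the account store are constructed here from documentation address ranges and the thread's example users; a real deployment would consult a GeoIP database and a hashed password store.

```python
"""Per-account GeoIP gate for SMTP AUTH (added example, not from the thread)."""
import hmac
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed GeoIP table: prefix -> ISO country code. Uses RFC 5737
# documentation ranges; a real check would query a GeoIP database.
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "DK",
}

# Constructed account store mirroring the thread's three users:
# username -> (password, country of first login).  Cleartext passwords are
# kept only to match the thread's table; a real store holds hashes.
ACCOUNTS: Dict[str, Tuple[str, str]] = {
    "Postmaster":  ("retsamtsoP",  "US"),
    "GoodUser":    ("Password123", "DE"),
    "AnotherUser": ("qwertyuiop",  "DK"),
}


def lookup_country(ip: str) -> Optional[str]:
    """Longest-prefix-free lookup over the constructed table; None = unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


def authenticate(username: str, password: str, client_ip: str) -> Tuple[bool, str]:
    """Return (allowed, server_side_reason).

    Only `allowed` is reflected to the SMTP client, so a correct password
    from the wrong country is indistinguishable from a wrong password.
    The reason string goes to the operator's log, where a rising count of
    "geoip" failures for real users reveals GeoIP false positives.
    """
    record = ACCOUNTS.get(username)
    if record is None:
        return False, "failed:unknown-user"
    expected_password, allowed_cc = record
    failed = []
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        failed.append("password")
    if lookup_country(client_ip) != allowed_cc:   # unknown country also fails
        failed.append("geoip")
    return (not failed, "ok" if not failed else "failed:" + ",".join(failed))
```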
