On 9/22/2019 12:59 PM, Bill Cole wrote:
> On 20 Sep 2019, at 17:12, Daniel Miller wrote:
>> I'm seeing some higher levels of attempted logins from various
>> sources. Are there any automated filters that are suggested?
> The Spamhaus SBL and XBL are safe for use on submission ports, as is the
> Surriel 'PSBL.' It's possible for innocent infectees to get listed on
> those DNSBLs or to coincidentally get a dynamic IP formerly held by an
> infected device, but that is a manageable problem. Fail2ban is also
> useful against credential-stuffer attacks.
Definitely helpful - thank you.
>> Or do I simply add a check_client_a_access and reference a manually
>> maintained blacklist?
> If you do use a manual local blacklist for this (as I do on my personal
> system) it is most useful to apply it at the network level: either in
> your router/firewall or in a host-local packet filter (e.g. iptables,
> ipfw, etc) because rejecting auth attempts at the application level is
> relatively heavy compared to dropping SYNs. If your user population is
> relatively small and homogeneous (e.g. a family or small business mail
> system) you can block *almost* all of the Internet from port 587 and 465
> with no damage. Even if you need to support "road warrior" users who
> might log in from anywhere in the world, there are still some very large
> networks that host lots of credential-stuffers and no legitimate mail
> submission or IMAP users that can be blocked safely to good effect: AWS,
> Azure, GCP, Digital Ocean, etc.
I totally concur that if an IP deserves blocking for one service it
generally does so for all - anyone attempting to brute-force any service
on my server has no need to ever touch it again.
Is there a "simple" table of such "credential-stuffer" network addresses
I can load on my router for blocking?
--
Daniel
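As an added example, not part of this thread or of any tool mentioned in it, the following Python script shows the network-level approach Bill describes: a hand-maintained blocklist of prefixes and a small allowlist of known-good client ranges are parsed, merged, checked against each other, and rendered as an nftables ruleset that drops new connections to ports 465 and 587 from blocked sources before the MTA sees them. The table name `mailsub`, the list formats, and all addresses (RFC 5737 / RFC 3849 documentation prefixes) are assumptions constructed for the example; the overlap check exists because a wholesale block of a hosting provider, as suggested in the thread, can also catch a legitimate "road warrior" user who happens to connect from inside that range.

```python
import ipaddress

# Submission ports discussed in the thread: SMTPS (465) and STARTTLS submission (587).
SUBMISSION_PORTS = (465, 587)

# Constructed sample lists (documentation prefixes only, not real credential-stuffer ranges).
SAMPLE_BLOCKLIST = """\
# manually maintained blocklist: one address or prefix per line, '#' starts a comment
192.0.2.0/24        # constructed: a "cloud provider" range
192.0.2.128/25      # constructed: overlaps the line above and must be merged
198.51.100.0/24
2001:db8:1::/48
not-a-prefix        # constructed typo: must be reported, not silently dropped
203.0.113.0/24
"""

SAMPLE_ALLOWLIST = """\
198.51.100.42       # constructed: a road-warrior user's static IP inside a blocked range
2001:db8:fe::/64
"""


def parse_prefixes(text):
    """Parse one address or prefix per line, skipping blanks and comments.
    Returns (networks, bad) where bad lists (line_number, text) entries that
    failed to parse, so a typo in a hand-maintained list is visible."""
    nets, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, line))
    return nets, bad


def find_overlaps(blocklist, allowlist):
    """Return (blocked, allowed) pairs where an allowlisted range lies inside,
    around, or across a blocklisted range; these entries deserve review."""
    return [(b, a) for b in blocklist for a in allowlist
            if a.version == b.version and b.overlaps(a)]


def merged(nets, version):
    """Collapse overlapping/adjacent prefixes of one IP version into a sorted
    list of strings; nftables interval sets reject overlapping elements."""
    return [str(n) for n in ipaddress.collapse_addresses(
        n for n in nets if n.version == version)]


def nft_ruleset(blocklist, allowlist, ports=SUBMISSION_PORTS):
    """Render an nftables ruleset (hypothetical table name 'mailsub') that
    accepts allowlisted sources on the submission ports and drops new
    connections (SYNs) to those ports from blocklisted sources."""
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    sets = {
        "allow4": merged(allowlist, 4), "allow6": merged(allowlist, 6),
        "block4": merged(blocklist, 4), "block6": merged(blocklist, 6),
    }
    out = ["table inet mailsub {"]
    for name, elems in sets.items():
        addr_type = "ipv4_addr" if name.endswith("4") else "ipv6_addr"
        body = f"type {addr_type}; flags interval;"
        if elems:  # an empty 'elements' clause is a syntax error, so omit it
            body += " elements = { " + ", ".join(elems) + " };"
        out.append(f"  set {name} {{ {body} }}")
    out += [
        "  chain input {",
        "    type filter hook input priority filter; policy accept;",
        f"    tcp dport {port_set} ip saddr @allow4 accept",
        f"    tcp dport {port_set} ip6 saddr @allow6 accept",
        f"    tcp dport {port_set} ct state new ip saddr @block4 drop",
        f"    tcp dport {port_set} ct state new ip6 saddr @block6 drop",
        "  }",
        "}",
    ]
    return "\n".join(out) + "\n"


def build(block_text=SAMPLE_BLOCKLIST, allow_text=SAMPLE_ALLOWLIST):
    """Parse both lists and return (ruleset, bad_lines, overlaps)."""
    block, bad_b = parse_prefixes(block_text)
    allow, bad_a = parse_prefixes(allow_text)
    return nft_ruleset(block, allow), bad_b + bad_a, find_overlaps(block, allow)


if __name__ == "__main__":
    ruleset, bad, hits = build()
    for lineno, text in bad:
        print(f"# unparseable entry on line {lineno}: {text!r}")
    for b, a in hits:
        print(f"# review: allowlisted {a} falls within blocklisted {b}")
    print(ruleset)
```

The allow rules are placed before the drop rules so a user inside a blocked provider range still gets through; the script only prints the ruleset, and loading it (for instance with `nft -f`) is left to the operator so that the unparseable-entry and overlap reports can be read first.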