网普技术论坛

Author: 网普科技 (forum administrator)
Title: Exim Dictionary Attack ACL for cPanel [ZT]
#1 Exim Dictionary Attack ACL for cPanel [ZT]

Exim Dictionary Attack ACL for cPanel

What is it?

A common technique for spammers to use is what is known as a dictionary attack on a domain. A dictionary attack, in our context, is a single SMTP connection that attempts to send email from a spam source to a random set of names on our domain, e.g. bob@ourdomain.com, fred@ourdomain.com, harry@ourdomain.com, in the hope that one of the many hundreds that we try will get a hit and deliver our spam.

This technique is used by spammers mainly because most people don't advertise their email addresses (due to spam!) and they want to access this untapped market.

To counter this we've developed the following Dictionary Attack ACL for the Exim mail server for free, with specific instructions on how to use it on a cPanel server. It has been developed so that it not only stops an active dictionary attack, but also prevents further attempts to send email to our server from the spammer's IP address.

How does it work?

The ACL has two main functions - the detection and the block.

We detect a dictionary attack by checking the number of failed RCPT commands issued during a single SMTP connection. The RCPT command is part of the SMTP protocol that tells the receiving server who the email is for. Since, in a dictionary attack, only configured email addresses will be accepted**, rejections at this stage indicate a dictionary attack if they're more than just a mistake. We set this level, by default, to 4 hits and you're out. This means that we provide an appropriate error to the sending server and drop the SMTP connection - this is often enough for the attack to cease.

We block a dictionary attack by performing an additional action after detection. This action runs a perl script that appends the spamming server's IP address to a file (if it isn't already present). In an additional ACL we check any sending server's IP address against the IPs in the deny file and, if present, simply drop the connection.

How do I implement it on a cPanel server?

While we're not aware of any significant bugs, there's no guarantee or warranty provided with the script. We also do not provide any support for it. If you require support and contact us, there may be a charge for any work or advice provided. If you want support, we offer a cheap package to do it all for you over here.

You use it at your own risk.

    * You need to grab the small perl script that maintains the deny file:
      wget http://www.configserver.com/free/exim_deny.txt
      mv exim_deny.txt /etc/exim_deny.pl
    * You then need to set appropriate file permissions and ownership on it and create an empty deny file:
      touch /etc/exim_deny
      touch /etc/exim_deny_whitelist
      chown mailnull:mail /etc/exim_deny /etc/exim_deny.pl /etc/exim_deny_whitelist
      chmod 700 /etc/exim_deny.pl
      chmod 600 /etc/exim_deny /etc/exim_deny_whitelist
    * Nearly there. You now need to add the ACL to the exim configuration file. This is best done through the WHM Exim Configuration Editor so that it isn't overwritten if cPanel upgrades exim:
      WHM > Exim Configuration Editor > Switch to Advanced Mode
    * Now scroll down to the first set of three textboxes in a row. The second textbox will already contain ACLs, and it is into this one that you need to add these two new ones. You need to add the following code after the following line, with a clear empty line after each segment:
          accept hosts = :
    * So, including that line, it should look like:
          accept hosts = :

          drop hosts = /etc/exim_deny
              !hosts = /etc/exim_deny_whitelist
              message = Connection denied after dictionary attack
              log_message = Connection denied from $sender_host_address after dictionary attack
              !hosts = +relay_hosts
              !authenticated = *

          drop message = Appears to be a dictionary attack
              log_message = Dictionary attack (after $rcpt_fail_count failures)
              condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
              condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
              !verify = recipient
              !hosts = /etc/exim_deny_whitelist
              !hosts = +relay_hosts
              !authenticated = *

          # Accept bounces to lists even if callbacks or other checks would fail
    * Then scroll to the bottom of the page and click Save
    * You should confirm that you can both send and receive email through your server
    * Then create a CRON job that cleans out old entries in the database of IP addresses so that they don't build up (and in case any innocent mistakes have someone's IP address blocked). This can easily be done by creating a symbolic link to the perl script to run it as often as you want to clean out the old IPs. The script has been designed to only clean out entries that are older than the interval that you choose. To create an hourly CRON job:
      ln -s /etc/exim_deny.pl /etc/cron.hourly/

That's basically it. You can monitor whether it is effective by searching the exim reject log for the term "dictionary attack" with:

    grep "dictionary attack" /var/log/exim_mainlog

You can also list the IP addresses in the /etc/exim_deny file.

If you want to whitelist specific IP addresses you can add them each on their own line within /etc/exim_deny_whitelist.

** Note: The dictionary attack ACL will not work if you have your domain's Default Address set to anything other than :fail: because, by definition, if you accept catchall email, there's nothing to bounce. You should also always use :fail: in preference to :blackhole: because :fail: rejects email to invalid recipients at the RCPT stage of SMTP mail processing.

To remove the need for a Default Address in cPanel, you should set up any email addresses that you use, in addition to your Mail accounts, as Forwarders to those Mail accounts. Once done, you can then set the Default Address to :fail:.

For an explanation as to why you should always use :fail: and not :blackhole: we have a page here with the details.

If you used :blackhole: in the past for all your domains, you can quickly substitute :fail: instead using:

    replace :blackhole: :fail: -- /etc/valiases/*

While we are happy to provide these scripts for free, we are a small outfit that runs on a slim margin. If you do decide to use them, we'd be eternally grateful for any donation you think might express your gratitude so that we can continue to develop and provide them:

That's it. If you don't feel confident doing any of this yourself, or if you get into a horrible mess, we offer a cheap package to do it all for you over here.

Version: 1.3 - 5th February 2005
Instructions: 1st August 2005



Posted: 2005-12-21 10:21 PM
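The "How does it work?" section and the two ACL statements above describe three moving parts: a per-connection failed-RCPT threshold, a script that records the offending IP once, and a cron run that ages entries out. The following Python model is an added example written for this page; it is not the configserver.com exim_deny.pl script and not cPanel code. Assumed, and not stated by the post: the deny and whitelist files hold one IP per line (the format Exim reads for `hosts = /path`), first-seen times are kept in a separate JSON sidecar so the cleanup can age entries, the cleanup interval is one hour, and the sender address 203.0.113.7 is a constructed value from the documentation range.

```python
import json
import os
import tempfile
import time
from dataclasses import dataclass

THRESHOLD = 3          # from the ACL: ${if > {$rcpt_fail_count}{3}{yes}{no}}
EXPIRE_SECONDS = 3600  # assumed cleanup interval; the post leaves the choice to you

def read_hosts(path):
    """Entries of a one-IP-per-line host file; blank lines and '#' comments ignored."""
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}

def _write_hosts(path, hosts):
    """Rewrite atomically with mode 600 (the post's chmod); Exim reads it on every connection."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("".join(h + "\n" for h in sorted(hosts)))
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)

def _load_stamps(path):
    """First-seen time per IP in a JSON sidecar (assumed; not the Perl script's format)."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)

def _save_stamps(path, stamps):
    with open(path, "w") as fh:
        json.dump(stamps, fh)

def add_to_deny(ip, deny_path, stamps_path, now=None):
    """The Perl script's job on each ACL hit: record the IP unless already present.
    Returns True only when the IP was newly added."""
    now = time.time() if now is None else now
    hosts = read_hosts(deny_path)
    if ip in hosts:
        return False
    _write_hosts(deny_path, hosts | {ip})
    stamps = _load_stamps(stamps_path)
    stamps[ip] = now
    _save_stamps(stamps_path, stamps)
    return True

def expire_deny(deny_path, stamps_path, max_age=EXPIRE_SECONDS, now=None):
    """The cron cleanup: remove entries older than max_age. Returns the removed IPs."""
    now = time.time() if now is None else now
    stamps = _load_stamps(stamps_path)
    hosts = read_hosts(deny_path)
    removed = sorted(ip for ip in hosts if now - stamps.get(ip, now) > max_age)
    for ip in removed:
        stamps.pop(ip, None)
    _write_hosts(deny_path, hosts - set(removed))
    _save_stamps(stamps_path, stamps)
    return removed

@dataclass
class RcptEvent:
    sender_ip: str
    rcpt_fail_count: int      # Exim's $rcpt_fail_count: failed RCPTs so far this connection
    recipient_valid: bool     # what `verify = recipient` would return
    authenticated: bool = False
    relay_host: bool = False  # member of +relay_hosts

def acl_verdict(ev, deny_path, whitelist_path, stamps_path, now=None):
    """Model the two `drop` statements from the post, conditions in the order written.
    Returns ("drop", message) or ("continue", None) to fall through to the rest of the ACL."""
    # Both statements exempt whitelisted IPs, relay hosts and authenticated clients.
    if ev.sender_ip in read_hosts(whitelist_path) or ev.relay_host or ev.authenticated:
        return ("continue", None)
    # First statement: the IP is already in the deny file from an earlier attack.
    if ev.sender_ip in read_hosts(deny_path):
        return ("drop", "Connection denied after dictionary attack")
    # Second statement: more than THRESHOLD failed RCPTs this session. The ${run}
    # condition precedes `!verify = recipient`, so the IP is recorded before the
    # recipient check, even if this particular RCPT would have verified.
    if ev.rcpt_fail_count > THRESHOLD:
        add_to_deny(ev.sender_ip, deny_path, stamps_path, now)
        if not ev.recipient_valid:
            return ("drop", "Appears to be a dictionary attack")
    return ("continue", None)

def main():
    """Constructed walk-through in a temporary directory, not the real /etc files."""
    d = tempfile.mkdtemp()
    deny, white, stamps = (os.path.join(d, n) for n in ("exim_deny", "exim_deny_whitelist", "stamps.json"))
    attacker = "203.0.113.7"  # constructed sender address from the documentation range
    for fails in range(5):    # five RCPTs in one connection, all to unknown mailboxes
        print(fails, "prior failures ->", acl_verdict(RcptEvent(attacker, fails, False), deny, white, stamps))
    print("next connection ->", acl_verdict(RcptEvent(attacker, 0, True), deny, white, stamps))
    print("cleanup later ->", expire_deny(deny, stamps, now=time.time() + 2 * EXPIRE_SECONDS))

if __name__ == "__main__":
    main()
```

Two details worth noting when reading this against the ACL. The first three failed RCPTs fall through, the fourth is rejected by Exim's normal recipient verification, and only the fifth RCPT (evaluated with `$rcpt_fail_count` at 4) trips the drop, which is the "4 hits and you're out" behaviour the post describes. Because the `${run}` condition is listed before `!verify = recipient`, the model records the IP as soon as the count is exceeded; if the deny file is ever rewritten rather than appended to, it should be replaced atomically, as `_write_hosts` does, so Exim never reads a half-written host list.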