nsantin
New Contributor III

Best approach to block SMTP brute force attack

Hi All, my mail server (Exchange) is getting a number of brute force AUTH login attempts. What have others done to prevent this? Should I create a custom IPS signature with a "RATE" option on port 25? Or should I set up some type of DoS sensor on tcp sync (or other DoS option?). Here is a snippet of my SMTP log to expose the guilty; as you can see it's mass connection attempts from a single IP at a time. My Windows server logs show the actual failed authentication attempts and the logins they are trying (sales, support, orders, info, etc.)

2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5672 76 10 1094 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5656 76 10 1063 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5812 76 10 1219 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5812 76 10 1218 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5937 76 10 1343 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5968 76 10 1375 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 6063 76 10 1485 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5797 76 10 1219 SMTP - - - -
2013-10-11 18:18:51 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:51 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:51 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:51 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5734 76 10 1109 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5859 76 10 1266 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5719 76 10 1094 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5766 76 10 1094 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5797 76 10 1094 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5782 76 10 1063 SMTP - - - -
2013-10-11 18:18:54 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 16 SMTP - - - -
2013-10-11 18:18:54 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5813 76 10 1094 SMTP - - - -
2013-10-11 18:18:55 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5937 76 10 1140 SMTP - - - -
2013-10-11 18:18:55 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5890 76 10 1078 SMTP - - - -
2013-10-11 18:18:55 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5922 76 10 1110 SMTP - - - -
2013-10-11 18:18:55 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 6031 76 10 1140 SMTP - - - -
2013-10-11 18:18:56 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5922 76 10 1109 SMTP - - - -
2013-10-11 18:18:58 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5875 76 10 1078 SMTP - - - -
2013-10-11 18:18:58 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5937 76 10 1125 SMTP - - - -
2 REPLIES
harald21
Contributor

Hello, we solved this issue successfully with a DoS sensor for SMTP connections and a custom IPS signature for POP3 connections.

F-SBID( --name POP3.Brute.Force; --protocol tcp; --service POP3; --flow from_server,reversed; --pattern "-ERR [AUTH] Password supplied"; --rate 10,180; --track src_ip; )

Sincerely, Harald
nsantin
New Contributor III

Thanks Harald! Using your POP sample I made the following adjustments to make an SMTP-specific signature as well.

F-SBID( --name "SMTP.Brute.Force"; --pattern "AUTH LOGIN"; --service SMTP; --no_case; --context header; --rate 10,180; --track src_ip; )

This, with the POP signature and the DoS sensor, seems to be the best combination.
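As an added example, not part of either post on this page and not Fortinet's code: the per-source rate logic behind `--rate 10,180; --track src_ip` can be reproduced offline against the Exchange/IIS SMTP log format shown in the question, which is a cheap way to tune the threshold and window on real traffic before committing them to a signature or DoS sensor. The Python script below parses the 21-field W3C layout the snippet uses, counts EHLO commands per client IP in a sliding window (an assumption for this example: the IIS log records EHLO/QUIT rather than the AUTH exchange, so EHLO is taken as the start of a session; point `methods` at whatever command your log actually records), and reports the first timestamp at which a source reaches the threshold. The log lines, hostnames and the `w3c_line` helper are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Sliding-window rate detection over IIS SMTP (W3C extended) log lines.

Mirrors the per-source rate logic of an IPS signature with
`--rate 10,180; --track src_ip`: flag a source IP once it produces
`threshold` matching commands inside any `window_seconds` span.
All sample data below is constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Sequence, Tuple

# Positions in the 21-field W3C layout the IIS SMTP service writes
# (date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method ...).
DATE, TIME, CLIENT_IP, METHOD = 0, 1, 2, 8


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, client_ip, method) for one data line.

    W3C directive lines (#Software, #Fields, ...) and truncated or
    malformed lines yield None so the caller can skip them safely.
    """
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) <= METHOD:
        return None
    try:
        ts = datetime.strptime(f"{fields[DATE]} {fields[TIME]}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, fields[CLIENT_IP], fields[METHOD]


def find_rate_offenders(
    lines: Iterable[str],
    threshold: int = 10,
    window_seconds: int = 180,
    methods: Sequence[str] = ("EHLO",),
) -> Dict[str, datetime]:
    """Return {source_ip: time it first reached `threshold` hits in the window}.

    Lines are assumed to be in chronological order, as IIS writes them. Each
    source keeps only the timestamps still inside the trailing window, so
    memory is bounded by `threshold`, not by the size of the log. A source
    is reported once, at the event that crossed the threshold.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, method = parsed
        if method not in methods or ip in flagged:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop hits that fell out of the trailing window (ts itself is always kept).
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = ts
    return flagged


def w3c_line(date: str, time: str, ip: str, method: str) -> str:
    """Build a constructed line in the same 21-field layout as the question's snippet."""
    status = "250" if method == "EHLO" else "240"
    return (f"{date} {time} {ip} MAILHOST SMTPSVC1 MAIL01 10.0.0.16 0 {method} - "
            f"+MAILHOST {status} 0 306 15 0 SMTP - - - -")


def build_sample_log() -> List[str]:
    """Constructed sample: one bursting source, one normal source, one bad line."""
    data: List[str] = []
    # 203.0.113.9: twelve EHLO/QUIT sessions inside eight seconds (the brute-force pattern).
    for i in range(12):
        t = f"18:18:{50 + i // 2:02d}"
        data.append(w3c_line("2013-10-11", t, "203.0.113.9", "EHLO"))
        data.append(w3c_line("2013-10-11", t, "203.0.113.9", "QUIT"))
    # 198.51.100.20: three ordinary sessions spread over ten minutes.
    for t in ("18:10:00", "18:13:00", "18:20:00"):
        data.append(w3c_line("2013-10-11", t, "198.51.100.20", "EHLO"))
    data.append("2013-10-11 18:19:00 198.51.100.20 truncated")  # malformed, must be skipped
    directives = ["#Software: Microsoft Internet Information Services 6.0", "#Version: 1.0"]
    return directives + sorted(data)  # same date, zero-padded time: string sort is chronological


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, when in find_rate_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the rate threshold at {when:%Y-%m-%d %H:%M:%S}")
```

Running it against the constructed sample flags only 203.0.113.9, at its tenth EHLO; the three-session source never accumulates ten hits inside 180 seconds. Replaying a day of real logs with different `threshold`/`window_seconds` values shows how many legitimate senders (mailing-list relays, monitoring probes) a given signature setting would also catch, which is the number to know before enabling a block action.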