Best approach to block SMTP brute force attack

Author: nsantin
2013/10/11 16:01:16


Hi All,

My mail server (Exchange) is getting a number of brute-force AUTH login attempts.

What have others done to prevent this? Should I create a custom IPS signature with a "RATE" option on port 25?

Or should I set up some type of DoS sensor on TCP SYN (or another DoS option)?

Here is a snippet of my SMTP log to expose the guilty; as you can see, it's mass connection attempts from a single IP at a time. My Windows server logs show the actual failed authentication attempts and the logins they are trying (sales, support, orders, info, etc.).

2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5672 76 10 1094 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5656 76 10 1063 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5812 76 10 1219 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5812 76 10 1218 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5937 76 10 1343 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5968 76 10 1375 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 6063 76 10 1485 SMTP - - - -
2013-10-11 18:18:50 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5797 76 10 1219 SMTP - - - -
2013-10-11 18:18:51 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:51 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:51 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:51 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5734 76 10 1109 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5859 76 10 1266 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5719 76 10 1094 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5766 76 10 1094 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5797 76 10 1094 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -
2013-10-11 18:18:52 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5782 76 10 1063 SMTP - - - -
2013-10-11 18:18:54 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 EHLO - +361OPERADB 250 0 306 15 16 SMTP - - - -
2013-10-11 18:18:54 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5813 76 10 1094 SMTP - - - -
2013-10-11 18:18:55 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5937 76 10 1140 SMTP - - - -
2013-10-11 18:18:55 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5890 76 10 1078 SMTP - - - -
2013-10-11 18:18:55 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5922 76 10 1110 SMTP - - - -
2013-10-11 18:18:55 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 6031 76 10 1140 SMTP - - - -
2013-10-11 18:18:56 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5922 76 10 1109 SMTP - - - -
2013-10-11 18:18:58 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5875 76 10 1078 SMTP - - - -
2013-10-11 18:18:58 97.86.64.162 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 QUIT - 361OPERADB 240 5937 76 10 1125 SMTP - - - -



harald21 (Troisdorf/Germany)
RE: Best approach to block SMTP brute force attack 2013/10/14 00:54:58
Hello,

We solved this issue successfully with a DoS sensor for SMTP connections and a custom IPS signature for POP3 connections.

F-SBID( --name POP3.Brute.Force; --protocol tcp; --service POP3; --flow from_server,reversed; --pattern "-ERR [AUTH] Password supplied"; --rate 10,180; --track src_ip; )

Sincerely
Harald
nsantin
RE: Best approach to block SMTP brute force attack 2013/10/15 07:20:26
Thanks Harald!

Using your POP sample, I made the following adjustments to make an SMTP-specific signature as well.

F-SBID( --name "SMTP.Brute.Force"; --pattern "AUTH LOGIN"; --service SMTP; --no_case; --context header; --rate 10,180; --track src_ip; )

This, with the POP signature and the DoS sensor, seems to be the best combination.


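The rate-and-track logic both signatures rely on (`--rate 10,180; --track src_ip;`) can be checked offline against the IIS SMTP log format shown in the first post, which is useful for tuning the threshold before enabling a blocking signature. The following Python is an added example written for this thread, not code from either poster or from Fortinet; the log lines in it are constructed and use documentation addresses rather than the IP from the thread.

```python
"""Rolling-window rate check over IIS SMTP (W3C) log lines.
Does offline what a FortiGate signature with '--rate 10,180; --track src_ip;'
does inline: flag a source IP once it opens `limit` SMTP sessions within any
`window` seconds. Added example for this thread; sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

# Field order of the IIS SMTP service log as it appears in the thread's snippet.
FIELDS = ["date", "time", "c_ip", "cs_username", "s_sitename", "s_computername",
          "s_ip", "s_port", "cs_method", "cs_uri_stem", "cs_uri_query",
          "sc_status", "sc_win32_status", "sc_bytes", "cs_bytes", "time_taken"]

def parse_line(line):
    """Parse one log line into a dict; None for '#' comment lines or short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_bruteforcers(lines, limit=10, window=180, method="EHLO"):
    """Return {src_ip: 'YYYY-MM-DD HH:MM:SS'} with the time each IP first hit the limit.

    Per-IP timestamps sit in a deque; entries older than `window` seconds are
    dropped before the count is compared to `limit` (rolling window, like the
    IPS --rate option). Lines must be chronological per IP. The thread's snippet
    shows only EHLO/QUIT, so session opens (EHLO) are counted by default; pass
    method="AUTH" on a log that records AUTH commands.
    """
    events, hits = defaultdict(deque), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["cs_method"] != method:
            continue
        q = events[rec["c_ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= limit and rec["c_ip"] not in hits:
            hits[rec["c_ip"]] = rec["ts"].strftime("%Y-%m-%d %H:%M:%S")
    return hits

# Constructed sample (documentation IPs): one host opens 12 sessions in 12 s, another 3.
LINE = ("2013-10-11 {t} {ip} 361OPERADB SMTPSVC1 WEBSAN08 10.0.0.16 0 "
        "EHLO - +361OPERADB 250 0 306 15 0 SMTP - - - -")
SAMPLE = [LINE.format(t="18:18:%02d" % (40 + i), ip="192.0.2.10") for i in range(12)]
SAMPLE += [LINE.format(t="18:%02d:00" % m, ip="198.51.100.5") for m in (10, 20, 30)]
```

Running `find_bruteforcers(SAMPLE)` flags only 192.0.2.10, at its tenth EHLO; lowering `window` to a few seconds clears it, which is the knob to turn if a legitimate relay trips the signature.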