I recently suffered from SASL login authenticator attacks. In exim’s log file, an attempt may look like this,
2022-09-28 07:27:15 login_saslauthd_server authenticator failed for ([127.0.1.3]) [18.104.22.168]: 535 Incorrect authentication data (set_id=marketing)
At first I tried to block the attacks by inserting rules to the firewall manually, but it became unpractical, as the attacker uses a too broad spectrum of IPs.
The solution was fail2ban,
$ sudo apt-get install fail2ban
Create /etc/fail2ban/jail.d/exim.conf and add,
[exim] port = smtp,465,submission logpath = %(exim_main_log)s enabled = true bantime = 2d findtime = 1d maxretry = 1
bantime is the time the IP is blocked by the firewall. findtime is the time fail2ban searches the log files for recurrences.
I adjusted bantime and findtime to reflect the nature of the attacks. I’m not showing real values here, of course, as I don’t want to disclose strategic information to the attacker. Use the MTA logs to estimate how often an IP is used and adjust the two parameters accordingly.
If the log files are rotated faster than findtime, you may do two things: 1) Change the log rotation frequency by editing /etc/logrotate.d/exim4-base and changing “daily” to “weekly” or “monthly”. 2) Edit /etc/fail2ban/jail.d/exim.conf and add the entry exim_main_log to read,
exim_main_log = /var/log/exim/mainlog /var/log/exim/mainlog.1
including current and previously rotated log files. The newline is necessary.
Restart the fail2ban daemon after changes,
$ sudo systemctl restart fail2ban
To list the banned IPs,
$ sudo fail2ban-client status exim
and to list the rules in the chain,
$ sudo iptables -L f2b-exim -v -n --line-numbers