1. sshguard Avatar sshguard
  2. sshguard
  3. sshguard
  4. Issues

PROPOSAL: support sendmail greet_pause errors

Issue #131 new
Former user created an issue

Sendmail allows a greet_pause setting which delays the MTA initial HELO to the remote server. A compliant MTA is supposed to wait for HELO before sending any commands. When greet_pause is enabled, non-compliant MTAs (often, but not always, spammers) are rejected.

Enabling greet_pause can reduce spam, but can lose mail from non-compliant MTAs.

Enabling greet_pause support in sshguard can reduce (dramatically) spammer traffic, but can also lock out non-compliant MTAs.

System: sendmail, freebsd-12.1, sshguard-2.4.1

Example patterns: w3D2jErB076643: showerscomputer0april.bid [89.144.0.155] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4 w3C700Om010007: ip24.ip-167-114-161.net [167.114.161.24] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA w3D3Gmd8099213: static-215.56.93.111-tataidc.co.in [111.93.56.215] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

Context Diff: *** src/parser/attack_parser.y.orig Tue Jun 23 16:01:26 2020 --- src/parser/attack_parser.y Sat Aug 29 15:48:58 2020

81,86 --- 81,88 ---- / sendmail / %token SENDMAIL_RELAYDENIED_PREF SENDMAIL_RELAYDENIED_SUFF %token SENDMAIL_AUTHFAILURE_PREF SENDMAIL_AUTHFAILURE_SUFF + / sendmail greetpause / + %token SENDMAIL_GREETPAUSE_PREF SENDMAIL_GREETPAUSE_SUFF / postfix */ %token POSTFIX_NO_AUTH_PREF POSTFIX_SASL_LOGINERR_PREF POSTFIX_SASL_LOGINERR_SUFF %token POSTFIX_GREYLIST POSTFIX_GREYLIST_SUFF

281,287 *

sendmailmsg: SENDMAIL_RELAYDENIED_PREF addr SENDMAIL_RELAYDENIED_SUFF ! | SENDMAIL_AUTHFAILURE_PREF addr SENDMAIL_AUTHFAILURE_SUFF; ;

postfixmsg: --- 283,290 ----

sendmailmsg: SENDMAIL_RELAYDENIED_PREF addr SENDMAIL_RELAYDENIED_SUFF ! | SENDMAIL_AUTHFAILURE_PREF addr SENDMAIL_AUTHFAILURE_SUFF ! | SENDMAIL_GREETPAUSE_PREF addr SENDMAIL_GREETPAUSE_SUFF ;

postfixmsg:

*** src/parser/attack_scanner.l.orig Tue Jun 23 16:01:26 2020 --- src/parser/attack_scanner.l Sat Aug 29 15:53:07 2020

40,47 %s ssh_notallowed ssh_reversemap ssh_disconnect ssh_badproto ssh_badkex cockpit_authfail / for SSHGuard / %s sshguard_attack sshguard_block ! / for Mail services / ! %s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr exim_esmtp_loginerr sendmail_relaydenied sendmail_authfailure postfix_loginerr postfix_greylist opensmtpd_failedcmd / for FTP services / %s freebsdftpd_loginerr proftpd_loginerr pureftpd_loginerr vsftpd_loginerr / for HTTP services / --- 40,47 ---- %s ssh_notallowed ssh_reversemap ssh_disconnect ssh_badproto ssh_badkex cockpit_authfail / for SSHGuard / %s sshguard_attack sshguard_block ! / for Mail services + sendmail greetpause / ! %s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr exim_esmtp_loginerr sendmail_relaydenied sendmail_authfailure sendmail_greetpause postfix_loginerr postfix_greylist opensmtpd_failedcmd / for FTP services / %s freebsdftpd_loginerr proftpd_loginerr pureftpd_loginerr vsftpd_loginerr / for HTTP services */

231,243 "SMTP protocol error in \"AUTH LOGIN\" H="({HOSTNAME}" ")?"(".") [" { BEGIN(exim_esmtp_loginerr); return EXIM_ESMTP_LOGINFAIL_PREF; } <exim_esmtp_loginerr>"] "("AUTH command used when not advertised"|"LOGIN authentication mechanism not supported") { BEGIN(INITIAL); return EXIM_ESMTP_LOGINFAIL_SUFF; }

! / Sendmail / "Relaying denied. IP name lookup failed [" { BEGIN(sendmail_relaydenied); return SENDMAIL_RELAYDENIED_PREF; } <sendmail_relaydenied>"]" { BEGIN(INITIAL); return SENDMAIL_RELAYDENIED_SUFF; }

! / Sendmail / [A-Za-z0-9]+": AUTH failure ("[A-Za-z0-9-]+"): ".+"relay="."[" { BEGIN(sendmail_authfailure); return SENDMAIL_AUTHFAILURE_PREF; } <sendmail_authfailure>"]". { BEGIN(INITIAL); return SENDMAIL_AUTHFAILURE_SUFF; }

/ dovecot / ("(libdovecot."[0-9.]+".dylib) ")?(imap|pop3)"-login: ""Info: "?("Aborted login"|Disconnected)" (auth failed, "{NUMBER}" attempts"."): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; } --- 231,251 ---- "SMTP protocol error in \"AUTH LOGIN\" H="({HOSTNAME}" ")?"(".") [" { BEGIN(exim_esmtp_loginerr); return EXIM_ESMTP_LOGINFAIL_PREF; } <exim_esmtp_loginerr>"] "("AUTH command used when not advertised"|"LOGIN authentication mechanism not supported") { BEGIN(INITIAL); return EXIM_ESMTP_LOGINFAIL_SUFF; }

! / Sendmail relaying / "Relaying denied. IP name lookup failed [" { BEGIN(sendmail_relaydenied); return SENDMAIL_RELAYDENIED_PREF; } <sendmail_relaydenied>"]" { BEGIN(INITIAL); return SENDMAIL_RELAYDENIED_SUFF; }

! / Sendmail auth failure / [A-Za-z0-9]+": AUTH failure ("[A-Za-z0-9-]+"): ".+"relay="."[" { BEGIN(sendmail_authfailure); return SENDMAIL_AUTHFAILURE_PREF; } <sendmail_authfailure>"]". { BEGIN(INITIAL); return SENDMAIL_AUTHFAILURE_SUFF; } + + / Sendmail greetpause / + / add sendmail greetpause / + / w3D2jErB076643: showerscomputer0april.bid [89.144.0.155] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4 / + / w3C700Om010007: ip24.ip-167-114-161.net [167.114.161.24] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA / + / w3D3Gmd8099213: static-215.56.93.111-tataidc.co.in [111.93.56.215] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4 / + [A-Za-z0-9]+": "[^[]"[" { BEGIN(sendmail_greetpause); return SENDMAIL_GREETPAUSE_PREF; } + <sendmail_greetpause>"]"(" (may be forged)")?" did not issue MAIL/EXPN/VRFY/ETRN during connection". { BEGIN(INITIAL); return SENDMAIL_GREETPAUSE_SUFF; }

/ dovecot / ("(libdovecot."[0-9.]+".dylib) ")?(imap|pop3)"-login: ""Info: "?("Aborted login"|Disconnected)" (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }

*** src/parser/tests.txt.orig Tue Jun 23 16:01:26 2020 --- src/parser/tests.txt Sat Aug 29 15:49:17 2020

517,519 * --- 517,531 ---- May 9 11:11:17 sshd[30876]: Invalid user www from 139.59.34.17 port 51066 100 139.59.34.17 4 10 M + + # Sendmail greetpause + w3D2jErB076643: showerscomputer0april.bid [89.144.0.155] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4 + 250 89.144.0.155 4 10 + M + w3C700Om010007: ip24.ip-167-114-161.net [167.114.161.24] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA + 250 167.114.161.24 4 10 + M + w3D3Gmd8099213: static-215.56.93.111-tataidc.co.in [111.93.56.215] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4 + 250 111.93.56.215 4 10 + M +

Comments (0)

  1. Log in to comment
Assignee
Type
proposal
Priority
minor
Status
new
Component
parser
Votes
0
Watchers
None
Jira: the preferred issue tracker for Bitbucket. Join the team!