Bugtraq archives for 1st quarter (Jan-Mar) 1999: Re: SMTP server account probing

Re: SMTP server account probing

Scott Fendley (dsfcomp.uark.edu)
Tue, 9 Mar 1999 16:16:13 -0600

Couldn't you just compile sendmail with tcp_wrapper support, and have a
script parsing your logs so that if someone manages to get n # of pokes at
your system then their IP address and/or DNS server will be placed in the
hosts.deny.  Then as an admin you remove those that need to be removed
after the problem user has been properly slapped or you could possibly run
an automatic removal of k # of hours (or days).  I think some of our good
programmers out there could easily write up something that will help
prevent these users from even getting to sendmail and causing it to fork
or anything.

Anything I am missing here?

Scott




On Tue, 9 Mar 1999 Valdis.KletnieksVT.EDU wrote:

> On Tue, 09 Mar 1999 09:36:04 PST, you said:
> > Perhaps someone with better sendmail experience could come up with an idea
> > to automatically disconnect connections that are issuing more than 25 VRFY
> > statements at a time?
>
> Wrong solution.  They'll just reconnect and try another 25.  All you've bought
> then is an extra fork() of the sendmail daemon every 25 pokes.  Remember,
> these people don't give a s**t if they waste your resources...
>
> Maybe what's needed is a new ioctl on a socket, so you can do this:
>
>     if (vrfy_cnt > 25) {
>         ioctl(net_socket,SO_NOSENDFIN);
>         close(net_socket);
>     }
>
> so you can free up the socket at YOUR end, and intentionally fail to
> send the FIN packet, so the OTHER end gets to wait for a timeout.
>
> Yes, yes, yes, I *KNOW* it's Evil and Against The RFCs.  But it's tempting. ;)
>
> --
> 				Valdis Kletnieks
> 				Computer Systems Senior Engineer
> 				Virginia Tech
>
>
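Scott's log-parsing suggestion above, as an added example that is not code from the thread: a script that counts VRFY probes per source in sendmail syslog lines, emits tcp_wrappers hosts.deny entries once a source reaches n pokes, and drops them again after k hours. The log line shape, the addresses in the sample log and the threshold are assumed or constructed.

```python
"""Constructed example: turn sendmail VRFY probe log lines into time-limited
tcp_wrappers hosts.deny entries. Log format and addresses are assumptions."""
import re
import time
from collections import Counter

# Assumed shape of a sendmail VRFY log line; match your own site's format.
VRFY_RE = re.compile(r"sendmail\[\d+\]: NOQUEUE: \S+ \[(?P<ip>[\d.]+)\]: VRFY ")


def count_vrfy_by_ip(lines):
    """Return a Counter of VRFY attempts keyed by client IP address."""
    hits = Counter()
    for line in lines:
        m = VRFY_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def offenders(counts, threshold):
    """IPs that reached the threshold (the 'n # of pokes'), sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def update_blocklist(blocked, new_ips, now, ttl_seconds):
    """blocked maps ip -> epoch seconds when it was first blocked.
    Expired entries are dropped (the automatic removal after k hours) and
    new offenders are added; an already-blocked IP keeps its original time."""
    updated = {ip: t for ip, t in blocked.items() if now - t < ttl_seconds}
    for ip in new_ips:
        updated.setdefault(ip, now)
    return updated


def hosts_deny_lines(blocked):
    """Render tcp_wrappers hosts.deny lines in 'daemon: client' form."""
    return [f"sendmail: {ip}" for ip in sorted(blocked)]


# Constructed sample log: 192.0.2.10 probes three accounts, 198.51.100.7 one.
SAMPLE_LOG = """Mar  9 16:10:01 mx sendmail[4711]: NOQUEUE: probe.example [192.0.2.10]: VRFY root
Mar  9 16:10:02 mx sendmail[4711]: NOQUEUE: probe.example [192.0.2.10]: VRFY postmaster
Mar  9 16:10:03 mx sendmail[4711]: NOQUEUE: probe.example [192.0.2.10]: VRFY guest
Mar  9 16:10:05 mx sendmail[4712]: NOQUEUE: host.example [198.51.100.7]: VRFY alice
Mar  9 16:10:09 mx sendmail[4713]: NOQUEUE: host.example [198.51.100.7]: MAIL From:<a@b>
""".splitlines()

if __name__ == "__main__":
    blocked = update_blocklist({}, offenders(count_vrfy_by_ip(SAMPLE_LOG), 3),
                               time.time(), 24 * 3600)
    print("\n".join(hosts_deny_lines(blocked)))
```

In practice the script would merge its output into the real hosts.deny on each run and keep the block times in a small state file so that expiry survives restarts.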