# Sendmail: how to limit number of auth requests?



## aupanner (Oct 10, 2014)

Had (another) hacker trying to abuse sendmail auth today.  The attempt was noticed by `sshguard` and the IP address blocked using a `PF` table.  *BUT* the remote end never dropped the connection and the pf rule only triggers on a *NEW* connection so the hacker was able to continue sending auth trials for several hours before I noticed.  I'd restarted `sendmail`, but `service sendmail restart` doesn't kill existing MTA connections (which is not at all what I expected).  I manually killed the offending process and now `PF` is doing its work.


```
root      5722   0.0  0.1  47648   2760 ??  I     2:54PM     0:00.12 sendmail: s99Lsb2G005722 static-153-130-73-69.nocdirect.com [69.73.130.153]: AUTH (sendmail)
```
This is a terrible security hole.  

Questions:
* Is there a way to get `sendmail` to close the MTA after an unsuccessful AUTH attempt?  
* Should `sshguard` tell `PF` to terminate any existing connections when a block is submitted?
* Should restarting `sendmail` also kill any existing MTA sessions?

What is the right way to deal with this problem?


----------



## aupanner (Oct 10, 2014)

Here's a patch that fixes the `sshguard` side of the world.  When `sshguard` bans an IP address, it should also flush that address's state.  Then when the remote end tries to continue, it'll be forced back through PF and hit the new rule.  Unfortunately we need to disable the multi-addr list optimization because only one state addr can be flushed at a time.


```
--- src/fwalls/command_pf.h.orig        2014-10-10 13:26:40.426551874 -0700
+++ src/fwalls/command_pf.h     2014-10-10 13:31:46.977546696 -0700
@@ -39,3 +39,3 @@
  */
-#define COMMAND_BLOCK       PFCTL_PATH "/pfctl -Tadd -t sshguard $SSHG_ADDR"
+#define COMMAND_BLOCK       PFCTL_PATH "/pfctl -k $SSHG_ADDR -Tadd -t sshguard $SSHG_ADDR"

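Review bot: the new COMMAND_BLOCK folds the table add and the state kill into one pfctl invocation, and pfctl decides the order of those two actions internally rather than from the argument order, so the sequence the post relies on (address in the table first, then `-k` so a reconnect hits the rule) is not expressed by this line. Two chained commands make it explicit: `PFCTL_PATH "/pfctl -Tadd -t sshguard $SSHG_ADDR && " PFCTL_PATH "/pfctl -k $SSHG_ADDR"`. It would also help to note in the comment above the define that a single `-k $SSHG_ADDR` kills the states originating from that address, which covers the inbound SMTP sessions described in the post.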
@@ -47,3 +47,3 @@
  */
-#define COMMAND_BLOCK_LIST  PFCTL_PATH "/pfctl -Tadd -t sshguard `echo $SSHG_ADDR | tr ',' ' '`"
+#define OLD_COMMAND_BLOCK_LIST  PFCTL_PATH "/pfctl -Tadd -t sshguard `echo $SSHG_ADDR | tr ',' ' '`"
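Review bot: renaming COMMAND_BLOCK_LIST to OLD_COMMAND_BLOCK_LIST leaves a dead macro behind, and the comment closed by the ` */` context line above still documents a define that no longer exists; whether list mode is really disabled also depends on how sshguard tests for COMMAND_BLOCK_LIST, which this hunk does not show. Either delete the define and update the comment, or keep the batched table add and loop the state kill per address after it, e.g. `; for a in `echo $SSHG_ADDR | tr ',' ' '`; do pfctl -k $a; done`, so the list optimization the post says it had to give up can stay.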
```

I'd still like to be able to throttle sendmail's auth after N attempts if anyone knows how to do that.  Something like the apache max_requests_per_child parameter.
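The same "add to the table, then flush the existing states" sequence as a stand-alone POSIX sh function, written here as an added example rather than sshguard's own code. It keeps the comma-separated list mode by doing one table add for all addresses and one `pfctl -k` per address, and it checks each address before handing it to a shell command, since the address text originates in log parsing. The table name `sshguard`, the `PFCTL` variable and the `block_addrs` / `is_addr` names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not sshguard's code.  PFCTL can be pointed at a stub
# for a dry run; it defaults to the real binary.
: "${PFCTL:=/sbin/pfctl}"
PF_TABLE=sshguard          # assumed table name, matches the post

# Accept only plain IPv4 or IPv6 literals (no masks, no spaces, no
# shell metacharacters): the value comes out of log parsing.
is_addr() {
    case "$1" in
        *[!0-9a-fA-F.:]*|'') return 1 ;;
    esac
    case "$1" in
        *.*.*.*) return 0 ;;   # dotted IPv4
        *:*)     return 0 ;;   # IPv6 literal
    esac
    return 1
}

# block_addrs "1.2.3.4,5.6.7.8"
#   1. add every valid address to the table in one pfctl call
#   2. kill the states originating from each address, one -k per call,
#      so sessions that are already open are forced back through pf
block_addrs() {
    addrs=$(printf '%s' "$1" | tr ',' ' ')
    valid=''
    for a in $addrs; do
        if is_addr "$a"; then
            valid="$valid $a"
        else
            printf 'skipping malformed address: %s\n' "$a" >&2
        fi
    done
    [ -n "$valid" ] || return 1
    # $valid is deliberately unquoted: a space-separated address list
    "$PFCTL" -t "$PF_TABLE" -T add $valid || return 1
    for a in $valid; do
        "$PFCTL" -k "$a" || return 1
    done
}

# Usage: block.sh "addr1,addr2"; no action when run without arguments.
[ $# -eq 0 ] || block_addrs "$1"
```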


----------



## aupanner (Oct 15, 2014)

Thanks!  That helps.  My hacker was sending requests just under the 5m limit.


----------

