How do I stop mail hacking attempts?

The logs on my mail server are full of authorization attempts from bots. Quite often, there will be hundreds of attempts in 2 or 3 minutes from the same IP trying various email addresses on both SMTP and POP. How do I stop these?

I have the following rules set up in the router to handle the SMTP side (note: the actual IP address has been replaced with 1.2.3.4 in this example):

/ip firewall filter
#---- Our outgoing mail server is susceptible to exploit, especially if someone's email account is compromised. So, let's block outgoing mail that meets some criteria
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward dst-address=1.2.3.4 comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25 limit=20/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-address=1.2.3.4 dst-port=25 protocol=tcp src-address-list=spammers

The problem is, nothing is ever added to the address-list so the second rule is doing nothing. How do I fix this? I contacted Mikrotik support and this is the response I got:

Please try to use either connection-limit or limit on your rule but not both at the same time.

However, this does not seem to be correct.

Any help is greatly appreciated!

Thanks,
Chris

Maybe there is some accept rule before it. Also, put the drop rule before the add-to-list rule.

You must protect at the mail server level first.
Implement fail2ban in your email server and integrate it with ROS following these instructions: http://wiki.mikrotik.com/wiki/Use_Mikrotik_as_Fail2ban_firewall

Really, what I wanted to do was flag any IP addresses that tried, for example, 5 connections in a given time period. The previous rule was not working because it was blocking too many legitimate connections. I could not find the proper combination of connection-limit, packet limit and whatnot. Nothing worked.

Since there is no way to track the number of connections in a given time frame, I did this:

/ip firewall mangle
add action=add-src-to-address-list address-list=SMTP_Con5 chain=prerouting in-interface=ether1 dst-address=1.2.3.4 protocol=tcp dst-port=25,587,10025 src-address-list=SMTP_Con4 address-list-timeout=1m connection-state=new
add action=add-src-to-address-list address-list=SMTP_Con4 chain=prerouting in-interface=ether1 dst-address=1.2.3.4 protocol=tcp dst-port=25,587,10025 src-address-list=SMTP_Con3 address-list-timeout=20 connection-state=new
add action=add-src-to-address-list address-list=SMTP_Con3 chain=prerouting in-interface=ether1 dst-address=1.2.3.4 protocol=tcp dst-port=25,587,10025 src-address-list=SMTP_Con2 address-list-timeout=40 connection-state=new
add action=add-src-to-address-list address-list=SMTP_Con2 chain=prerouting in-interface=ether1 dst-address=1.2.3.4 protocol=tcp dst-port=25,587,10025 src-address-list=SMTP_Con1 address-list-timeout=80 connection-state=new
add action=add-src-to-address-list address-list=SMTP_Con1 chain=prerouting in-interface=ether1 dst-address=1.2.3.4 protocol=tcp dst-port=25,587,10025 src-address-list=!Pingdom address-list-timeout=160 connection-state=new

This creates 5 lists, SMTP_Con1 to SMTP_Con5. If an address has not been seen before the time limit, it is added to Con1. If the address connects again and it's on Con1, it is then added to Con2 and so forth. Then, in the firewall filter, I drop addresses on the Con5 list. This allows four connections from the same IP. Nothing legitimate has been blocked, and it has stopped the spamming/hacking attempts.

The only issue I have right now is that the list timers are reset for each address in each list if that address connects again before the address expires from the list. If anyone has any suggestions for that, I'd appreciate it!

Thanks,
Chris
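As an added illustration (not code from the thread or from MikroTik), here is a small Python model of the five staged lists above, with the same list names, timeouts and rule order, run over constructed connection timestamps. It assumes two things the posts do not state outright: add-src-to-address-list rules keep evaluating the later rules (so every matching stage fires for the same connection), and re-adding an address refreshes its timeout, which is the timer reset Chris describes.

```python
# Mangle rules in the order they appear in the post (top-down): a new SMTP
# connection from an address on src_list adds it to dst_list for timeout
# seconds; None as src_list stands for "src-address-list=!Pingdom".
RULES = [
    ("SMTP_Con4", "SMTP_Con5", 60),
    ("SMTP_Con3", "SMTP_Con4", 20),
    ("SMTP_Con2", "SMTP_Con3", 40),
    ("SMTP_Con1", "SMTP_Con2", 80),
    (None, "SMTP_Con1", 160),
]
DROP_LIST, WHITELIST = "SMTP_Con5", "Pingdom"

class AddressLists:
    """Dynamic address lists: list name -> {ip: expiry time in seconds}."""
    def __init__(self):
        self.lists = {}

    def contains(self, name, ip, now):
        entries = self.lists.get(name, {})
        if ip in entries and entries[ip] <= now:
            del entries[ip]  # entry timed out
        return ip in entries

    def add(self, name, ip, timeout, now):
        # Assumption: re-adding an address already on the list refreshes its
        # timeout, which is the timer reset described in the post.
        self.lists.setdefault(name, {})[ip] = now + timeout

def new_smtp_connection(lists, ip, now):
    """Mangle rules, then the filter drop on SMTP_Con5. True if dropped."""
    # Assumption: add-src-to-address-list does not stop rule processing, so
    # every matching stage rule fires for the same connection.
    for src_list, dst_list, timeout in RULES:
        matched = (not lists.contains(WHITELIST, ip, now) if src_list is None
                   else lists.contains(src_list, ip, now))
        if matched:
            lists.add(dst_list, ip, timeout, now)
    return lists.contains(DROP_LIST, ip, now)

def simulate(connections):
    """connections: constructed (time_seconds, ip) pairs in time order.
    Returns (time, ip, dropped) for each connection."""
    lists = AddressLists()
    return [(t, ip, new_smtp_connection(lists, ip, t)) for t, ip in connections]

if __name__ == "__main__":
    # Constructed sample: a bot opening six connections in 30 s.
    for t, ip, dropped in simulate([(t, "203.0.113.7") for t in range(0, 36, 6)]):
        print(f"t={t:2d}s {ip} {'DROP' if dropped else 'accept'}")
```

With the sample burst the first four connections are accepted and the fifth lands on SMTP_Con5 and is dropped, while a sender that connects once every ten minutes never gets past SMTP_Con1 because each entry has expired before the next connection.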