From: Jonathan W. <jw...@at...> - 2016-10-16 23:26:49
Hi all,

Our mail host logs a large number of repeated sendmail messages of the following form:

<address> did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

While isolated messages from some addresses do appear, there are a number of times where multiple messages are seen from a particular address, each within a second or so of the previous one. It's not entirely clear what the intent of these connections is, but it doesn't seem to be about sending mail. To that end, blocking the offending hosts with sshguard seems to be a worthwhile exercise.

Find below a patch which adds such a rule to sshguard 1.7.0. I have applied this to 1.6.4 and tested it successfully (I haven't deployed 1.7.0 on the server yet due to the now resolved hosts backend issue). If you feel that this is a useful addition to sshguard, please consider applying it to the repo.

Regards
jonathan

This patch against sshguard 1.7.0 adds recognition of the sendmail message <address> did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

--- a/sshguard-1.7.0/src/parser/attack_parser.y 2016-08-07 01:51:51.000000000 +0930 +++ b/sshguard-1.7.0/src/parser/attack_parser.y 2016-09-29 12:28:54.105184227 +0930 @@ -88,6 +88,7 @@ /* sendmail */ %token SENDMAIL_RELAYDENIED_PREF SENDMAIL_RELAYDENIED_SUFF %token SENDMAIL_AUTHFAILURE_PREF SENDMAIL_AUTHFAILURE_SUFF +%token SENDMAIL_NOISSUE_PREF SENDMAIL_NOISSUE_SUFF /* postfix */ %token POSTFIX_NO_AUTH_PREF POSTFIX_SASL_LOGINERR_PREF POSTFIX_SASL_LOGINERR_SUFF /* FreeBSD's FTPd */ @@ -267,7 +268,8 @@ ; sendmailmsg: - SENDMAIL_RELAYDENIED_PREF addr SENDMAIL_RELAYDENIED_SUFF; + SENDMAIL_RELAYDENIED_PREF addr SENDMAIL_RELAYDENIED_SUFF | + SENDMAIL_NOISSUE_PREF addr SENDMAIL_NOISSUE_SUFF; | SENDMAIL_AUTHFAILURE_PREF addr SENDMAIL_AUTHFAILURE_SUFF { attack->dangerousness *= 2; } ; ; --- a/sshguard-1.7.0/src/parser/attack_scanner.l 2016-08-07 01:51:51.000000000 +0930 +++ b/sshguard-1.7.0/src/parser/attack_scanner.l 2016-09-29 12:34:05.139946762 +0930 
@@ -40,7 +40,7 @@ /* for Login services */ %s ssh_notallowed ssh_loginerr ssh_reversemap ssh_disconnect ssh_badproto ssh_badkex /* for Mail services */ -%s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied sendmail_authfailure postfix_loginerr +%s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied sendmail_authfailure sendmail_noissue postfix_loginerr /* for FTP services */ %s freebsdftpd_loginerr proftpd_loginerr pureftpd_loginerr vsftpd_loginerr @@ -169,6 +169,10 @@ [A-Za-z0-9]+": AUTH failure ("[A-Za-z0-9-]+"): ".+"relay=".*"[" { BEGIN(sendmail_authfailure); return SENDMAIL_AUTHFAILURE_PREF; } <sendmail_authfailure>"]".* { BEGIN(INITIAL); return SENDMAIL_AUTHFAILURE_SUFF; } + /* Sendmail */ +.*"[" { BEGIN(sendmail_noissue); return SENDMAIL_NOISSUE_PREF; } +<sendmail_noissue>"] ".*"did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" { BEGIN(INITIAL); return SENDMAIL_NOISSUE_SUFF; } + /* dovecot */ (imap|pop3)"-login: Aborted login (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; } <dovecot_loginerr>", lip=".+ { BEGIN(INITIAL); return DOVECOT_IMAP_LOGINERR_SUFF; } |
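Review bot: In the `sendmailmsg` hunk of attack_parser.y (`@@ -267,7 +268,8 @@`), the new alternative keeps a trailing `;` (`SENDMAIL_NOISSUE_PREF addr SENDMAIL_NOISSUE_SUFF;`) directly in front of the unchanged `| SENDMAIL_AUTHFAILURE_PREF ...` line, and the rewritten relay-denied line now ends in a bare `|`, so the rule reads as if it terminated in the middle of its alternatives. Bison tolerates a `;` between alternatives (the pre-patch line already relied on that), so it builds, but the layout is clearer with `|` leading each alternative and one `;` closing the rule, e.g. `| SENDMAIL_NOISSUE_PREF addr SENDMAIL_NOISSUE_SUFF`. It would also help to say in the patch description what dangerousness this event should carry: it gets the default, whereas an AUTH failure is doubled, and a single idle connection is weaker evidence than either existing sendmail event.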
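Review bot: In the attack_scanner.l hunk at `@@ -169,6 +169,10 @@`, the prefix rule `.*"["` is not tied to a sendmail message at all: in the INITIAL state it matches any input line that contains a `[`, up to the last `[`, and since flex takes the longest match it can win over the shorter, more specific prefixes of the other services on lines that have nothing to do with sendmail. Such a line then enters `sendmail_noissue`, the `"] ".*"did not issue ..."` suffix does not match, and the line is no longer recognised as whatever attack it was, so this rule can silently disable detection for other services. Anchor the prefix the way the neighbouring AUTH-failure rule does, starting from the sendmail queue id (`[A-Za-z0-9]+": "`), and tie the prefix to the literal `did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA` text (flex trailing context, `r/s`, is the usual tool) so only the intended message is consumed; a sample line for this message in the parser test set would catch the regression.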
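As an added illustration, not part of the post or of sshguard, the repeat pattern the post describes checked in Python over constructed log lines: a parser anchored on the sendmail queue id and the literal message text (so lines from other services that merely contain `[` are ignored), and a count of addresses that produce several such connections inside a short window. The sample lines, hostnames, queue ids and addresses are constructed, and the year, threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog/sendmail shape quoted in the post;
# hosts, queue ids and addresses are made up.
SAMPLE_LOG = """\
Oct 16 23:10:01 mx sendmail[4021]: u9GNA1aa004021: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 16 23:10:02 mx sendmail[4022]: u9GNA2bb004022: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 16 23:10:02 mx sendmail[4023]: u9GNA2cc004023: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 16 23:10:05 mx sendmail[4024]: u9GNA5dd004024: mail.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 16 23:10:06 mx sshd[4100]: Invalid user admin from 203.0.113.9
Oct 16 23:11:30 mx sendmail[4025]: u9GNBUee004025: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Anchored on the sendmail tag, the queue id and the full message text, so a
# line from another service that happens to contain "[" cannot match.
NOISSUE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: [A-Za-z0-9]+: "
    r"(?:\S+ )?\[(?P<addr>[0-9A-Fa-f.:]+)\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$"
)

def parse_noissue(line, year=2016):
    """Return (timestamp, address) for a matching line, else None.
    Syslog lines carry no year, so one is assumed (2016, the post's date)."""
    m = NOISSUE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("addr")

def repeat_offenders(log_text, threshold=3, window_s=10):
    """Addresses with at least `threshold` idle connections inside any
    `window_s`-second span (threshold and window are assumed values)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_noissue(line)
        if parsed:
            ts, addr = parsed
            events[addr].append(ts)
    offenders = set()
    for addr, times in events.items():
        times.sort()
        # Slide a window of `threshold` consecutive events over the sorted times.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                offenders.add(addr)
                break
    return sorted(offenders)
```

With the sample above only 192.0.2.10 trips the default threshold; the single connection from 198.51.100.7 and the sshd line are left alone.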