On 30/06/10 15:48, Chris Davies wrote:
Alan Chandler<a...@chandlerfamily.org.uk> wrote:
I have just moved my mail server (exim4 split config based) from one
machine to another, and in doing so started examining the logs. I am
being hit with multiple attempts to relay - several a second. They come
in bursts from one host, then come from somewhere else.
On 29/06/10 11:46, Chris Davies wrote:
Fail2ban is remarkably good at helping deter probes such as relay
attempts [...]
Alan Chandler<a...@chandlerfamily.org.uk> wrote:
I suppose that I can pick up the IP addresses from
/var/log/exim4/rejectlog and then use an iptables chain [..]
Actually, fail2ban does this automatically for you. It adds a DROP for
the source IP address into its own fail2ban chain. (And later removes
them after a configurable period of time.)
Chris
Just to report: I got this set up and it's working great. I needed to make
a couple of changes to the default Debian setup, so I created two local
files.
First, /etc/fail2ban/jail.local to define the jail for exim (as it is not
included as standard in the Debian configuration). This just required a
few simple lines:
[exim]
enabled=true
port = smtp
filter = exim
logpath = /var/log/exim4/rejectlog
banaction = iptables
bantime = 86400
which bans offending IP addresses for a whole day. (This is the first day
and I want to see how big the iptables chain grows - I get the
impression that I get attacked in cycles of about a day - so I might
want to increase the ban time a bit in future.)
I also needed to change the default filter for exim, since it did
not include any attempts to use me as a relay. So I made
/etc/fail2ban/filter.d/exim.local
with the following line changed from the exim.conf file in the same
directory:
failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)
In running this for a couple of hours it has built an iptables chain of
about 50 entries. It is clear that the spammers recycle around: some of
the older members of the chain now have about 1000 hits, and the newer
entries get progressively fewer.
One downside seems to be that it creates lots of exim processes, and I
am not sure why yet. It may be open connections whose data is being dropped as a
result of the recently added iptables rule.
--
Alan Chandler
http://www.chandlerfamily.org.uk
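As an added example (not part of the thread or of fail2ban's own code), the script below checks the failregex above against a few constructed exim rejectlog lines the way fail2ban does, then applies fail2ban's maxretry/findtime rule to decide which source addresses the [exim] jail would actually ban. The <HOST> substitution pattern, the default values maxretry=3 and findtime=600, and the log lines themselves are assumptions made here; the regex is the one from the message.

```python
import re
from datetime import datetime, timedelta

# fail2ban replaces <HOST> in a failregex with a named sub-pattern before
# compiling it. This expression is an assumption modelled on fail2ban's own;
# the exact form differs between versions.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from exim.local, as posted in the thread.
FAILREGEX = r"\[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)"

# Leading "YYYY-MM-DD HH:MM:SS " timestamp that exim writes on every log line.
TS_RX = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed rejectlog lines (RFC 5737 documentation addresses, not real hosts):
# three rapid relay attempts from one host, three widely spaced Unrouteable
# rejections from another, one local_scan rejection and one unrelated rejection.
SAMPLE_REJECTLOG = [
    "2010-06-30 15:48:01 H=(mail) [192.0.2.10] F=<a@example.com> rejected RCPT <u1@example.net>: relay not permitted",
    "2010-06-30 15:48:02 H=(mail) [192.0.2.10] F=<a@example.com> rejected RCPT <u2@example.net>: relay not permitted",
    "2010-06-30 15:48:03 H=(mail) [192.0.2.10] F=<a@example.com> rejected RCPT <u3@example.net>: relay not permitted",
    "2010-06-30 15:50:10 H=host.example [198.51.100.5] F=<b@example.com> rejected RCPT <nobody@example.org>: Unrouteable address",
    "2010-06-30 16:20:10 H=host.example [198.51.100.5] F=<b@example.com> rejected RCPT <nobody@example.org>: Unrouteable address",
    "2010-06-30 16:45:10 H=host.example [198.51.100.5] F=<b@example.com> rejected RCPT <nobody@example.org>: Unrouteable address",
    "2010-06-30 15:55:00 H=(x) [203.0.113.7] F=<c@example.com> rejected by local_scan(): spam detected",
    "2010-06-30 15:56:00 H=(x) [203.0.113.7] F=<c@example.com> rejected after DATA: message too big",
]


def compile_failregex(pattern=FAILREGEX):
    """Expand <HOST> and compile, mirroring what fail2ban does with a filter."""
    return re.compile(pattern.replace("<HOST>", HOST_PATTERN))


def parse_failures(lines, pattern=FAILREGEX):
    """Return {host: [timestamps]} for every line the failregex matches.

    Lines without a parseable timestamp are ignored, as fail2ban cannot
    place them in a findtime window either."""
    rx = compile_failregex(pattern)
    failures = {}
    for line in lines:
        m = rx.search(line)
        ts_m = TS_RX.match(line)
        if not m or not ts_m:
            continue
        stamp = datetime.strptime(ts_m.group(1), "%Y-%m-%d %H:%M:%S")
        failures.setdefault(m.group("host"), []).append(stamp)
    return failures


def failure_counts(lines, pattern=FAILREGEX):
    """Matches per host, regardless of timing (the 'hits' the thread talks about)."""
    return {host: len(stamps) for host, stamps in parse_failures(lines, pattern).items()}


def hosts_to_ban(failures, maxretry=3, findtime=600):
    """Apply fail2ban's rule: ban a host once maxretry matches fall inside any
    window of findtime seconds. The defaults are assumed fail2ban defaults."""
    window = timedelta(seconds=findtime)
    banned = []
    for host, stamps in failures.items():
        stamps = sorted(stamps)
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    counts = failure_counts(SAMPLE_REJECTLOG)
    for host, n in sorted(counts.items()):
        print(f"{host:15} {n} matching rejections")
    print("would ban:", hosts_to_ban(parse_failures(SAMPLE_REJECTLOG)))
```

Note that a host can accumulate many matches (the "1000 hits" observed above) without ever being banned if they are spread more thinly than maxretry per findtime, which is why raising bantime alone does not change how quickly a slow prober gets caught; loosening findtime does.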