On 17/07/2021 21:13, Slavko via mailop wrote:
> Please, I want to ask others if these (mostly) Brazil attempts are known to
> others too, or am I a "special" target?
I seem to get continuous SMTP stuff. Work is much worse than my
personal server. But we have 10s of domains and, due to historical
reasons, the server is on a few different IP addresses.
> And finally, please can someone help me to create a fail2ban rule which
> will catch the network IP from these logs? While I am able to write my own
> f2b rules and actions, I do not know how to catch (and use) the network
> address in them and I cannot find any resource for it.
I didn't really get on with fail2ban. I do have it running, but it
pulls very little for exim.
I did write my own script to follow the exim mainlog with a bunch of
regexps and drop IP addresses into ipset. (A task for the future is to
make it work with nft natively.)
And I go for long blocks - days rather than minutes. Because most
scanning seems to happen real slow now.
Things that helped:

In exim:
  acl_connect:
    accept
      hosts = +relay_from_hosts
    accept
      hosts = +trusted_nets
    accept
      hosts = *
      delay = 6s
The 6s delay means that the connection is opened and exim waits 6 seconds
before the banner; this confuses some botnets. And the resulting `AUTH
command used when not advertised` really stands out in the logs. I've
blocked 14 IPs using this in the last 10 minutes.
Obviously somebody might write a better botnet email client ...
I'm also lucky that our usernames follow a bit of a format which isn't
the email address. Seems quite common for bots to have a few guesses
about what the username might be - again, easy to block.
I also really look for auth requests that mention users who have left -
these will never be genuine (years after), so block away.
My main motivation for getting the blocking right is to avoid having
1000s of connections from scanners, and so real mail not getting through.
--
Tim Bray
Huddersfield, GB
t...@kooky.org
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
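Added example, not Tim's script and not anything from the mailop archive: a small Python stand-in for the approach described in the reply (follow the exim mainlog with regexps, pick out scanner signatures, push the addresses into an ipset with a multi-day timeout) that also answers the quoted fail2ban question about deriving a network address from a logged IP. The log lines are constructed, modelled on exim's mainlog format with RFC 5737 documentation addresses; the username format, the list of departed users, the set name `smtp-block` and the /24 and /64 prefixes are assumptions for illustration.

```python
"""Scan exim mainlog lines for SMTP scanner signatures and emit ipset entries.

Constructed example (not the poster's script).  Signatures covered:
  - "AUTH command used when not advertised" (the 6s-delay tell in the reply)
  - authenticator failures for departed users, or for usernames that do not
    match the local username format (e.g. a bot guessing the e-mail address)
  - repeated plain authenticator failures over a threshold
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines modelled on exim's mainlog format.
SAMPLE_LOG = [
    '2021-07-17 21:13:02 SMTP protocol error in "AUTH LOGIN" H=(User) '
    '[203.0.113.5] AUTH command used when not advertised',
    '2021-07-17 21:13:05 login authenticator failed for (bot) [198.51.100.7]: '
    '535 Incorrect authentication data (set_id=info@example.org)',
    '2021-07-17 21:13:06 login authenticator failed for (bot) [198.51.100.8]: '
    '535 Incorrect authentication data (set_id=jsmith)',
    '2021-07-17 21:13:07 login authenticator failed for (laptop) [192.0.2.20]: '
    '535 Incorrect authentication data (set_id=tbray01)',
    '2021-07-17 21:13:09 1m4mWq-0001Xy-2B <= alice@example.org '
    'H=mail.example.net [192.0.2.30] P=esmtps S=1234',
]

AUTH_NOT_ADVERTISED = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*AUTH command used when not advertised")
AUTH_FAILED = re.compile(
    r"authenticator failed for .*?\[(?P<ip>[0-9a-fA-F.:]+)\].*set_id=(?P<user>[^)]+)\)")

# Assumed local policy: usernames are letters followed by two digits, never an
# e-mail address, and these accounts no longer exist.
LOCAL_USER_RE = re.compile(r"^[a-z]{2,8}\d{2}$")
DEPARTED_USERS = {"jsmith", "oldhire"}

# Reasons that justify a block on the first hit, no counting needed.
IMMEDIATE = {"auth-not-advertised", "departed-user", "bad-username-format"}


def classify(line):
    """Return (ip, reason) for a scanner-signature line, else None."""
    m = AUTH_NOT_ADVERTISED.search(line)
    if m:
        return m.group("ip"), "auth-not-advertised"
    m = AUTH_FAILED.search(line)
    if m:
        user = m.group("user")
        if user in DEPARTED_USERS:
            return m.group("ip"), "departed-user"
        if "@" in user or not LOCAL_USER_RE.match(user):
            return m.group("ip"), "bad-username-format"
        return m.group("ip"), "auth-failed"
    return None


def scan(lines, fail_threshold=3):
    """Return {ip: sorted reasons} for addresses that should be blocked.

    Plain auth failures (a real user mistyping a password) only count once
    they reach fail_threshold; the IMMEDIATE reasons block on first sight.
    """
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            ip, reason = result
            hits[ip].append(reason)
    blocked = {}
    for ip, reasons in hits.items():
        if IMMEDIATE & set(reasons) or reasons.count("auth-failed") >= fail_threshold:
            blocked[ip] = sorted(set(reasons))
    return blocked


def network_of(ip, v4_prefix=24, v6_prefix=64):
    """Containing network for an address, the 'network IP' asked about above.

    Prefix lengths are assumptions; strict=False masks host bits off."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def ipset_commands(blocked, setname="smtp-block", timeout=3 * 86400):
    """Shell commands to add each address to an ipset with a per-entry timeout.

    Assumes the set was created with 'ipset create smtp-block hash:ip timeout 0';
    the default here is three days, long blocks as the reply recommends."""
    return [f"ipset add -exist {setname} {ip} timeout {timeout}"
            for ip in sorted(blocked)]


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, network_of(ip), ",".join(reasons))
    print("\n".join(ipset_commands(scan(SAMPLE_LOG))))
```

To follow a live log, feed `scan` from a `tail -F /var/log/exim4/mainlog` pipe instead of `SAMPLE_LOG`, and pass `network_of(ip)` to a `hash:net` set if whole ranges are to be banned; fail2ban's own filters use the same kind of regex, with `<HOST>` in place of the named `ip` group.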