From: Alan Chandler on
On 30/06/10 15:48, Chris Davies wrote:
> Alan Chandler<alan(a)chandlerfamily.org.uk> wrote:
>> I have just moved my mail server (exim4 split config based) from one
>> machine to another, and in doing so started examining the logs. I am
>> being hit with multiple attempts to relay - several a second. They come
>> in bursts from one host, then come from somewhere else.
>
> On 29/06/10 11:46, Chris Davies wrote:
>> Fail2ban is remarkably good at helping deter probes such as relay
>> attempts [...]
>
> Alan Chandler<alan(a)chandlerfamily.org.uk> wrote:
>> I suppose that I can pick up the IP addressed from
>> /var/log/exim4/rejectlog and then use an iptables chain [..]
>
> Actually, fail2ban does this automatically for you. It adds a DROP for
> the source IP address into its own fail2ban chain. (And later removes
> them after a configurable period of time.)
>
> Chris
>
>

Just to report I got this set up and it's working great. I needed to make
a couple of changes to the default Debian setup, so I created two local
files.

First, /etc/fail2ban/jail.local to define the jail for exim (as it is not
included as standard in the Debian configuration). This just required a
few simple lines:

[exim]
enabled=true
port = smtp
filter = exim
logpath = /var/log/exim4/rejectlog
banaction = iptables
bantime = 86400


which bans offending IP addresses for a whole day. (This is the first day
and I want to see how big the iptables chain grows. I get the
impression that I get attacked in cycles of about a day, so I might
want to increase the ban time a bit in future.)

I also needed to change the default filter for exim, since it did
not include any attempts to use me as a relay. So I made

/etc/fail2ban/filter.d/exim.local

with the following line changed from the exim.conf file in the same
directory:

failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)

Running this for a couple of hours, it has built an iptables chain of
about 50 entries. It is clear that the spammers recycle around: some of
the older members of the chain now have about 1000 hits, and the newer
entries get progressively fewer.

One downside seems to be that it creates lots of exim processes, and I
am not sure why yet. It may be open connections with dropped data as a
result of the recently added iptables rule.

--
Alan Chandler
http://www.chandlerfamily.org.uk
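An added check, not part of Alan's post, that runs the failregex above over a few constructed exim4 rejectlog lines, expanding <HOST> the way fail2ban 0.8 does before compiling; the maxretry threshold of 3, the sample lines and the function names are assumptions, and fail2ban's findtime window is ignored.

```python
import re
from collections import Counter

# fail2ban 0.8.x replaces the <HOST> tag in a failregex with this group before
# compiling; the optional prefix copes with IPv4-mapped IPv6 forms (::ffff:a.b.c.d).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the exim.local filter discussed in the thread.
FAILREGEX = r"\[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)"

# Constructed sample rejectlog lines (not from any real server). The last line is a
# rejection the filter deliberately does not count, to show the regex's scope.
SAMPLE_REJECTLOG = """\
2010-07-01 15:58:01 H=(mail.example) [192.0.2.10] F=<a@example.com> rejected RCPT <victim@example.net>: relay not permitted
2010-07-01 15:58:02 H=(mail.example) [192.0.2.10] F=<b@example.com> rejected RCPT <other@example.net>: relay not permitted
2010-07-01 15:58:03 H=(mail.example) [192.0.2.10] F=<c@example.com> rejected RCPT <third@example.net>: relay not permitted
2010-07-01 15:58:04 H=host6.example [::ffff:198.51.100.7] F=<x@example.org> rejected RCPT <nosuch@example.net>: Unrouteable address
2010-07-01 15:58:05 H=host7.example [203.0.113.9] F=<y@example.org> rejected RCPT <me@example.net>: Sender verify failed
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> as fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def count_failures(log_text: str, failregex: str = FAILREGEX) -> Counter:
    """Map each source host to the number of rejectlog lines the filter matches."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_text: str, maxretry: int = 3, failregex: str = FAILREGEX) -> list:
    """Hosts whose match count reaches maxretry (assumed fail2ban default of 3)."""
    counts = count_failures(log_text, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_REJECTLOG))   # Counter({'192.0.2.10': 3, '198.51.100.7': 1})
    print(hosts_to_ban(SAMPLE_REJECTLOG))     # ['192.0.2.10']
```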


--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/4C2CAD10.9050704(a)chandlerfamily.org.uk
From: Joe on
On 01/07/10 15:58, Alan Chandler wrote:
>
> One downside seems to be that it creates lots of exim processes, and I
> am not sure why yet. It may be open connections with dropping data as a
> result of the recently added iptables rule
>
Some sites try many simultaneous connections. Have you got this set?

exim4/conf.d/main/02_exim-config_options:
.
.
.ifndef SMTP_ACCEPT_MAX_PER_HOST
SMTP_ACCEPT_MAX_PER_HOST = 3
.endif
smtp_accept_max_per_host = SMTP_ACCEPT_MAX_PER_HOST
.
.

If it's there, and it wasn't in mine by default, you can then set and
alter it in exim4/exim4.conf.localmacros where things are easier to find.

Don't forget you've used a delay so there may be many overlapping open
connections waiting out the timeout.

--
Joe


Archive: http://lists.debian.org/4C2CC62D.4090209(a)jretrading.com
From: lee on
On Thu, Jul 01, 2010 at 03:58:24PM +0100, Alan Chandler wrote:

> first /etc/fail2ban/jail.local to define the jail for exim (as it is
> not included as standard in the Debian configuration). This just
> required a few simple lines

> One downside seems to be that it creates lots of exim processes, and
> I am not sure why yet. It may be open connections with dropping
> data as a result of the recently added iptables rule

Just to be curious, what is the thinking/idea/advantage behind
disallowing connections by firewall rules instead of denying the
relaying or blacklisting the originating IPs through exim's
configuration?


Archive: http://lists.debian.org/20100701174344.GH8185(a)yun.yagibdah.de
From: Alan Chandler on
On 01/07/10 18:43, lee wrote:
> On Thu, Jul 01, 2010 at 03:58:24PM +0100, Alan Chandler wrote:
>
>> first /etc/fail2ban/jail.local to define the jail for exim (as it is
>> not included as standard in the Debian configuration). This just
>> required a few simple lines
>
>> One downside seems to be that it creates lots of exim processes, and
>> I am not sure why yet. It may be open connections with dropping
>> data as a result of the recently added iptables rule
>
> Just to be curious, what is the thinking/idea/advantage behind
> disallowing connections by firewall rules instead of denying the
> relaying or blacklisting the originating IPs through exim's
> configuration?
>
>

I would like to cause as much disruption to these guys as possible. My
thinking was that an immediate "Relay not permitted" allows them to move
on and try the next one (or worse, just repeat with another address on
MY connection, which I have discovered is what they like to do). On the
other hand, just dropping the packets means that they have to time out the
connection before they can move on.

After all, all this bandwidth hitting my connection does make it harder
for people to get a good response from my other services such as my web
site.

I am just a personal individual sitting at the end of my ISP's broadband
connection.

--
Alan Chandler
http://www.chandlerfamily.org.uk


Archive: http://lists.debian.org/4C2CF5BA.5090303(a)chandlerfamily.org.uk
From: Chris Davies on
lee <lee(a)yun.yagibdah.de> wrote:
> Just to be curious, what is the thinking/idea/advantage behind
> disallowing connections by firewall rules instead of denying the
> relaying or blacklisting the originating IPs through exim's
> configuration?

A firewall rule can blacklist the IP address rather than just the (SMTP)
service. From my personal perspective, that fits the bill exactly. I
just wish I'd started using fail2ban a few years ago!

Chris


Archive: http://lists.debian.org/e9jvf7xgjf.ln2(a)news.roaima.co.uk