From: Alan Chandler on 1 Jul 2010 11:00

On 30/06/10 15:48, Chris Davies wrote:
> Alan Chandler<alan(a)chandlerfamily.org.uk> wrote:
>> I have just moved my mail server (exim4 split config based) from one
>> machine to another, and in doing so started examining the logs. I am
>> being hit with multiple attempts to relay - several a second. They come
>> in bursts from one host, then come from somewhere else.
>
> On 29/06/10 11:46, Chris Davies wrote:
>> Fail2ban is remarkably good at helping deter probes such as relay
>> attempts [...]
>
> Alan Chandler<alan(a)chandlerfamily.org.uk> wrote:
>> I suppose that I can pick up the IP addresses from
>> /var/log/exim4/rejectlog and then use an iptables chain [..]
>
> Actually, fail2ban does this automatically for you. It adds a DROP for
> the source IP address into its own fail2ban chain. (And later removes
> them after a configurable period of time.)
>
> Chris
>

Just to report I got this set up and it's working great. I needed to make a couple of changes to the default Debian setup, so I created two local files.

First, /etc/fail2ban/jail.local to define the jail for exim (as it is not included as standard in the Debian configuration). This just required a few simple lines:

[exim]
enabled=true
port = smtp
filter = exim
logpath = /var/log/exim4/rejectlog
banaction = iptables
bantime = 86400

which bans offending ip addresses for a whole day. (This is the first day and I want to see how big the iptables chain grows - I get the impression that I get attacked in cycles of about a day - so I might want to increase the ban time a bit in future.)

And also I needed to change the default filter for exim, since it did not include any attempts to use me as a relay. So I made /etc/fail2ban/filter.d/exim.local with the following line changed from the exim.conf file in the same directory:

failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)

In running this for a couple of hours it has built an iptables chain of about 50 entries. It is clear that the spammers recycle around; some of the older members of the chain now have about 1000 hits and then the new entries get progressively less.

One downside seems to be that it creates lots of exim processes, and I am not sure why yet. It may be open connections with dropping data as a result of the recently added iptables rule.

--
Alan Chandler
http://www.chandlerfamily.org.uk

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/4C2CAD10.9050704(a)chandlerfamily.org.uk
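The failregex from the message above, run over a few constructed exim rejectlog lines so you can see which rejections it catches and how the per-host tally that fail2ban bans on builds up (an added example, not code from the thread or from fail2ban itself; the IPv4 pattern substituted for fail2ban's <HOST> placeholder and the maxretry threshold are assumptions):

```python
import re
from collections import Counter

# The failregex posted for filter.d/exim.local. fail2ban replaces <HOST> with
# its own host pattern; the IPv4-only pattern below stands in for it (an
# assumption, not fail2ban's exact expansion).
FAILREGEX = r"\[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)"
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Constructed sample rejectlog lines (not real log data); addresses come from
# the documentation ranges. The last line is a rejection the regex ignores.
SAMPLE_REJECTLOG = """\
2010-07-01 10:01:02 H=(example.invalid) [192.0.2.10] F=<spam@example.invalid> rejected RCPT <victim@example.net>: relay not permitted
2010-07-01 10:01:03 H=(example.invalid) [192.0.2.10] F=<spam@example.invalid> rejected RCPT <other@example.net>: relay not permitted
2010-07-01 10:02:15 H=mail.example.org [198.51.100.7] F=<bob@example.org> rejected RCPT <nobody@example.net>: Unrouteable address
2010-07-01 10:03:40 H=mail.example.com [203.0.113.5] F=<alice@example.com> rejected after DATA: rejected by local_scan
2010-07-01 10:04:00 H=ok.example.com [203.0.113.9] F=<ok@example.com> rejected RCPT <x@example.net>: Sender verify failed
"""


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern with a named host group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def count_failures(log_text, pattern):
    """Count matching rejectlog lines per source host, as fail2ban tallies them."""
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(hits, maxretry=3):
    """Hosts whose failure count reached maxretry (3 is fail2ban's default; assumed here)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    tally = count_failures(SAMPLE_REJECTLOG, compile_failregex(FAILREGEX))
    for host, n in tally.most_common():
        print("%s: %d match(es)" % (host, n))
    print("would ban with maxretry=2:", hosts_to_ban(tally, maxretry=2))
```

Because the jail bans on a per-host count within findtime, a single "Sender verify failed" line never contributes, while the repeated relay attempts from one address do.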
From: Joe on 1 Jul 2010 13:00

On 01/07/10 15:58, Alan Chandler wrote:
>
> One downside seems to be that it creates lots of exim processes, and I
> am not sure why yet. It may be open connections with dropping data as a
> result of the recently added iptables rule
>

Some sites try many simultaneous connections. Have you got this set?

exim4/conf.d/main/02_exim-config_options:

..
..
.ifndef SMTP_ACCEPT_MAX_PER_HOST
SMTP_ACCEPT_MAX_PER_HOST = 3
.endif
smtp_accept_max_per_host = SMTP_ACCEPT_MAX_PER_HOST
..
..

If it's there, and it wasn't in mine by default, you can then set and alter it in exim4/exim4.conf.localmacros where things are easier to find.

Don't forget you've used a delay so there may be many overlapping open connections waiting out the timeout.

--
Joe

Archive: http://lists.debian.org/4C2CC62D.4090209(a)jretrading.com
From: lee on 1 Jul 2010 13:50

On Thu, Jul 01, 2010 at 03:58:24PM +0100, Alan Chandler wrote:
> first /etc/fail2ban/jail.local to define the jail for exim (as it is
> not included as standard in the Debian configuration). This just
> required a few simple lines

> One downside seems to be that it creates lots of exim processes, and
> I am not sure why yet. It may be open connections with dropping
> data as a result of the recently added iptables rule

Just to be curious, what is the thinking/idea/advantage behind disallowing connections by firewall rules instead of denying the relaying or blacklisting the originating IPs through exim's configuration?

Archive: http://lists.debian.org/20100701174344.GH8185(a)yun.yagibdah.de
From: Alan Chandler on 1 Jul 2010 16:20

On 01/07/10 18:43, lee wrote:
> On Thu, Jul 01, 2010 at 03:58:24PM +0100, Alan Chandler wrote:
>
>> first /etc/fail2ban/jail.local to define the jail for exim (as it is
>> not included as standard in the Debian configuration). This just
>> required a few simple lines
>
>> One downside seems to be that it creates lots of exim processes, and
>> I am not sure why yet. It may be open connections with dropping
>> data as a result of the recently added iptables rule
>
> Just to be curious, what is the thinking/idea/advantage behind
> disallowing connections by firewall rules instead of denying the
> relaying or blacklisting the originating IPs through exim's
> configuration?
>

I would like to cause as much disruption to these guys as possible. My thinking was that an immediate "Relay not permitted" allows them to move on and try the next one (or worse, just repeating with another address on MY connection - which I have discovered is what they like to do). On the other hand, just dropping the packets means that they have to time out the connection before they can move on.

After all, all this bandwidth hitting my connection does make it harder for people to get a good response from my other services such as my web site. I am just a personal individual sitting at the end of my ISP's broadband connection.

--
Alan Chandler
http://www.chandlerfamily.org.uk

Archive: http://lists.debian.org/4C2CF5BA.5090303(a)chandlerfamily.org.uk
From: Chris Davies on 1 Jul 2010 19:30

lee <lee(a)yun.yagibdah.de> wrote:
> Just to be curious, what is the thinking/idea/advantage behind
> disallowing connections by firewall rules instead of denying the
> relaying or blacklisting the originating IPs through exim's
> configuration?

A firewall rule can blacklist the IP address rather than just the (SMTP) service. From my personal perspective, that fits the bill exactly. I just wish I'd started using fail2ban a few years ago!

Chris

Archive: http://lists.debian.org/e9jvf7xgjf.ln2(a)news.roaima.co.uk