
Re: exim: too many connections?



On Thu, Mar 13, 2008 at 04:03:18PM -0700, Paul Johnson wrote:
> On Thursday 13 March 2008 03:03:01 pm Andrew Sackville-West wrote:
> 
> > also, fail2ban's later versions (sid at least) include support for
> > exim and it will install cleanly on etch.
> 
> fail2ban looks interesting.  Is there any way to have it use exim's ACLs 
> instead of doing it at the packet level?

Well, maybe, but I don't think it's really intended to operate in any
way other than at the packet level. Essentially, it uses iptables to
drop IPs that have failed to authenticate enough times.

So, you can tweak the regexes to look for different things in the
log. If some IP fails an ACL in a way that is distinguishable in the
log then fail2ban could block that IP.

For example, I've added a regex to mine to specifically look for
failed relaying. 

The default line is:

failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)

I've added:
            \[<HOST>\] .*relay not permitted

so that if anyone tries to relay and fails then they get banned for 24
hours. 

Subsequently, I added this one:

            \[<HOST>\] .*rejected RCPT.*

which is pretty much a catch-all. If anyone fails to send for whatever
reason (whether ACL or relaying from an unauthorized IP, whatever)
they get banned. It probably makes the other rules superfluous...

A
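
Added example, not part of the original message: a Python check of the three failregex patterns quoted above against constructed exim log lines, showing which rules fire for each IP and where they overlap. The HOST expansion is a simplified stand-in for fail2ban's own <HOST> substitution, and all log lines and addresses are made up.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# expansion differs between fail2ban versions).
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# The three patterns quoted in the message above.
FAILREGEX = {
    "default": r"\[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)",
    "relay": r"\[<HOST>\] .*relay not permitted",
    "catch_all": r"\[<HOST>\] .*rejected RCPT.*",
}

# Constructed exim mainlog lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "2008-03-13 15:01:02 H=(host1.example.invalid) [192.0.2.10] F=<a@example.invalid> rejected RCPT <b@example.net>: relay not permitted",
    "2008-03-13 15:02:10 H=host2.example.invalid [192.0.2.11] F=<x@example.invalid> rejected RCPT <nobody@example.org>: Unrouteable address",
    "2008-03-13 15:03:00 H=[192.0.2.12] F=<s@example.invalid> rejected by local_scan(): administrative prohibition",
    "2008-03-13 15:04:00 H=(host4.example.invalid) [192.0.2.13] F=<c@example.invalid> rejected RCPT <d@example.org>: Sender verify failed",
    "2008-03-13 15:05:00 1JZabc-0001Ab-Cd <= user@example.org H=client.example.org [192.0.2.14] P=esmtp S=1234",
]

def compile_rules(rules=FAILREGEX):
    """Substitute <HOST> and compile each pattern."""
    return {name: re.compile(rx.replace("<HOST>", HOST)) for name, rx in rules.items()}

def classify(lines=SAMPLE_LOG, rules=FAILREGEX):
    """Return {ip: sorted names of the rules that matched a line from that ip}."""
    compiled = compile_rules(rules)
    hits = {}
    for line in lines:
        for name, rx in compiled.items():
            m = rx.search(line)  # unanchored search anywhere in the line
            if m:
                hits.setdefault(m.group("host"), set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

def only_catch_all(lines=SAMPLE_LOG):
    """IPs that would be banned solely because of the 'rejected RCPT' rule."""
    return sorted(h for h, names in classify(lines).items() if names == ["catch_all"])

if __name__ == "__main__":
    for host, names in classify().items():
        print(host, names)
    print("banned only by catch-all:", only_catch_all())
```

For a real log and filter file, fail2ban ships a fail2ban-regex command that performs the same kind of dry run.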
