On 29/06/10 11:46, Chris Davies wrote:
> Alan Chandler <alan@chandlerfamily.org.uk> wrote:
>> I have just moved my mail server (exim4 split config based) from one
>> machine to another, and in doing so started examining the logs. I am
>> being hit with multiple attempts to relay - several a second. They
>> come in bursts from one host, then come from somewhere else. I would
>> like to put some form of inconvenient barrier up so perhaps they stop
>> bothering me. What is a good way of deterring them?
>
> Fail2ban is remarkably good at helping deter probes such as relay
> attempts. Get it working "out of the box" and then tweak it to match
> against other exim messages.
>
> Chris
That looks a great idea. I will try it. I suppose that I can pick up the IP addresses from /var/log/exim4/rejectlog and then use an iptables chain with something like

  iptables -N smtp-in
  iptables -A smtp-in -s banned-ip -j DROP
  ...
  iptables -A smtp-in -j ACCEPT
  iptables -A INPUT -p tcp --dport 25 -j smtp-in

(--dport only works with a protocol match, hence the -p tcp.) I already have something set up like this as my firewall - and I actually already have two chains defined: one "inet-in" and the other "i-estab" for already established connections.
A question. If I drop these banned IP addresses AFTER they have established a connection, am I likely to do them more damage than just dropping the first connection?

I am thinking that allowing the spam sender to establish the TCP connection and then just dropping all the subsequent packets will be slightly harder for them to detect, and will tie up an outgoing connection on their mail server until they can time out, rather than dropping the initial connection attempt. On the other hand, just dropping them before even establishing the connection might make them think there is no server there at all.
Thoughts?

-- 
Alan Chandler
http://www.chandlerfamily.org.uk
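As an added example (not code from the thread, and not Alan's actual firewall), here is a POSIX shell script that does what the message above sketches: it pulls the source IPs of relay rejections out of exim4 rejectlog lines, applies a hit threshold, and emits the iptables commands for the "smtp-in" chain in both variants the message weighs up, dropping the banned host's connection attempt outright, or letting the handshake complete and dropping everything after it. The log lines are constructed for the example; "relay not permitted" is Exim's default ACL rejection text and the "H=... [ip]" field is Exim's host logging format, but the chain name and the threshold are assumptions. The iptables commands are printed rather than executed, so the script runs without root and can be piped into sh once the output looks right.

```shell
#!/bin/sh
# Added example: build an "smtp-in" iptables chain from exim4 rejectlog
# relay rejections. Not from the original thread; command output is text.

# Constructed sample of /var/log/exim4/rejectlog (not real log data).
# Exim logs the peer as "H=name (helo) [ip]" or "H=(helo) [ip]"; the default
# ACL rejects unauthorised relaying with "relay not permitted".
REJECTLOG_SAMPLE='2010-06-29 11:40:01 H=(mail.example) [192.0.2.10] F=<a@example.org> rejected RCPT <b@example.net>: relay not permitted
2010-06-29 11:40:01 H=(mail.example) [192.0.2.10] F=<a@example.org> rejected RCPT <c@example.net>: relay not permitted
2010-06-29 11:40:02 H=(mail.example) [192.0.2.10] F=<a@example.org> rejected RCPT <d@example.net>: relay not permitted
2010-06-29 11:41:17 H=host.example.com [198.51.100.7] F=<x@example.com> rejected RCPT <y@example.net>: relay not permitted
2010-06-29 11:42:00 H=(legit) [203.0.113.5] F=<q@example.org> rejected RCPT <nobody@chandlerfamily.org.uk>: Unrouteable address'

# relay_probe_ips THRESHOLD
# Print each source IP with at least THRESHOLD relay rejections, busiest
# first. Only "relay not permitted" lines count; other rejections (bad
# recipient, etc.) are ordinary mail and must not get a host banned.
relay_probe_ips() {
    threshold=${1:-1}
    printf '%s\n' "$REJECTLOG_SAMPLE" |
    grep 'relay not permitted' |
    sed -n 's/.*\[\([0-9.]*\)\].*/\1/p' |     # keep only the [ip] field
    sort | uniq -c | sort -rn |
    awk -v t="$threshold" '$1 >= t { print $2 }'
}

# smtp_in_rules MODE IP...
# Emit the iptables commands that (re)build the smtp-in chain for the given
# IPs and hook it into INPUT for port 25.
#   syn:         drop every packet from the host, so its connection attempt
#                never gets a SYN-ACK (the host may conclude nothing listens).
#   established: accept the SYN so the remote MTA sees the handshake complete,
#                then drop everything after it; the remote side sits waiting
#                for an SMTP banner until its own timeout fires.
smtp_in_rules() {
    mode=$1; shift
    echo 'iptables -N smtp-in'
    echo 'iptables -F smtp-in'
    for ip in "$@"; do
        case $mode in
          syn)
            echo "iptables -A smtp-in -s $ip -j DROP" ;;
          established)
            echo "iptables -A smtp-in -s $ip -p tcp --syn -j ACCEPT"
            echo "iptables -A smtp-in -s $ip -j DROP" ;;
          *)
            echo "unknown mode: $mode" >&2; return 1 ;;
        esac
    done
    echo 'iptables -A smtp-in -j ACCEPT'
    # --dport needs a protocol match, hence -p tcp.
    echo 'iptables -I INPUT -p tcp --dport 25 -j smtp-in'
}

# Usage: ban hosts with two or more relay attempts, tarpit style.
# shellcheck disable=SC2046
smtp_in_rules established $(relay_probe_ips 2)
```

On the question the message raises: in "established" mode our own kernel never reaches ESTABLISHED either (the peer's final ACK is dropped), so it keeps a half-open socket in SYN_RECV and retransmits the SYN-ACK until it gives up, while the remote MTA waits for a banner that never comes. That is the cost and the effect of this variant, and it is what the dedicated TARPIT target from xtables-addons does more cheaply. Fail2ban's stock iptables actions take the first approach and refuse the new connection.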