
Re: Deterring mail relay attempts



On 30/06/10 15:48, Chris Davies wrote:
Alan Chandler <alan@chandlerfamily.org.uk> wrote:
I have just moved my mail server (exim4 split config based) from one
machine to another, and in doing so started examining the logs.  I am
being hit with multiple attempts to relay - several a second.  They come
in bursts from one host, then come from somewhere else.

On 29/06/10 11:46, Chris Davies wrote:
Fail2ban is remarkably good at helping deter probes such as relay
attempts [...]

Alan Chandler <alan@chandlerfamily.org.uk> wrote:
I suppose that I can pick up the IP addresses from
/var/log/exim4/rejectlog and then use an iptables chain [..]

Actually, fail2ban does this automatically for you. It adds a DROP for
the source IP address into its own fail2ban chain. (And later removes
them after a configurable period of time.)

Chris



Just to report I got this set up and it's working great. I needed to make a couple of changes to the default Debian setup, so I created two local files.

First, /etc/fail2ban/jail.local to define the jail for exim (as it is not included as standard in the Debian configuration). This just required a few simple lines:

[exim]
enabled = true
port = smtp
filter = exim
logpath = /var/log/exim4/rejectlog
banaction = iptables
bantime = 86400


which bans offending IP addresses for a whole day. (This is the first day and I want to see how big the iptables chain grows; I get the impression that I get attacked in cycles of about a day, so I might want to increase the ban time a bit in future.)

I also needed to change the default filter for exim, since it did not include any attempts to use me as a relay. So I made

/etc/fail2ban/filter.d/exim.local

with the following line changed from the exim.conf file in the same directory:

failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)

Running this for a couple of hours has built an iptables chain of about 50 entries. It is clear that the spammers recycle around: some of the older members of the chain now have about 1000 hits, and the newer entries get progressively fewer.

One downside seems to be that it creates lots of exim processes, and I am not sure why yet. It may be open connections with dropping data as a result of the recently added iptables rule.

--
Alan Chandler
http://www.chandlerfamily.org.uk
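As an added illustration (not part of the post above and not fail2ban's own code), the following Python script approximates what fail2ban does with the jail and failregex quoted in the message: it substitutes a host-capturing group for <HOST>, runs the regex over rejectlog lines, and bans a host only once it has maxretry matches inside a findtime window (fail2ban's defaults are maxretry = 3 and findtime = 600 seconds). The <HOST> substitution here is a simplified stand-in for fail2ban's real one, and the log lines are constructed samples using RFC 5737 documentation addresses, not real traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rejectlog lines in exim's format (not real traffic).
# 203.0.113.9 has three matches spread over 40 minutes to show the
# findtime window; the other two hosts hit three times within seconds.
SAMPLE_REJECTLOG = """\
2010-06-30 15:00:00 H=(slow.example) [203.0.113.9] F=<d@example.org> rejected RCPT <q@example.net>: relay not permitted
2010-06-30 15:20:00 H=(slow.example) [203.0.113.9] F=<d@example.org> rejected RCPT <r@example.net>: relay not permitted
2010-06-30 15:40:00 H=(slow.example) [203.0.113.9] F=<d@example.org> rejected RCPT <s@example.net>: relay not permitted
2010-06-30 15:48:01 H=(mail.example) [192.0.2.10] F=<a@example.com> rejected RCPT <x@example.net>: relay not permitted
2010-06-30 15:48:01 H=(mail.example) [192.0.2.10] F=<a@example.com> rejected RCPT <y@example.net>: relay not permitted
2010-06-30 15:48:02 H=(mail.example) [192.0.2.10] F=<a@example.com> rejected RCPT <z@example.net>: relay not permitted
2010-06-30 15:48:05 H=(other.example) [198.51.100.7] F=<b@example.org> rejected RCPT <nobody@chandlerfamily.org.uk>: Unrouteable address
2010-06-30 15:48:09 H=(legit.example) [203.0.113.5] F=<c@example.org> rejected RCPT <someone@chandlerfamily.org.uk>: Unrouteable address
2010-06-30 15:48:11 H=(other.example) [198.51.100.7] F=<b@example.org> rejected RCPT <w@example.net>: relay not permitted
2010-06-30 15:48:12 H=(other.example) [198.51.100.7] F=<b@example.org> rejected after DATA: rejected by local_scan
"""

# The failregex from the post, as a Python raw string.
FAILREGEX = r"\[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)"

# fail2ban replaces <HOST> with a named group before compiling. This
# pattern is an assumption (a simplification of fail2ban's real one).
HOST_PATTERN = r"(?P<host>[\w\-.]+)"


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_failures(log_text, failregex=FAILREGEX):
    """Yield (timestamp, host) for every line the failregex matches."""
    rx = compile_failregex(failregex)
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        # exim log lines start with "YYYY-MM-DD HH:MM:SS"
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("host")


def count_failures(log_text, failregex=FAILREGEX):
    """Total matches per host, ignoring timing (useful for eyeballing a log)."""
    return Counter(host for _, host in parse_failures(log_text, failregex))


def hosts_to_ban(log_text, maxretry=3, findtime=600, failregex=FAILREGEX):
    """Hosts with at least maxretry matches inside any findtime-second window,
    which is the condition under which fail2ban would add them to its chain."""
    by_host = defaultdict(list)
    for ts, host in parse_failures(log_text, failregex):
        by_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in by_host.items():
        times.sort()
        # slide a window of maxretry consecutive matches over the timestamps
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    for host, n in sorted(count_failures(SAMPLE_REJECTLOG).items()):
        print(f"{host:15} {n} matches")
    print("would ban:", hosts_to_ban(SAMPLE_REJECTLOG))
```

On the sample, 192.0.2.10 and 198.51.100.7 reach three matches within seconds and would be banned, while 203.0.113.9 also has three matches but spread over 40 minutes, so with the default findtime it stays out of the chain; raising findtime to an hour catches it. To check the real filter against a real log, fail2ban ships `fail2ban-regex`, which takes the log file and the filter file (here exim.local) and reports which lines the failregex matched.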

