On 30/06/10 15:48, Chris Davies wrote:
> Alan Chandler <alan@chandlerfamily.org.uk> wrote:
>> I have just moved my mail server (exim4 split config based) from one
>> machine to another, and in doing so started examining the logs. I am
>> being hit with multiple attempts to relay - several a second. They come
>> in bursts from one host, then come from somewhere else.
>
>> On 29/06/10 11:46, Chris Davies wrote:
>>> Fail2ban is remarkably good at helping deter probes such as relay
>>> attempts [...]
>
> Alan Chandler <alan@chandlerfamily.org.uk> wrote:
>> I suppose that I can pick up the IP addresses from
>> /var/log/exim4/rejectlog and then use an iptables chain [..]
>
> Actually, fail2ban does this automatically for you. It adds a DROP for the
> source IP address into its own fail2ban chain. (And later removes them
> after a configurable period of time.)
>
> Chris
Just to report that I got this set up and it's working great. I needed to make a couple of changes to the default Debian setup, so I created two local files.
First, /etc/fail2ban/jail.local, to define the jail for exim (as it is not included as standard in the Debian configuration). This just required a few simple lines:
    [exim]
    enabled = true
    port = smtp
    filter = exim
    logpath = /var/log/exim4/rejectlog
    banaction = iptables
    bantime = 86400

which bans offending IP addresses for a whole day. (This is the first day and I want to see how big the iptables chain grows - I get the impression that I get attacked in cycles of about a day - so I might want to increase the ban time a bit in future.)
I also needed to change the default filter for exim, since it did not include any attempts to use me as a relay. So I made
/etc/fail2ban/filter.d/exim.local with the following line changed from the exim.conf file in the same directory:
failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)
After running this for a couple of hours it has built an iptables chain of about 50 entries. It is clear that the spammers recycle around: some of the older members of the chain now have about 1000 hits, and then the new entries get progressively fewer.
One downside seems to be that it creates lots of exim processes, and I am not sure why yet. It may be open connections with dropping data as a result of the recently added iptables rule.
-- Alan Chandler http://www.chandlerfamily.org.uk
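To show what the exim.local failregex above actually catches, here is an added example (not Alan's code and not part of fail2ban) that runs that regex over a few constructed rejectlog-style lines, counts matches per source address, and renders the DROP rules the iptables banaction would insert into the jail's chain. The `<HOST>` expansion, the sample log lines and the maxretry value are assumptions; fail2ban's real `<HOST>` pattern is more elaborate, and it also applies findtime and its own date prefix, which this script ignores.

```python
import re
from collections import Counter

# fail2ban's failregex uses the <HOST> tag for the offending address and expands
# it into a named group before scanning. This simplified expansion (an assumption,
# not fail2ban's exact pattern) accepts an IPv4/IPv6 literal or a hostname.
HOST_RE = r"(?P<host>[\w\-.:]+)"

# The failregex from the exim.local shown in the post, unchanged.
FAILREGEX = r"\[<HOST>\] .*(?:rejected by local_scan|Unrouteable address|relay not permitted)"

# Constructed lines in the style of exim4's rejectlog (not captured data).
# 192.0.2.10 makes three relay attempts, 198.51.100.7 two unrouteable-address
# probes and 203.0.113.9 one local_scan rejection; 203.0.113.5 is rejected for
# a reason the filter does not match and so must not be counted.
SAMPLE_REJECTLOG = """\
2010-06-30 15:50:01 H=(mx.example) [192.0.2.10] F=<spam@example.net> rejected RCPT <user@example.org>: relay not permitted
2010-06-30 15:50:02 H=(mx.example) [192.0.2.10] F=<spam@example.net> rejected RCPT <user@example.org>: relay not permitted
2010-06-30 15:50:03 H=(mx.example) [192.0.2.10] F=<spam@example.net> rejected RCPT <user@example.org>: relay not permitted
2010-06-30 15:51:10 H=(bot.example) [198.51.100.7] F=<a@b.example> rejected RCPT <nobody@example.org>: Unrouteable address
2010-06-30 15:51:11 H=(bot.example) [198.51.100.7] F=<a@b.example> rejected RCPT <nobody2@example.org>: Unrouteable address
2010-06-30 15:52:00 H=(friend.example) [203.0.113.5] F=<ok@friend.example> rejected RCPT <x@example.org>: Sender verify failed
2010-06-30 15:53:00 H=(scanner.example) [203.0.113.9] F=<z@z.example> rejected by local_scan(): message looks like spam
"""
SAMPLE_LINES = SAMPLE_REJECTLOG.splitlines()


def compile_failregex(failregex: str = FAILREGEX) -> re.Pattern:
    """Expand the <HOST> tag and compile, as fail2ban does before scanning a log."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def offending_hosts(lines, failregex: str = FAILREGEX) -> Counter:
    """Count matching lines per host; lines the regex does not match are ignored."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(lines, maxretry: int = 3, failregex: str = FAILREGEX):
    """Hosts that reached maxretry matches. findtime is ignored here: every line
    is treated as falling inside one window, the worst case for the sender."""
    return sorted(h for h, n in offending_hosts(lines, failregex).items() if n >= maxretry)


def iptables_ban_commands(hosts, jail: str = "exim"):
    """The DROP rules the iptables banaction inserts at the top of the per-jail
    chain fail2ban-<jail> (the same form as fail2ban's action.d/iptables.conf)."""
    return [f"iptables -I fail2ban-{jail} 1 -s {host} -j DROP" for host in hosts]


if __name__ == "__main__":
    for host, n in offending_hosts(SAMPLE_LINES).most_common():
        print(f"{host:15} {n} hits")
    for cmd in iptables_ban_commands(hosts_to_ban(SAMPLE_LINES, maxretry=3)):
        print(cmd)
```

With maxretry set to 3 only 192.0.2.10 is banned; the "Sender verify failed" line is never counted because it matches none of the three alternatives, which is exactly why the alternation in the failregex, not just the `[<HOST>]` prefix, decides who ends up in the chain. Lowering maxretry to 2 would also ban the Unrouteable-address prober, so that value is worth tuning alongside bantime.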