Re: blocking 465 connections to mail server for specific IP address without using fail2ban
Hi,
On 22/6/19 6:24 pm, john doe wrote:
>> I've blacklisted quite a number of IP addresses and CIDR blocks
>> from delivering email to my server with entries in the
>> /etc/exim4/local_host_blacklist file.
>>
>> Is there any config file that I can easily use to block 465
>> login attempts from bad IP addresses and CIDR blocks?
>>
>> If there is no simple config file, what can I do without
>> resorting to use of fail2ban so that I can use a curated list of
>> blocked IP addresses. I'm not sure I want to use iptables for
>> this either.
>>
>> I /may/ end up blocking the IPs at the firewall (OPN Sense) level
>> yet.
>
> Instead of files, I probably would use 'ipset', that way, you can
> use the ipset in exim iptables ...
Thanks!
Okay, this might help someone else. Here are the details of my
solution; it requires the iprange package and a logwatch email to do
the job.
Cheers
A.
References:
http://ipset.netfilter.org/
https://wiki.archlinux.org/index.php/Ipset
https://unix.stackexchange.com/questions/67738/ip-set-to-block-access-to-exim-and-dovecot
Other possibly useful references:
https://firewalld.org/documentation/
#!/bin/bash
# Rebuild the bad-exim4-exploiters ipsets from the failed SASL logins in a
# logwatch e-mail and DROP those sources on the listed mail ports.
# Requires: ipset, iptables and iprange.

banned_ports_list=25,465,993,995
logwatch_file=/var/log/exim4/logwatch-email-20190622a.eml

# Print the client addresses of failed SASL logins on the given port.
# NB iprange will clean up and uniquely sort the IP address list
# - this /may/ also conflate plain IP entries to CIDR entries
failed_login_ips() {
    local port=$1
    grep "login_saslauthd authenticator failed for.*:${port}:" \
        "${logwatch_file}" | sed \
        -e 's/^.*login_saslauthd authenticator failed for //' \
        -e 's/^(.*) //' -e 's/:.*$//' | tr -d '[]' | iprange
}

declare -a tcp25_set tcp465_set
tcp25_set=( $(failed_login_ips 25) )
tcp465_set=( $(failed_login_ips 465) )

# Delete the iptables rules if they exist (a set cannot be destroyed while
# a rule still references it); errors for missing rules are ignored.
for setname in bad-exim4-exploiters-net bad-exim4-exploiters-ip
do
    iptables -D INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
        -m set --match-set "${setname}" src -j DROP 2>/dev/null || true
done

# Destroy the old ipset bad-exim4-exploiters lists (if they exist)
ipset destroy bad-exim4-exploiters-net 2>/dev/null || true
ipset destroy bad-exim4-exploiters-ip 2>/dev/null || true

# Create new ipset lists
ipset create bad-exim4-exploiters-net hash:net
ipset create bad-exim4-exploiters-ip hash:ip

# Add entries: CIDR blocks go into the hash:net set, plain addresses into
# the hash:ip set; -exist stops duplicates from being reported as errors.
for badip in "${tcp25_set[@]}" "${tcp465_set[@]}"
do
    if [[ "${badip}" == */* ]]
    then
        ipset add bad-exim4-exploiters-net "${badip}" -exist
    else
        ipset add bad-exim4-exploiters-ip "${badip}" -exist
    fi
done

# Add the iptables rules that use the ipsets
for setname in bad-exim4-exploiters-net bad-exim4-exploiters-ip
do
    iptables -I INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
        -m set --match-set "${setname}" src -j DROP
done
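An added example (not from the thread, and not the poster's script) showing the same log-to-ipset idea in Python with two changes a defender would want: a minimum failure count before an address is banned, and an `ipset restore` input that fills a scratch set and `swap`s it into place, so the DROP rule never has to be removed while the list is rebuilt. It assumes log lines in the shape the script's grep/sed pipeline expects, uses a single hash:net set (which also stores plain addresses, as /32 entries), and the sample lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape the script's grep/sed pipeline expects:
# "... login_saslauthd authenticator failed for (name) [addr]:port: 535 ..."
SAMPLE_LOG = """\
2019-06-22 01:02:03 login_saslauthd authenticator failed for (ylmf-pc) [192.0.2.10]:465: 535 Incorrect authentication data (set_id=alice)
2019-06-22 01:02:09 login_saslauthd authenticator failed for (ylmf-pc) [192.0.2.10]:465: 535 Incorrect authentication data (set_id=bob)
2019-06-22 01:05:00 login_saslauthd authenticator failed for (laptop) [198.51.100.7]:465: 535 Incorrect authentication data (set_id=carol)
2019-06-22 01:07:31 login_saslauthd authenticator failed for (x) [203.0.113.5]:25: 535 Incorrect authentication data (set_id=dave)
2019-06-22 01:07:40 login_saslauthd authenticator failed for (x) [203.0.113.5]:25: 535 Incorrect authentication data (set_id=dave)
2019-06-22 01:08:00 1hdXyz-0001aB-Cd <= sender@example.org H=(mx.example.org) [203.0.113.9] P=esmtps S=1234
"""

FAILED_RE = re.compile(
    r"login_saslauthd authenticator failed for \([^)]*\) "
    r"\[(?P<addr>[0-9A-Fa-f.:]+)\]:(?P<port>\d+):"
)

def failed_logins(log_text, ports=(25, 465)):
    """Count failed SASL logins per source address, keyed by listening port."""
    counts = {port: Counter() for port in ports}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and int(m.group("port")) in counts:
            counts[int(m.group("port"))][m.group("addr")] += 1
    return counts

def offenders(counts, min_failures=2):
    """Addresses with at least min_failures on some port; a single failure is
    often a legitimate user mistyping a password, so it is not banned."""
    bad = set()
    for per_port in counts.values():
        bad.update(a for a, n in per_port.items() if n >= min_failures)
    return sorted(bad, key=lambda a: (ipaddress.ip_address(a).version, int(ipaddress.ip_address(a))))

def ipset_restore_script(addrs, setname="bad-exim4-exploiters-net"):
    """Input for 'ipset restore': fill a scratch set, then swap it into place.
    The DROP rule keeps matching the live set name the whole time, so the
    ports are never left unprotected while the list is rebuilt."""
    tmp = f"{setname}-tmp"
    lines = [f"create {setname} hash:net -exist",
             f"create {tmp} hash:net -exist", f"flush {tmp}"]
    lines += [f"add {tmp} {a}" for a in addrs]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"
```

Pipe the returned text into `ipset restore` from the same kind of cron job or logwatch hook the script above runs from; the `iptables ... --match-set bad-exim4-exploiters-net src -j DROP` rule only needs to be inserted once.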