Re: [exim] sudo - iptables trick

Author: Tom Kistner
Date:  
To: exim-users
CC: jethro.binks
Subject: Re: [exim] sudo - iptables trick
Tom Kistner wrote:

> I do this via a script I called "timeban". It's universal so it can be
> used for other blocking purposes as well. Handles management of a
> blocking chain. Can also manage counters per-IP so you can block IPs
> after multiple infractions ... useful for SSH dictionary "attacks" too.


OK, here's the script:

http://duncanthrax.net/timeban/timeban
Docs and config are integrated in the script itself.

To use this thing in Exim, create a macro like:

IPT_TEMP_BLACKHOLE = ${run {/usr/local/bin/timeban add \
                $sender_host_address}{1}{1}}


(Note: this is an instant ban - read the timeban docs!)

You may run into the problem that the Exim user can't add iptables rules.
In this case you should set up a sudo rule for /usr/local/bin/timeban.


Use the macro in appropriate positions (it always expands to '1'):

Example 1 (DATA ACL):

   drop message = Spam detected ($spam_score)
          condition = ${if <{$message_size}{500k}}
          spam = nobody
          condition = IPT_TEMP_BLACKHOLE


Example 2 (RCPT ACL):

   drop message = Blacklisted sender domain
        sender_domains = +envelope_domain_blacklist
        condition = IPT_TEMP_BLACKHOLE


   drop message = $sender_host_address blacklisted at $dnslist_domain
        dnslists = list.dsbl.org:sbl-xbl.spamhaus.org
        condition = IPT_TEMP_BLACKHOLE
If you want to use this outside of Exim, I have written a small
log-surfing script that can call timeban on log events. It's
undocumented FTTB, but you'll get the idea when you look at it:

http://duncanthrax.net/timeban/logexec

I wanted to add this to the Wiki as well but can't figure out how to add
a page (can't edit the front page ... hmmm :)

/tom
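As an added illustration (not the timeban script linked above and not part of this post), here is a minimal POSIX shell sketch of the two ideas the post names: a dedicated blocking chain, and per-IP infraction counters so a host is dropped only after repeated hits, with bans that expire. The chain name TIMEBAN, the state directory and the threshold and duration defaults are assumptions; point IPTABLES at echo for a dry run.

```shell
#!/bin/sh
# Illustrative timeban-style blocker (added example, not the real timeban).
# Defaults below are assumptions; every one can be overridden from the environment.
IPTABLES="${IPTABLES:-iptables}"               # e.g. IPTABLES=echo for a dry run
CHAIN="${TIMEBAN_CHAIN:-TIMEBAN}"              # assumed name of the blocking chain
STATE_DIR="${TIMEBAN_STATE:-/var/lib/timeban}" # hit counters and ban expiry stamps
THRESHOLD="${TIMEBAN_THRESHOLD:-3}"            # infractions before a ban
BAN_SECONDS="${TIMEBAN_SECONDS:-3600}"         # how long a ban lasts
# Accept only a dotted-quad IPv4 address, so nothing else ever reaches iptables.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Create the blocking chain and make INPUT jump to it (idempotent).
timeban_setup() {
    mkdir -p "$STATE_DIR/hits" "$STATE_DIR/bans"
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT -j "$CHAIN"
}

# Instant ban: append a DROP rule and record when it should expire.
timeban_add() {
    valid_ip "$1" || return 1
    [ -f "$STATE_DIR/bans/$1" ] && return 0     # already banned, nothing to do
    "$IPTABLES" -A "$CHAIN" -s "$1" -j DROP || return 1
    echo $(( $(date +%s) + BAN_SECONDS )) > "$STATE_DIR/bans/$1"
}

# Count one infraction; ban (and reset the counter) once THRESHOLD is reached.
timeban_hit() {
    valid_ip "$1" || return 1
    f="$STATE_DIR/hits/$1"
    n=$(( $(cat "$f" 2>/dev/null || echo 0) + 1 ))
    echo "$n" > "$f"
    [ "$n" -ge "$THRESHOLD" ] || return 1
    rm -f "$f"
    timeban_add "$1"
}

# Remove rules whose ban time has passed; meant to be run from cron.
timeban_expire() {
    now=$(date +%s)
    for f in "$STATE_DIR"/bans/*; do
        [ -f "$f" ] || continue
        ip=${f##*/}
        [ "$(cat "$f")" -le "$now" ] || continue
        "$IPTABLES" -D "$CHAIN" -s "$ip" -j DROP && rm -f "$f"
    done
}
```

With this shape the Exim macro from the post would call `timeban_add` for an instant ban, while a log-watcher would call `timeban_hit` so that a single bounce does not block a host.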