Marc Perkel wrote:
>
> W B Hacker wrote:
>
>>Marc Perkel wrote:
>>
>>
>>>Some of you I'm srue are experts at this. I can probably get something
>>>to work but I want to do it right. And it's fairly simple.
>>>
>>>What I want to do is create a simple client/server application where
>>>clients running Exim can easily report IP addresses to the server.
>>>The server will accept the IP addresses and execute a command to add the IP
>>>address to a MySQL database and increment a counter. What I'm
>>>specifically doing is counting spam/ham based on IP address. But - if I
>>>can just receive the IP address I'll figure put how to process it.
>>>
>>>I have xinentd if that maes things easy.
>>>
>>>On the client side I want to in an efficient way be able to pass a
>>>string containing the IP address to the server. Maybe talk to an open port?
>>>
>>>So - what's the simplest way to accomplish this?
>>>
>>>
>>>
>>
>>It seems you would want near-real-time posting of those IP.
>>
>>Since you said that your 'target' is a MySQL DB, you might want to simply use
>>SQL to write them directly into the DB from within an acl.
>>
>>There are examples available in SQL greylisting code - not cut-and-paste usable,
>>but which you should be able to readily adapt to your needs.
>>
>>An Exim MACRO from Toleff Fog Heen is illustrative of the 'INSERT' code concept:
>>
>>GRAYLIST_ADD = INSERT INTO relaytofrom (relay_ip, from_domain) \
>> VALUES ( '${quote_mysql:$sender_host_address}', \
>> '${quote_mysql:$sender_address_domain}')
>>
>>One might add timestamps and an autoincrementing 'serial' field, then a trigger
>>on the count if MySQL has triggers Else PostgreSQL sells for the same price, and
>>does have.
>>
>>Note that 'read' privileges are not enough, so make sure that any other SQL code
>>is resistant to exploits that could modify the DB improperly.
>>
>>I suspect this would run faster if you used something simpler than an SQL DB.
>>
>>
>>
>
>
> Thanks Bill,
>
> I have that now - but what I want to do is give other people a simple
> way to send me IP addresses in real time. I dont want to give the direct
> access to my database and provide them with passwords and query strings.
> What I want to do is to have them do something simple like write a
> string to a port and I'll handle the processing on my end with something
> that listens on that port, gets the string, and runs the MySQL on my end.
OK - 'manual' input, then.
Opening a port might invite a DoS.
A well-crafted form on a Web-page might be OK.
Having them 'forward' the entire message to a dedicated address might be better,
as you could vet it for accuracy, AND get more than just the IP out of it.
>
> I have this new system working for me and I want to make it public. But
> to do that I need to make it easy for people to send me their data.
I would be careful with 'public' there.
Not everyone is equally qualified to even ID the correct IP from whence the
problem has emanated - or if it is IP-persistent (think sporadic zombification
of communities of WinBoxen on DHCP) - or if blocking an IP used
once-in-a-great-while does more good than harm.
Look at some of the contentious junk that has found it way into rfc-ignorant.
For example, listing the entire .de .tld WHOIS as broken because it needs proper
CLI tails to craft a whois inquiry when telnet'ed into - despite the fact that
it DOES respond correctly to a proper 'whois' client. Go figure.
This new tool of yours will probably only retain 'credibility' if you are very
strict about what you allow into it.
For the near-term, multiple-acl tests and near-real-time count incrementing on
servers you control, can analyze and tune, is probably where that works best.
A razor-style sharing comes later, IMNSHO.
> I
> think I have the server side of it working. Still testing. So what I
> need now is an easy way for Exim to open a port and send a string to it.
> Right now the best I have is running netcat (nc) but would like
> something cleaner.
Have a look at the ways you can tune 'checkservice', then. A template that reads
counter(s) or files published via http might be useful.
Exim can append more (or LESS) than just entire messages to arbitrary files, not
just to the default logs.
Bill
