Re: [exim] Logging to SysLog just some events

Author: Ted Cooper
Date:  
To: Luca Bertoncello, Exim Users ML
Subject: Re: [exim] Logging to SysLog just some events
Luca Bertoncello wrote:
> Hi, list!
>
> I'm trying to write an automatically procedure to add an IP to a blacklist if
> it tries to authenticate itself (failing!) too much.
>
> Unfortunately, I can't do it from Exim, because there is no ACL called after an
> authentication failure.
>
> Now I had the idea to log the authentication failures to SysLog and then to
> bind a program on the SysLog to manage these entries.
>
> Is it possible to log JUST the authentication failures to the SysLog (too!) and
> not the other entries?
> How?
>
> P.S.: of course, if you have a better idea to solve my problem, please tell me!
> :)


Here's something I'm throwing into my config that uses my "used to be
just greylisting but now it does all sorts of stuff" daemon. It's just a
.... *shakes head in shame* PHP daemon that listens on a UNIX socket and
does stuff for me.

This only works if they attempt to authenticate more than 3 times though
.. and I haven't tested to see what happens when they authenticate
correctly on the 3rd attempt ;) It's not really aimed at actually
annoying real users, but more for the bots that sit there and try to
authenticate 300 times in a minute then are never seen again.

###########################
# ** AUTH ACL

acl_check_auth:
   # Keep track of the number of times this has been attempted and
   # firewall them out for 10 min if they are a repeat offender
   drop    message       = Too many AUTH attempts
           condition     = ${if >{$acl_c_authcount}{2}}
           continue      = ${readsocket{GLSOCK}{multi-auth-fail $sender_host_address}{20s}{ }{SOCKERR}}

   accept  set acl_c_authcount = ${eval:$acl_c_authcount + 1}


So far as I can tell, the creation and tear down of the socket plus all
the work my daemon does, is fast enough not to cause any issues but it
hasn't been taxed very much. Running a program with ${run to do almost
the same thing was causing multiple "process was killed with signal 9" crap.

Of course, this depends on something listening on a socket and doing the
work, but sounds like you are going to write something anyway.

--
The Exim Manual
http://www.exim.org/docs.html
http://docs.exim.org/current/
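The daemon side of that exchange, a listener that handles the "multi-auth-fail <ip>" request the ACL sends through ${readsocket}, as an added Python example; it is not Ted's PHP daemon and not Exim project code. The socket path, the reply strings and the firewall hook (apply) are assumptions; the 600 second expiry is the ACL comment's 10 minutes.

```python
import ipaddress
import socket
import time

class Blocklist:
    # apply(ip, add) is where a real daemon would add/remove its firewall rule
    # (left abstract here); clock is injectable so the expiry can be tested
    def __init__(self, ttl=600, clock=time.monotonic, apply=None):  # ttl = "10 min"
        self.ttl, self.clock = ttl, clock
        self.apply = apply or (lambda ip, add: None)
        self.until = {}  # ip -> monotonic time at which its block lapses

    def block(self, ip):
        now = self.clock()
        new = self.until.get(ip, 0) <= now  # not blocked yet, or block has lapsed
        self.until[ip] = now + self.ttl     # (re)start the window either way
        if new:
            self.apply(ip, True)
        return new

    def expire(self):
        now = self.clock()
        gone = [ip for ip, t in self.until.items() if t <= now]
        for ip in gone:
            del self.until[ip]
            self.apply(ip, False)
        return gone

def handle(line, blocklist):
    # One "multi-auth-fail <ip>" request -> one reply line. The ACL's `continue =`
    # discards the reply, but validating the address keeps garbage out of the rule
    parts = line.strip().split()
    if len(parts) != 2 or parts[0] != "multi-auth-fail":
        return "ERR expected 'multi-auth-fail <ip>'"
    try:
        ip = str(ipaddress.ip_address(parts[1]))
    except ValueError:
        return "ERR not an IP address"
    return ("BLOCKED " if blocklist.block(ip) else "ALREADY ") + ip

def serve(blocklist, path="/var/run/glsock"):  # path: assumed; whatever GLSOCK names
    # Accept loop: one request per connection, which is how ${readsocket} talks
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)  # fails on a stale socket file; remove it before starting
        srv.listen(8)
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall((handle(conn.recv(512).decode(errors="replace"), blocklist) + "\n").encode())
            blocklist.expire()  # release addresses whose window has run out
```

Run it with serve(Blocklist()) under the user Exim runs as, so the socket is reachable from the ACL.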