Re: [exim] Stopping Bruteforceattacks

On Wednesday, July 25, 2012 04:44:32, Mihamina Rakotomandimby wrote:
> On 07/25/2012 11:36 AM, Cyborg wrote:
> > Not that i can't write a perl script checking the logs for it, but an
> > inbuild solution would be great.
>
> An inbuild solution would, anyway, trigger Exim and at least at the very
> beginning of your experimentation, you'll have to log your rejects.
>
> You'll then have a huge log anyway.
>
> Depending on your choice:
> - filter at IP level
> - filter at application level
> you'll have (I guess) several solution.
>
> If me, I'd filter at IP level, based on some reject log information.
> That's the job of fail2ban, but I dont know if it parses Exim logs.

By default fail2ban doesn't scan Exim logs, but what logs are scanned is
customizable; for instance something like the following added to fail2ban's
jail.conf:

-----------------------

#
# Exim4 email MTA
#

[exim4]

enabled = true
port = smtp
filter = exim4
logpath = /var/log/exim4/mainlog
bantime = 28800
maxretry = 3

-----------------------

and the filter file goes in /filter.d. It's fairly admin-friendly, IMHO.

What I don't understand about this particular situation is that the IP address
of the attacker is in the RFC 1918 private IP address range (192.168.x.x)
which would make it seem like the attacker is on the local LAN (or via VPN).
That seems like in addition to adding fail2ban, you'd want to find the
offending box and take it offline for antivirus scanning (if possible) because
the "attacker" is probably malware.

Good luck tracking it down.

-- Chris

--
Chris Knadle
Chris.Knadle@???