On 4/29/2016 4:58 PM, Ted Cooper wrote:
> On 30/04/16 09:38, Phillip Carroll wrote:
>> Thanks for the suggestion.
>>
>> I looked at fail2ban some time back as something I might run on my site,
>> but ultimately decided against. If I understand correctly, that utility
>> rummages through various logs looking for problems and automatically
>> applies solutions. Seems a rather roundabout way of dealing with my
>> issue, whose parameters are already well known, and exim/smtp-specific.
>> I had in mind more of a rifle approach rather than a hand grenade.
>> (sorry for the violent metaphors)
>>
>> But, I am always somewhat leery of AI approaches to server management.
>> However, maybe I have the wrong impression of fail2ban.
>
> It's not so much AI, or automatic. You have to turn on exactly which
> tests and actions happen - filters (regex) & actions. In the case of the
> firewall ban, it only lasts as long as configured. The actions can be
> anything so you can also/instead notify yourself when someone is banned.
>
> eg. I firewall anyone for 60 minutes who
> - uses AUTH when not advertised (exim log message)
> - fails to use a valid username after X attempts (exim log message)
> - can't get their password correct after X attempts (exim log message)
>
>
Thanks for the clarification.
Your description caused me to investigate how I might instead use the
firewall I am already running on the server, namely csf. I have been
running csf on a succession of servers for quite a number of years and
find it totally reliable. It acts as a front end to iptables and, as
exim is frequently referred to as the "Swiss Army Knife" of MTAs, I
consider csf the Swiss Army Knife of linux firewalls. It turns out that
csf, in addition to its ability to run as a daemon, can be called using
quite a number of command line options that execute immediately and
return.
In particular, the command:
csf -td {ip} 1h -p 25
instantly updates iptables to deny {ip} for one hour, inbound on port
25. (If the port is not specified it defaults to all ports.) The time
argument can optionally be suffixed with h, d, or m, but if no suffix
follows the numeric part it defaults to seconds.
This looks like the perfect solution for me. It has the virtue of
putting the logic precisely where I want it, namely in exim.conf. I
don't have to rely on some tricky pcre (in a separate file in a separate
location) that may possibly go astray if I modify a log message. And it
does exactly what I want at exactly the right time.
All I need to do now is figure out which acl to use and the syntax to
test for the AUTH fail, call the csf command, and log the action.
Thanks again for the clarification on fail2ban. And hearty thanks also
to all who answered with advice.
Phil Carroll
