Quoting Phillip Carroll (postmaster@???):
> Any help appreciated (including better ideas).
Use iptables & ipset if you want to block the IP-space of an entire AS or CC.
If you 'just don't care' for traffic from large amounts of IP-space you
don't want Exim to deal with that. Exim was built to deal with email,
not blocking/rejecting connections. ;)
# ipset create CC_CN hash:net counters
# ipset add CC_CN w.x.y.z/vv
repeat for all of .CN's IP-space
# iptables -I INPUT -m set --match-set CC_CN src -j DROP
optionally add -p tcp --dport 25...
You can tell fail2ban to not use iptables to block connections but
instead use ipset. I personally use the 'hit once, be blocked for ever'
approach and have 'unban_action' set to '/bin/true'. There's roughly 13k
IPs in my fail2ban ipset. ;-)
Add some automation to this mix and you get:
[root@vm:~] # update-ipsets
Updating set as15975, type as, data 15975 ... no change in set
Updating set as16276, type as, data 16276 ... no change in set
Updating set as33258, type as, data 33258 ... no change in set
Updating set as39435, type as, data 39435 ... no change in set
Updating set as4320, type as, data 4320 ... no change in set
Updating set as63857, type as, data 63857 ... no change in set
Updating set ccCN, type cc, data CN ... changes were detected
Updating set ccHK, type cc, data HK ... changes were detected
Reload FW
Loading ipset AS_15975
Loading ipset AS_16276
Loading ipset AS_33258
Loading ipset AS_39435
Loading ipset AS_4320
Loading ipset AS_63857
Loading ipset CC_CN
Loading ipset CC_HK
Saving state of current fail2ban ipset.
Loading ipset fail2ban
Loading ipset local_filter
Done.
Add some graphs and
https://8n1.org/11176/7a2c !
But this is getting off-topic rather quick. :)
Sorry for that.
Regards,
-Sndr.
--
| The world is so full of these wonderful things,
| i'm sure we should all be as happy as kings.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
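The ipset/iptables steps above load one prefix per `ipset add` call, which gets slow and non-atomic for a whole country's allocation. The following is an added example, not from the mail or from any of the tools it mentions: a POSIX sh helper that validates a CIDR list and emits `ipset restore` input (one `create` plus `add ... -exist` lines, so re-running it is idempotent), together with the SMTP-only DROP rule the post suggests. The set name `CC_CN` follows the post; the prefixes in `SAMPLE_CIDRS` are constructed RFC 5737 documentation ranges, not real .CN allocations, and two of them are deliberately malformed to show the skip path.

```shell
#!/bin/sh
# Added example: build `ipset restore` input for a country/AS blocklist.
# Set name CC_CN mirrors the post; SAMPLE_CIDRS is constructed test data
# (RFC 5737 documentation ranges plus two malformed entries).

SAMPLE_CIDRS="192.0.2.0/24
198.51.100.0/25
not-a-prefix
203.0.113.0/24
203.0.113.0/33"

# valid_cidr PREFIX: succeed only for a.b.c.d/nn with octets 0-255 and nn 0-32.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|/*|*/) return 1 ;;   # stray chars, two slashes, empty side
        */*) ;;
        *) return 1 ;;                         # no prefix length at all
    esac
    _len=${1#*/}
    _addr=${1%/*}
    [ "$_len" -le 32 ] || return 1
    _old_ifs=$IFS; IFS=.
    set -- $_addr                              # split address into octets
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# ipset_restore_script SETNAME "PREFIX..." : print `ipset restore` input on
# stdout. Malformed prefixes are reported on stderr and skipped rather than
# aborting the whole load. -exist keeps re-runs (cron) from failing.
ipset_restore_script() {
    _set=$1
    printf 'create %s hash:net counters -exist\n' "$_set"
    printf '%s\n' "$2" | while IFS= read -r _p; do
        [ -n "$_p" ] || continue
        if valid_cidr "$_p"; then
            printf 'add %s %s -exist\n' "$_set" "$_p"
        else
            printf 'skipping malformed prefix: %s\n' "$_p" >&2
        fi
    done
}

# count_added SETNAME "PREFIX..." : how many `add` lines the script contains.
count_added() {
    ipset_restore_script "$1" "$2" 2>/dev/null | grep -c '^add '
}

# iptables_rule SETNAME: the DROP rule from the post, limited to SMTP so the
# set only affects mail delivery, not e.g. SSH from the same ranges.
iptables_rule() {
    printf 'iptables -I INPUT -p tcp --dport 25 -m set --match-set %s src -j DROP\n' "$1"
}

# Usage (needs root, not run here):
#   ipset_restore_script CC_CN "$SAMPLE_CIDRS" > cc_cn.ipset && ipset restore < cc_cn.ipset
#   $(iptables_rule CC_CN)
```

With the sample data the script contains three `add` lines; `not-a-prefix` and the `/33` entry are reported on stderr and left out, so a typo in the downloaded list cannot silently abort the load halfway through.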