Re: [exim] ACL to early reject connections from hosts which …

Author: Sebastian Arcus
Date:  
To: exim-users
Subject: Re: [exim] ACL to early reject connections from hosts which keep on retrying after a permanent reject

On 25/01/18 10:59, Mike Brudenell via Exim-users wrote:
> Hi, Sebastian -
>
> You might want to try the *strict* ratelimit option instead of *leaky*…
>
> When I was setting something up here I seem to remember that using leaky
> ended up with the ratelimit value capping out at around its limit, meaning
> my defence measure never kicked in. Changing to strict meant the actual
> rate was recorded so clients that were hammering us were now detected and
> appropriate measures taken.
>
> (There's an explanation in the *Specification*
> <https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#ratoptfast>
> about
> leaky *v* strict, but I confess I don't find it terribly clear.)


Hi Mike - thank you for the suggestion. I did consider using strict
instead of leaky, but then I thought, if something doesn't go to plan,
or I misconfigure one of the ACLs, I could have the counters increasing
out of control and blocking IP addresses forever. I think using leaky,
but with a larger number of hits in the ACLs which are supposed to
increase the counters than in the ACL which does the blocking, is a bit
safer, as the counter increases will stop at some point even if the
ACLs keep on getting hit.


>
> Cheers,
> Mike B-)
>
> On 25 January 2018 at 10:24, Sebastian Arcus via Exim-users <
> exim-users@???> wrote:
>
>> On 25/01/18 09:20, Jeremy Harris wrote:
>>
>>> On 25/01/18 05:56, Sebastian Arcus via Exim-users wrote:
>>>
>>>> I can see in the ratelimit db quite a few hosts
>>>> which have reached the 5/24h limit. But strangely in the Exim log I
>>>> can't see the appropriate reject messages - although I can see reject
>>>> messages for various other ACLs I've set up. Searching by the offending
>>>> IP addresses in the logs, I can see them retrying over and over again -
>>>> and yet my initial connect ACL never seems to kick in and deny the
>>>> connection. I can't really think of a reason for this.
>>>>
>>>
>>> Test with -bh and -d
>>>
>>>
>> I tried running a connection test on one of the IP addresses which show as
>> having reached 5.0 in the ratelimit database, and I get:
>>
>> ratelimit computed rate 4.6
>>
>> I suppose this is because some time has passed since their last connection
>> - and I think that's why it doesn't work as expected. I think I need to
>> have the first ACL - on connect, which is read-only in my case - check for
>> 5, but the others check for a higher number. It seems that the ratelimit
>> in other ACLs increases the counter to 5, but then, by the time the client
>> connects again, the counter in the db is just below 5 (for example 4.9) -
>> the ratelimit condition in the connect ACL is never true - but at the same
>> time, the later ACLs which are supposed to increase the counter don't do
>> it any more, as it would take it past 5.0. I will try something like below,
>> to see if it works:
>>
>> acl_check_connect:
>>
>> drop  message   = Temporary ban - too many retries
>>        ratelimit = 5 / 24h / per_conn / readonly
>>
>>
>> acl_check_helo:
>>
>> deny  message    = "Bad HELO (impersonates our host)"
>>        condition  = ${if match{$sender_helo_name}{$primary_hostname}}
>>        !ratelimit = 10 / 24h / per_conn / leaky
>>
>> acl_check_rcpt:
>>
>> deny  message    = Relay is not permitted
>>        !domains   = +local_domains : +relay_to_domains
>>        !ratelimit = 10 / 24h / per_conn / leaky
>>
>>
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>>
>
>
>
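To make the leaky-versus-strict discussion above concrete, here is a small model of Exim's ratelimit moving average. It is an added example, not code from this thread and not Exim's own source: it follows my reading of the Exim specification's ratelimit computation (an exponentially weighted moving average, rate = a * old_rate + (1 - a) * count * period / interval with a = exp(-interval / period), a first-seen client starting at rate = count, "leaky" writing the new rate only while it stays below the limit, "strict" always writing, "readonly" never writing). The client address, retry interval and `hammer`/`seconds_until_below` helpers are constructed for the demonstration. Treat the numbers as an approximation for choosing thresholds, not as what a given Exim build will log.

```python
"""Model of Exim's ratelimit moving average, comparing leaky and strict updates.

Assumptions (my reading of the Exim spec, not Exim's code):
  rate = a * old_rate + (1 - a) * count * PERIOD / interval,  a = exp(-interval / PERIOD)
  first event for a key: rate = count
  leaky:    write the new rate only if it is below the limit
  strict:   always write the new rate
  readonly: compute, never write
"""
import math

PERIOD = 24 * 3600  # seconds; the "24h" in "ratelimit = 5 / 24h / ..."


class RateDB:
    """In-memory stand-in for Exim's ratelimit hints database (one record per key)."""

    def __init__(self):
        self.records = {}  # key -> (rate, time of last write)

    def compute(self, key, now, count=1):
        """Rate the client would have after `count` more events at time `now`."""
        rec = self.records.get(key)
        if rec is None:
            return float(count)
        old_rate, then = rec
        interval = now - then
        if interval <= 0:
            # Events at the same instant: the average simply gains `count`.
            return old_rate + count
        a = math.exp(-interval / PERIOD)
        return a * old_rate + (1 - a) * count * PERIOD / interval

    def ratelimit(self, key, limit, now, mode="leaky", count=1):
        """Evaluate an ACL `ratelimit = limit / 24h / <mode>` condition.

        Returns (over_limit, computed_rate). A client exactly at the limit
        counts as over it.
        """
        if mode not in ("leaky", "strict", "readonly"):
            raise ValueError(f"unknown update mode {mode!r}")
        rate = self.compute(key, now, count)
        over = rate >= limit
        if mode == "strict" or (mode == "leaky" and not over):
            self.records[key] = (rate, now)
        return over, rate

    def stored_rate(self, key):
        return self.records[key][0] if key in self.records else 0.0


def hammer(mode, limit, every_s, days, key="203.0.113.10"):
    """Constructed client (documentation address) retrying every `every_s`
    seconds for `days` days against one updating ACL.

    Returns (times the condition was true, rate left in the database).
    """
    db = RateDB()
    hits = 0
    t = 0
    for _ in range(int(days * 86400 / every_s)):
        over, _rate = db.ratelimit(key, limit, t, mode)
        hits += over
        t += every_s
    return hits, db.stored_rate(key)


def seconds_until_below(rate, limit):
    """With no further events the stored rate decays as rate * exp(-t / PERIOD);
    return how long until it drops below `limit` (0 if it already is)."""
    if rate < limit:
        return 0.0
    return PERIOD * math.log(rate / limit)


if __name__ == "__main__":
    # A client retrying every 2 hours is really running at 12/day against a 5/day limit.
    for mode in ("leaky", "strict"):
        hits, stored = hammer(mode, limit=5, every_s=2 * 3600, days=5)
        quiet_h = seconds_until_below(stored, 5) / 3600
        print(f"{mode:6}: condition true {hits} times, stored rate {stored:.2f}, "
              f"below 5 again after {quiet_h:.1f} h of silence")
```

Under this model the strict counter climbs towards the client's true rate (12/day here) and stays over the limit, while the leaky counter is never written above 5, so it hovers just under the limit and the condition is only true on roughly half of the attempts. That is the "capping out at around its limit" Mike describes, and it also shows why a readonly check at 5 needs the updating ACLs to use a higher number: the stored value must be allowed to rise past the threshold the readonly check is looking for.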