Deny at connection at firewall instead of using exim ACL

kiat

Active Member
Oct 11, 2001
Hello,

I have configured exim to reject mail after a dictionary attack (thank you to Chirpy, who did a good job), and I also have RBL to reject email.

A while ago, I saw many rejected connections in the log from the same IP. It looked like the spammer tried to send email even after the first connection was rejected. Sometimes it's almost a hundred rejected connections from the same IP in a few minutes. I think this might waste resources for exim to respond to those connections, but I don't know whether it's a good idea to reject those IP addresses at the firewall level instead of using the exim ACL.

Will this concept save CPU?

Kiat.

ramprage

Well-Known Member
Jul 21, 2002
Canada
I agree firewalling the offenders would be a benefit to the system's performance if IP X keeps hitting the server Y times.

The problem is that you'd have to flush the firewall rules every 24 hours to avoid blocking legitimate users.

I mean it could be done but it could be dropping a lot of your users if not done carefully.

EG: You could parse /etc/exim_deny and add the IPs to a firewall if you really wanted...
As for counting the IP hits from RBLs, I'm not sure how that would be done.

RickG

Well-Known Member
Feb 28, 2005
North Carolina
I've run into a similar issue. In exim_mainlog, I will see hundreds of entries from the same IP in a row where the "from" changes every 2 records -- as if they have figured out they will get blocked as a dictionary attack if they attempt more than 3 or 4 at a time.

Yes ... they will eventually stop on their own after all the rejects ... but when they've outsmarted the Dictionary Attack script, the only workaround I've found is to use BFD. I would rather write the IP to Chirpy's exim_deny file (and not to iptables) which gets purged hourly, but there does not seem to be any way to cut them off except via BFD and the exim rule file.

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
I've posted a script somewhere on the forums in the past that takes the IPs in /etc/exim_deny and blocks them in APF, if that's what you want to do. I would only recommend doing this if you know it's causing a performance hit without it, as having lots of IP addresses automatically going into iptables is sure to make your server sluggish and ultimately unbootable. I would never recommend the BFD solution, as I've seen this break servers within a few hours on servers that suffer badly from dictionary attacks.
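To illustrate the approach discussed in this thread (counting repeat rejects per IP, then blocking at the firewall with an expiry so rules do not pile up or need a daily flush), here is an added example that is not chirpy's script or any cPanel code. It assumes exim_mainlog lines carry the client address in square brackets and the word "rejected", uses an ipset with a timeout rather than one iptables rule per IP (the hash lookup stays cheap no matter how many addresses are in it), and only prints the commands so they can be reviewed before running; the log lines below are constructed.

```shell
#!/bin/sh
# Added example: find IPs with repeated rejects in exim_mainlog and emit
# expiring firewall entries. Commands are printed, not executed.

# Constructed sample standing in for /var/log/exim_mainlog (not real traffic).
SAMPLE_LOG='2005-08-01 10:00:01 H=(mx.example) [192.0.2.10] F=<a@example.net> rejected RCPT <u1@example.com>: dictionary attack
2005-08-01 10:00:02 H=(mx.example) [192.0.2.10] F=<b@example.net> rejected RCPT <u2@example.com>: dictionary attack
2005-08-01 10:00:03 H=(mx.example) [192.0.2.10] F=<c@example.net> rejected RCPT <u3@example.com>: dictionary attack
2005-08-01 10:00:04 H=(mx.example) [192.0.2.10] F=<d@example.net> rejected RCPT <u4@example.com>: dictionary attack
2005-08-01 10:00:05 H=(mx.example) [192.0.2.10] F=<e@example.net> rejected RCPT <u5@example.com>: dictionary attack
2005-08-01 10:00:06 <= ok@example.org H=(ok.example) [203.0.113.5] P=esmtp S=1024
2005-08-01 10:00:07 H=(mx2.example) [198.51.100.7] rejected connection in "connect" ACL: listed in RBL'

# count_rejects MIN : reads log lines on stdin, prints "IP count" for every
# IP with at least MIN rejected lines. Assumes "[a.b.c.d]" and "rejected".
count_rejects() {
  awk -v min="$1" '
    /rejected/ && match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
      ip = substr($0, RSTART + 1, RLENGTH - 2)   # strip the brackets
      n[ip]++
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
  ' | sort
}

# block_commands MIN TIMEOUT : emits the ipset/iptables commands. Entries
# expire after TIMEOUT seconds, so no separate daily flush is needed, and
# the single iptables rule is only inserted if it is not already present.
block_commands() {
  echo "ipset -exist create exim_repeat hash:ip timeout $2"
  echo "iptables -C INPUT -p tcp --dport 25 -m set --match-set exim_repeat src -j DROP 2>/dev/null ||" \
       "iptables -I INPUT -p tcp --dport 25 -m set --match-set exim_repeat src -j DROP"
  count_rejects "$1" | while read -r ip count; do
    echo "ipset -exist add exim_repeat $ip timeout $2   # $count rejects"
  done
}

# Threshold of 4 rejects, block for 24 hours; only 192.0.2.10 qualifies here.
printf '%s\n' "$SAMPLE_LOG" | block_commands 4 86400
```

On a live box you would feed it `tail -n 5000 /var/log/exim_mainlog` instead of the sample and pipe the reviewed output to sh from cron.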

kiat

Active Member
Oct 11, 2001
After testing with my own script, modified from the dictionary attack script, I can have hundreds of lines in iptables in a few hours. However, the script I have is not good enough to deal with adding/removing IPs in iptables. I think it might be better to modify your dictionary attack script to screen out IPs if they get more than 4 errors, together with the dictionary attack rule. It is just an idea, because it needs a modification to the exim rule that I don't know how to make work.

Kiat.

jackie46

BANNED
Jul 25, 2005
Yes, this is happening here too. They don't care if they get a connection denied after they get blocked. They just keep bombarding the box until they run out of fake froms. My suspicion is that they never see the blocks in the first place. I had one spammer doing this for about 2 hrs last night until I finally blocked them manually; otherwise they would still be doing it after 2 hrs.

Where did you say that script was?