Hi,

On 22/6/19 6:24 pm, john doe wrote:
>> I've blacklisted quite a number of IP addresses and CIDR blocks
>> from delivering email to my server with entries in the
>> /etc/exim4/local_host_blacklist file.
>>
>> Is there any config file that I can easily use to block 465
>> login attempts from bad IP addresses and CIDR blocks?
>>
>> If there is no simple config file, what can I do without
>> resorting to use of fail2ban so that I can use a curated list of
>> blocked IP addresses? I'm not sure I want to use iptables for
>> this either.
>>
>> I /may/ end up blocking the IPs at the firewall (OPN Sense) level
>> yet.
>
> Instead of files, I probably would use 'ipset'; that way, you can
> use the ipset in exim iptables ...

Thanks!

Okay, this might help someone else. Here are the details of my solution; it requires the iprange package and a logwatch email to do the job.

Cheers
A.

References:
http://ipset.netfilter.org/
https://wiki.archlinux.org/index.php/Ipset
https://unix.stackexchange.com/questions/67738/ip-set-to-block-access-to-exim-and-dovecot

Other possible useful references:
https://firewalld.org/documentation/

#!/bin/bash

declare -a tcp25_set tcp465_set
banned_ports_list=25,465,993,995
logwatch_file=/var/log/exim4/logwatch-email-20190622a.eml

# NB iprange will cleanup and uniquely sort the ip addresses list
# - this /may/ also conflate plain ip entries to CIDR entries
# Each pipeline strips everything up to and including the "(ehlo-name) "
# that exim logs, keeps the "[ip]" token, drops the brackets and hands the
# list to iprange.
tcp25_set=( $( grep 'login_saslauthd authenticator failed for.*:25:' \
  "${logwatch_file}" | sed \
  -e 's/^.*login_saslauthd authenticator failed for //' \
  -e 's/^(.*) //' -e 's/:.*$//' | tr -d '\[\]' | iprange ) )
tcp465_set=( $( grep 'login_saslauthd authenticator failed for.*:465:' \
  "${logwatch_file}" | sed \
  -e 's/^.*login_saslauthd authenticator failed for //' \
  -e 's/^(.*) //' -e 's/:.*$//' | tr -d '\[\]' | iprange ) )

# delete iptables rules if they exist (an error for an absent rule is expected
# on the first run and is silenced)
iptables -D INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
  -m set --match-set bad-exim4-exploiters-net src -j DROP 2>/dev/null
iptables -D INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
  -m set --match-set bad-exim4-exploiters-ip src -j DROP 2>/dev/null

# destroy ipset bad-exim4-exploiters lists (if they exist); a set can only be
# destroyed once no iptables rule references it, hence the deletes above
ipset destroy bad-exim4-exploiters-net 2>/dev/null
ipset destroy bad-exim4-exploiters-ip 2>/dev/null

# create new ipset lists
ipset create bad-exim4-exploiters-net hash:net
ipset create bad-exim4-exploiters-ip hash:ip

# add entries for ipset bad-exim4-exploiters lists
for badip in "${tcp25_set[@]}" "${tcp465_set[@]}"
do
  # CIDR entries (containing a "/") go into the hash:net set, plain
  # addresses into the hash:ip set; -exist suppresses errors on duplicates
  if [[ -z "${badip##*\/*}" ]]
  then
    ipset add bad-exim4-exploiters-net "${badip}" -exist
  else
    ipset add bad-exim4-exploiters-ip "${badip}" -exist
  fi
done

# add iptables rules to use ipsets
iptables -I INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
  -m set --match-set bad-exim4-exploiters-net src -j DROP
iptables -I INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
  -m set --match-set bad-exim4-exploiters-ip src -j DROP
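A complementary way to build the same kind of ipset, added here as an example and not part of A.'s script or of the exim4/ipset projects: it parses the exim4 mainlog lines directly instead of a logwatch e-mail, bans an address only after a configurable number of failed logins, and refreshes the set with `ipset swap` on a temporary set, so the iptables rule that references the live set never has to be deleted and re-inserted (the window in which the rule is absent in the script above goes away). The set name, the threshold and the sample log lines are constructed assumptions; the script only prints the ipset commands so they can be reviewed before being piped into sh as root. It is IPv4-only; IPv6 sources would need a separate `family inet6` set and ip6tables rule.

```shell
#!/bin/bash
# Added example (not the list poster's script). Reads exim4 mainlog lines
# on stdin, counts "login_saslauthd authenticator failed" events per source
# address and prints the ipset commands that refresh a hash:ip set
# atomically: fill a temporary set, `ipset swap` it into place, destroy the
# old contents. The iptables rule referencing the live set stays in place
# throughout. Set name, threshold and the sample log are all assumptions.
# IPv4 only; IPv6 sources would need a separate "family inet6" set.

set -u

SET_NAME=${SET_NAME:-bad-exim4-exploiters-ip}
MIN_FAILURES=${MIN_FAILURES:-3}   # ban only after this many failed logins

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG='2019-06-22 10:01:02 login_saslauthd authenticator failed for (User) [192.0.2.10]:25: 535 Incorrect authentication data (set_id=admin)
2019-06-22 10:01:05 login_saslauthd authenticator failed for (ylmf-pc) [198.51.100.7]:465: 535 Incorrect authentication data (set_id=test)
2019-06-22 10:01:09 login_saslauthd authenticator failed for (User) [192.0.2.10]:25: 535 Incorrect authentication data (set_id=admin)
2019-06-22 10:02:00 1hePxL-0001Ab-2k <= sender@example.org H=mail.example.org [203.0.113.5] P=esmtps S=1234
2019-06-22 10:03:11 login_saslauthd authenticator failed for (User) [192.0.2.10]:465: 535 Incorrect authentication data (set_id=root)
2019-06-22 10:03:40 login_saslauthd authenticator failed for (ylmf-pc) [198.51.100.7]:465: 535 Incorrect authentication data (set_id=test)
2019-06-22 10:04:02 login_saslauthd authenticator failed for (laptop) [203.0.113.9]:587: 535 Incorrect authentication data (set_id=alice)'

# Print "ip port" for each failed-authentication line. The address is the
# bracketed token that follows exim's "(ehlo-name)"; the EHLO name is
# client-controlled, so it is skipped rather than parsed.
failed_auth_events() {
    sed -n 's/.*login_saslauthd authenticator failed for ([^)]*) \[\([0-9.]*\)\]:\([0-9]*\):.*/\1 \2/p'
}

# Print "count ip" for addresses with at least $1 (default MIN_FAILURES)
# failures, most frequent first. A single typo by a legitimate user does
# not get their address banned.
offenders() {
    local min="${1:-$MIN_FAILURES}"
    failed_auth_events | awk -v min="$min" '
        { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Emit the ipset commands; nothing is executed here. Review the output,
# then pipe it into sh as root.
ipset_refresh_commands() {
    local tmp="${SET_NAME}-tmp"
    echo "ipset -exist create ${SET_NAME} hash:ip family inet"
    echo "ipset -exist create ${tmp} hash:ip family inet"
    echo "ipset flush ${tmp}"
    offenders | while read -r count ip; do
        echo "ipset -exist add ${tmp} ${ip}   # ${count} failures"
    done
    echo "ipset swap ${tmp} ${SET_NAME}"
    echo "ipset destroy ${tmp}"
}

# Demo on the constructed sample. For real data:
#   ipset_refresh_commands < /var/log/exim4/mainlog | sh
printf '%s\n' "$SAMPLE_LOG" | ipset_refresh_commands
```

With the sample input and the default threshold of 3, only 192.0.2.10 ends up in the set; 198.51.100.7 (two failures) and 203.0.113.9 (one) do not. The matching iptables rule is created once and left alone, for example `iptables -I INPUT -p tcp -m multiport --dports 25,465,587,993,995 -m set --match-set bad-exim4-exploiters-ip src -j DROP`. If bans should expire on their own, ipset's `timeout` option on the hash:ip set (set at create time, or per entry on add) does that without any extra bookkeeping.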