Luca Bertoncello wrote:
> Hi, list!
> 
> I'm trying to write an automatic procedure to add an IP to a blacklist if
> it tries to authenticate itself (failing!) too much.
> 
> Unfortunately, I can't do it from Exim, because there is no ACL called after an
> authentication failure.
> 
> Now I had the idea to log the authentication failures to SysLog and then to
> bind a program on the SysLog to manage these entries.
> 
> Is it possible to log JUST the authentication failures to the SysLog (too!) and
> not the other entries?
> How?
> 
> P.S.: of course, if you have a better idea to solve my problem, please tell me!
> :)

Here's something I'm throwing into my config that uses my "used to be 
just greylisting but now it does all sorts of stuff" daemon. It's just a 
.... *shakes head in shame* PHP daemon that listens on a UNIX socket and 
does stuff for me.

This only works if they attempt to authenticate more than 3 times though 
.. and I haven't tested to see what happens when they authenticate 
correctly on the 3rd attempt ;)  It's not really aimed at actually 
annoying real users, but more for the bots that sit there and try to 
authenticate 300 times in a minute then are never seen again.

###########################
# ** AUTH ACL

acl_check_auth:
   # Keep track of the number of times this has been attempted and firewall them out for 10 min
   # if they are a repeat offender
   drop    message       = Too many AUTH attempts
           condition     = ${if >{$acl_c_authcount}{2}}
           continue      = ${readsocket{GLSOCK}{multi-auth-fail $sender_host_address}{20s}{ }{SOCKERR}}

   accept  set acl_c_authcount   = ${eval:$acl_c_authcount + 1}


So far as I can tell, the creation and tear down of the socket plus all 
the work my daemon does, is fast enough not to cause any issues but it 
hasn't been taxed very much. Running a program with ${run to do almost 
the same thing was causing multiple "process was killed with signal 9" crap.

Of course, this depends on something listening on a socket and doing the 
work, but sounds like you are going to write something anyway

-- 
The Exim Manual
http://www.exim.org/docs.html
http://docs.exim.org/current/

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
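
A minimal sketch of the listening side that the reply above relies on, added here as an example; it is not the poster's PHP daemon. The class and function names, the reply strings, the in-memory table standing in for the firewall action, and the loopback exemption are all assumptions.

```python
import ipaddress
import socketserver
import time

BLOCK_SECONDS = 600          # "firewall them out for 10 min" in the ACL comment
COMMAND = "multi-auth-fail"  # keyword sent by the ${readsocket} request


class AuthFailBlocklist:
    """Temporary blocks keyed by client address (hypothetical helper)."""

    def __init__(self, block_seconds=BLOCK_SECONDS, clock=time.monotonic):
        self.block_seconds = block_seconds
        self.clock = clock
        self.blocked = {}  # normalized address -> expiry time

    def handle_request(self, line):
        """Handle one request from Exim; the reply strings are constructed."""
        parts = line.strip().split()
        if len(parts) != 2 or parts[0] != COMMAND:
            return "ERR bad request"
        try:
            # Validate before the value gets anywhere near a firewall command.
            addr = ipaddress.ip_address(parts[1])
        except ValueError:
            return "ERR bad address"
        if addr.is_loopback:  # assumption: never lock out local submission
            return "SKIP local"
        # A real daemon would add its firewall rule here; this sketch only
        # records the expiry in memory.
        self.blocked[str(addr)] = self.clock() + self.block_seconds
        return "BLOCKED " + str(addr)

    def is_blocked(self, address):
        """True while an unexpired block exists; expired entries are dropped."""
        expiry = self.blocked.get(address)
        if expiry is not None and self.clock() >= expiry:
            del self.blocked[address]
            expiry = None
        return expiry is not None


def make_server(path, blocklist):
    """UNIX-socket server answering one short request per connection."""
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            data = self.request.recv(256).decode("ascii", "replace")
            reply = blocklist.handle_request(data)
            self.request.sendall(reply.encode("ascii") + b"\n")
    return socketserver.UnixStreamServer(path, Handler)
```

Calling `serve_forever()` on the object returned by `make_server` runs it; the socket path has to be the one the GLSOCK macro expands to, which the post does not show.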
