Re: blocking 465 connections to mail server for specific IP address without using fail2ban

2019-06-22 Thread Andrew McGlashan

The script needs more work; it is not "exim4-exploiters", it is for
repeated failed logins.

As it is now, it will treat any single failure as one to ban, and that
is only going to cause trouble.  Although users should be logged in
normally and will likely have passwords saved in their clients, so when
they try to send emails they can only do so as authenticated, and they
will be properly authenticated every time unless they are manually
logging in to simply do an SMTP AUTH send.  So it might not be so
bad; I may just need to rename the ipsets, but I'll think about it
some more.

Anyway, it's a good start.

Cheers
A.

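A counted version of the same idea, as an added example and not Andrew's script: it bans only addresses with at least N failed logins (the threshold he says is still missing), merges a curated list of IPs and CIDR blocks like the one asked about in the original question, and prints an ipset restore stream that fills fresh sets and swaps them in, so the live sets are never empty mid-update. The log lines, the curated list and the set prefix bad-exim4-auth are constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the thread: ban repeat offenders only, merge a
# curated list, and emit "ipset restore" input that swaps fresh sets in.

# Constructed sample lines, shaped like what the posted script parses
# ("failed for (helo) [ip]:port: ..."); they are not real exim4 output.
SAMPLE_LOG='2019-06-22 10:01:02 login_saslauthd authenticator failed for (ylmf-pc) [192.0.2.10]:465: 535 Incorrect authentication data
2019-06-22 10:01:09 login_saslauthd authenticator failed for (ylmf-pc) [192.0.2.10]:465: 535 Incorrect authentication data
2019-06-22 10:02:15 login_saslauthd authenticator failed for (ylmf-pc) [192.0.2.10]:25: 535 Incorrect authentication data
2019-06-22 10:03:40 login_saslauthd authenticator failed for (User) [198.51.100.7]:465: 535 Incorrect authentication data'

# Constructed curated list: plain IPs and CIDR blocks, one per line.
CURATED='203.0.113.0/24
198.51.100.7'

# repeat_offenders THRESHOLD: read log lines on stdin and print each source
# address that failed SMTP AUTH on port 25 or 465 at least THRESHOLD times.
repeat_offenders() {
  awk -v min="$1" '
    /login_saslauthd authenticator failed for / {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^\[[0-9.]+\]:(25|465):$/) {
          ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip); n[ip]++
        }
    }
    END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

# ipset_restore_input PREFIX: read entries on stdin (IPs and CIDRs mixed) and
# print commands for "ipset -exist restore": CIDRs go to a hash:net set,
# single addresses to a hash:ip set; new sets are filled, then swapped live.
ipset_restore_input() {
  local p="$1" e
  printf 'create %s-net hash:net\ncreate %s-ip hash:ip\n' "$p" "$p"
  printf 'create %s-net-new hash:net\ncreate %s-ip-new hash:ip\n' "$p" "$p"
  sort -u | while read -r e; do
    case "$e" in
      '')  ;;                                             # skip blank lines
      */*) printf 'add %s-net-new %s\n' "$p" "$e" ;;      # CIDR block
      *)   printf 'add %s-ip-new %s\n' "$p" "$e" ;;       # single address
    esac
  done
  printf 'swap %s-net-new %s-net\nswap %s-ip-new %s-ip\n' "$p" "$p" "$p" "$p"
  printf 'destroy %s-net-new\ndestroy %s-ip-new\n' "$p" "$p"
}

# Offenders with >= 2 failures plus the curated list; pipe this script's
# output into "ipset -exist restore" and keep the iptables --match-set rules.
{ printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2; printf '%s\n' "$CURATED"; } |
  ipset_restore_input bad-exim4-auth
```

The iptables rules from the thread keep matching the live bad-exim4-auth-net and bad-exim4-auth-ip sets across runs, since only the set contents are swapped, never the rules.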


Re: blocking 465 connections to mail server for specific IP address without using fail2ban

2019-06-22 Thread Andrew McGlashan

Slightly improved shell script, uses iprange once and conflates both
lists together.


#!/bin/bash
# Run as root: iptables and ipset need CAP_NET_ADMIN.

declare -a tcp25_set tcp465_set tcp_25_465_set

banned_ports_list=25,465,993,995

logwatch_file=/var/log/exim4/logwatch-email-20190622a.eml


# NB iprange will cleanup and uniquely sort the ip addresses list
#  - this /may/ also conflate plain ip entries to CIDR entries

# extract the source address from each failed SMTP AUTH line on port 25:
# strip everything up to "failed for ", then the "(helo) " token, then
# everything from the first ':' on, and finally the surrounding brackets
tcp25_set=(
    $(
        grep 'login_saslauthd authenticator failed for.*:25:' \
            "${logwatch_file}" | sed \
            -e 's/^.*login_saslauthd authenticator failed for //' \
            -e 's/^([^)]*) //' -e 's/:.*$//' | tr -d '[]' | sort -u
    )
)

# same again for port 465
tcp465_set=(
    $(
        grep 'login_saslauthd authenticator failed for.*:465:' \
            "${logwatch_file}" | sed \
            -e 's/^.*login_saslauthd authenticator failed for //' \
            -e 's/^([^)]*) //' -e 's/:.*$//' | tr -d '[]' | sort -u
    )
)

# create sorted & unique ip set tcp_25_465_set
tcp_25_465_set=(
    $(
        (
            printf "%s\n" "${tcp25_set[@]}"
            printf "%s\n" "${tcp465_set[@]}"
        ) | iprange
    )
)

# delete iptables rules if they exist (an error here is normal on the
# first run, so it is silenced)
iptables -D INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
    -m set --match-set bad-exim4-exploiters-net src -j DROP 2>/dev/null

iptables -D INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
    -m set --match-set bad-exim4-exploiters-ip  src -j DROP 2>/dev/null

# destroy ipset bad-exim4-exploiters lists (if they exist); the rules
# referencing them must be gone first or destroy fails
ipset destroy bad-exim4-exploiters-net 2>/dev/null
ipset destroy bad-exim4-exploiters-ip  2>/dev/null

# create new ipset lists
ipset create  bad-exim4-exploiters-net  hash:net
ipset create  bad-exim4-exploiters-ip   hash:ip

# add entries for ipset bad-exim4-exploiters lists: CIDR blocks (anything
# containing a '/') go to the hash:net set, single addresses to the
# hash:ip set; -exist ignores entries that are already present
for badip in "${tcp_25_465_set[@]}"
do
    if [[ "${badip}" == */* ]]
    then
        ipset add bad-exim4-exploiters-net "${badip}" -exist
    else
        ipset add bad-exim4-exploiters-ip  "${badip}" -exist
    fi
done

# add iptables rules to use ipsets
iptables -I INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
    -m set --match-set bad-exim4-exploiters-net src -j DROP

iptables -I INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
    -m set --match-set bad-exim4-exploiters-ip  src -j DROP





Re: blocking 465 connections to mail server for specific IP address without using fail2ban

2019-06-22 Thread Andrew McGlashan

Hi,

On 22/6/19 6:24 pm, john doe wrote:
>> I've blacklisted quite a number of IP addresses and CIDR blocks
>> from delivering email to my server with entries in the 
>> /etc/exim4/local_host_blacklist file.
>> 
>> Is there any config file that I can easily use to block 465
>> login attempts from bad IP addresses and CIDR blocks?
>> 
>> If there is no simple config file, what can I do without
>> resorting to use of fail2ban so that I can use a curated list of
>> blocked IP addresses.  I'm not sure I want to use iptables for
>> this either.
>> 
>> I /may/ end up blocking the IPs at the firewall (OPN Sense) level
>> yet.
> 
> Instead of files, I probably would use 'ipset', that way, you can
> use the ipset in exim iptables ...


Thanks!

Okay, this might help someone else; here are the details of my
solution.  It requires the iprange package and a logwatch email to do
the job.

Cheers
A.


References:

http://ipset.netfilter.org/
https://wiki.archlinux.org/index.php/Ipset

https://unix.stackexchange.com/questions/67738/ip-set-to-block-access-to-exim-and-dovecot



Other possibly useful references:
https://firewalld.org/documentation/



#!/bin/bash
# Run as root: iptables and ipset need CAP_NET_ADMIN.

declare -a tcp25_set tcp465_set

banned_ports_list=25,465,993,995

logwatch_file=/var/log/exim4/logwatch-email-20190622a.eml


# NB iprange will cleanup and uniquely sort the ip addresses list
#  - this /may/ also conflate plain ip entries to CIDR entries

# extract the source address from each failed SMTP AUTH line on port 25:
# strip everything up to "failed for ", then the "(helo) " token, then
# everything from the first ':' on, and finally the surrounding brackets
tcp25_set=(
    $(
        grep 'login_saslauthd authenticator failed for.*:25:' \
            "${logwatch_file}" | sed \
            -e 's/^.*login_saslauthd authenticator failed for //' \
            -e 's/^([^)]*) //' -e 's/:.*$//' | tr -d '[]' | iprange
    )
)

# same again for port 465
tcp465_set=(
    $(
        grep 'login_saslauthd authenticator failed for.*:465:' \
            "${logwatch_file}" | sed \
            -e 's/^.*login_saslauthd authenticator failed for //' \
            -e 's/^([^)]*) //' -e 's/:.*$//' | tr -d '[]' | iprange
    )
)

# delete iptables rules if they exist (an error here is normal on the
# first run, so it is silenced)
iptables -D INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
    -m set --match-set bad-exim4-exploiters-net src -j DROP 2>/dev/null

iptables -D INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
    -m set --match-set bad-exim4-exploiters-ip  src -j DROP 2>/dev/null

# destroy ipset bad-exim4-exploiters lists (if they exist); the rules
# referencing them must be gone first or destroy fails
ipset destroy bad-exim4-exploiters-net 2>/dev/null
ipset destroy bad-exim4-exploiters-ip  2>/dev/null

# create new ipset lists
ipset create  bad-exim4-exploiters-net  hash:net
ipset create  bad-exim4-exploiters-ip   hash:ip

# add entries for ipset bad-exim4-exploiters lists: CIDR blocks (anything
# containing a '/') go to the hash:net set, single addresses to the
# hash:ip set; -exist ignores entries that are already present
for badip in "${tcp25_set[@]}" "${tcp465_set[@]}"
do
    if [[ "${badip}" == */* ]]
    then
        ipset add bad-exim4-exploiters-net "${badip}" -exist
    else
        ipset add bad-exim4-exploiters-ip  "${badip}" -exist
    fi
done

# add iptables rules to use ipsets
iptables -I INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
    -m set --match-set bad-exim4-exploiters-net src -j DROP

iptables -I INPUT -p tcp -m multiport --dports "${banned_ports_list}" \
    -m set --match-set bad-exim4-exploiters-ip  src -j DROP




Re: blocking 465 connections to mail server for specific IP address without using fail2ban

2019-06-22 Thread john doe
> Hi,
>
> I've blacklisted quite a number of IP addresses and CIDR blocks from
> delivering email to my server with entries in the
> /etc/exim4/local_host_blacklist file.
>
> Is there any config file that I can easily use to block 465 login
> attempts from bad IP addresses and CIDR blocks?
>
> If there is no simple config file, what can I do without resorting to
> use of fail2ban so that I can use a curated list of blocked IP
> addresses.  I'm not sure I want to use iptables for this either.
>
> I /may/ end up blocking the IPs at the firewall (OPN Sense) level yet.
>
>

Instead of files, I probably would use 'ipset', that way, you can use
the ipset in exim iptables ...

--
John Doe



blocking 465 connections to mail server for specific IP address without using fail2ban

2019-06-22 Thread Andrew McGlashan

Hi,

I've blacklisted quite a number of IP addresses and CIDR blocks from
delivering email to my server with entries in the
/etc/exim4/local_host_blacklist file.

Is there any config file that I can easily use to block 465 login
attempts from bad IP addresses and CIDR blocks?

If there is no simple config file, what can I do without resorting to
use of fail2ban so that I can use a curated list of blocked IP
addresses.  I'm not sure I want to use iptables for this either.

I /may/ end up blocking the IPs at the firewall (OPN Sense) level yet.

-- 
Kind Regards
AndrewM

Andrew McGlashan