On Sun, Feb 13, 2011 at 11:03:51PM +0100, Moritz Wilhelmy wrote:
> Hi,

Hi,

> On Mon, Feb 14, 2011 at 10:49:49AM +1300, Jim Cheetham wrote:
> > On 14/02/11 06:59, Moritz Wilhelmy wrote:
> > > Just a stupid idea, but you could make exim append tcp_wrappers rules to
> > > /etc/hosts.deny or wherever it's located after a failed relay attempt? (in
> > > case you use tcp_wrappers, that is)
> >
> > Not a good idea to change Exim like that.
> Actually, I believe it doesn't require to "change" the exim code for that. You
> just need to append to a file, which I believe, exim already supports. Exim
> already knows where the relay attempt came from, and tcp_wrappers support
> include-directives (according to hosts_access(5), it can include files), so
> including a /var/run/exim/hosts.deny from within the global config would be
> possible as well, if you don't want to give exim write permissions on the
> global tcp_wrapper configuration file(s).
>
> Any objections?

I think this should be done at iptables level.

> > There are plenty of third-party apps like Fail2Ban and Denyhosts that
> > can be configured to read through your logfiles looking for attackers,
> > and then do any tcpwrappers/firewall configuration that you like.
> Denyhosts only supports failed SSH logins, I think.
> Can't tell anything about fail2ban, but why run another daemon if exim is
> sufficient? Especially denyhosts (which I run) is very resource hungry in my
> experience.

Since libnetfilter_xtables and nftables are still in development, it would be
hard to interface directly to iptables (libiptc seems to be abandoned), so I
think you could use ipset for simple IP-based blocking. At least this is what
I'm going to try.

> Best regards,
>
> Moritz

Regards,
Matthias-Christian

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
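The two approaches discussed in the thread (Moritz's tcp_wrappers include file and Matthias-Christian's ipset idea) both start from the same raw material: the "relay not permitted" rejections that Exim writes to its mainlog. The script below is an added example, not code from the thread, from Exim or from any of the posters. It extracts the offending client addresses, applies a hit threshold so a single mistyped address is not blocked, and emits either tcp_wrappers lines or ipset commands for review rather than running them. Assumptions: the log lines follow Exim's default mainlog format for a rejected RCPT (the sample lines are constructed); the ipset names `exim_relay_block_inet` and `exim_relay_block_inet6` are hypothetical and must have been created beforehand; and "exim" is assumed to be the daemon name Exim presents to tcp_wrappers (its `tcp_wrappers_daemon_name` default).

```shell
#!/bin/sh
# Added example: turn Exim "relay not permitted" rejections into
# block-list entries. Nothing here is executed against the system;
# the functions only print what an operator would then apply.

# Constructed sample mainlog lines (not real traffic). Three relay attempts
# from 192.0.2.10, one each from 198.51.100.7 and 2001:db8::1, plus an
# unrelated accepted message that must be ignored.
SAMPLE_LOG='2011-02-13 23:01:02 H=(mail.example.net) [192.0.2.10] F=<spam@example.org> rejected RCPT <victim@example.com>: relay not permitted
2011-02-13 23:01:05 H=(mail.example.net) [192.0.2.10] F=<spam@example.org> rejected RCPT <victim2@example.com>: relay not permitted
2011-02-13 23:01:09 H=(mail.example.net) [192.0.2.10] F=<spam@example.org> rejected RCPT <victim3@example.com>: relay not permitted
2011-02-13 23:02:00 H=(smtp.example.org) [198.51.100.7] F=<a@example.org> rejected RCPT <b@example.com>: relay not permitted
2011-02-13 23:03:11 1PoXyz-0001Ab-Cd <= sender@example.com H=localhost [127.0.0.1] P=esmtp S=1234
2011-02-13 23:04:00 H=(evil) [2001:db8::1] F=<x@example.org> rejected RCPT <y@example.com>: relay not permitted'

# relay_offenders THRESHOLD: read mainlog lines on stdin and print
# "COUNT IP" for every client address rejected by the relay check at
# least THRESHOLD times. The client address is the first bracketed
# token after the H= field; other log lines are ignored.
relay_offenders() {
    threshold=${1:-3}
    awk -v min="$threshold" '
        /rejected RCPT .*: relay not permitted$/ {
            if (match($0, /\[[0-9a-fA-F.:]+\]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                hits[ip]++
            }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    printf "%d %s\n", hits[ip], ip
        }' | LC_ALL=C sort -k2
}

# hosts_deny_lines THRESHOLD: the tcp_wrappers variant. Output is meant
# for a file such as /var/run/exim/hosts.deny that the global hosts.deny
# references as a client-list file name (hosts_access(5) treats a pattern
# starting with "/" as a file of patterns). IPv6 literals are bracketed.
hosts_deny_lines() {
    relay_offenders "${1:-3}" | while read -r count ip; do
        case "$ip" in
            *:*) printf 'exim: [%s]\n' "$ip" ;;
            *)   printf 'exim: %s\n' "$ip" ;;
        esac
    done
}

# ipset_block_cmds SETNAME THRESHOLD: the netfilter variant. Emits one
# "ipset add" per offender into a family-specific hash:ip set. "-exist"
# keeps repeated runs idempotent and "timeout" lets the block expire, so
# a shared NAT address is not punished forever.
ipset_block_cmds() {
    setname=${1:-exim_relay_block}
    relay_offenders "${2:-3}" | while read -r count ip; do
        case "$ip" in
            *:*) fam=inet6 ;;
            *)   fam=inet ;;
        esac
        printf 'ipset add -exist %s_%s %s timeout 3600\n' "$setname" "$fam" "$ip"
    done
}

# Demonstration on the constructed sample with a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | hosts_deny_lines 3
printf '%s\n' "$SAMPLE_LOG" | ipset_block_cmds exim_relay_block 3
```

The sets themselves would be created once, for example `ipset create exim_relay_block_inet hash:ip family inet timeout 3600`, and matched with `iptables -I INPUT -p tcp --dport 25 -m set --match-set exim_relay_block_inet src -j DROP`; the threshold and timeout are the two knobs that keep a log-driven block list from turning a typo into a self-inflicted outage.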
