On 22.06.2014 20:48, Always Learning wrote:
On Sun, 2014-06-22 at 18:41 -0700, Kaz Kylheku wrote:

I'm scanning the textual logs themselves in real-time to additionally
ban IP addresses from connecting.

I banned Apache IP connections in real time, using a PHP routine in
Apache, and invoking sudo and iptables.

I'm sure using sudo and an IPtables command you can do the same from
inside Exim using something like .....

warn    message       = ${run{SHELL -c " .......... \
                          $sender_host_address ?"}}

I have a set up which has certain features, which would
require the above command to be more than some call to
iptables.

* It shares common code among processing
  of intruder reports from multiple services, such as
  Apache, Exim and SSH.
* It can clear the bans and "re-play" an entire log
  to re-create them. So for instance on reboot, the bans
  which had been in effect prior to the reboot are
  correctly re-instated, including the correct times
  when bans should be lifted.  So the log monitoring
  processes do not have to persist any additional state
  in the filesystem; the logs are enough.
* It has soft rules which only ban an IP address after multiple
  infractions within a period of time or according to
  arbitrary scoring rules, and bans IP addresses only for
  certain periods of time rather than permanently.

The second feature requires the processing of logs.
Intruder alerts dispatched directly from the application's
processing hooks cannot be replayed, so the log
monitor has to persist info about bans.

Another thing is that Exim can reject a message in
numerous configuration places for numerous reasons.
It's not desirable to add a hook in every deny block.

I tried fail2ban, by the way, but it was too
complicated to set up and administer, and more so
to customize. I rolled together a
custom solution that works better for me.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
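The replay design described in the message above (bans derived purely from the log, lifted after a fixed period, and only triggered by a soft rule of several rejects within a window) as an added Python sketch; this is not code from the original post or from Exim. The log lines, the regex, the threshold, window and ban duration, and the function names are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, loosely in Exim main-log style (not real traffic).
SAMPLE_LOG = """\
2014-06-22 18:01:10 H=(x) [203.0.113.7] rejected RCPT <a@example.org>: relay not permitted
2014-06-22 18:02:30 H=(x) [203.0.113.7] rejected RCPT <b@example.org>: relay not permitted
2014-06-22 18:03:05 H=(x) [203.0.113.7] rejected RCPT <c@example.org>: relay not permitted
2014-06-22 18:10:00 H=(y) [198.51.100.9] rejected RCPT <d@example.org>: relay not permitted
2014-06-22 19:30:00 H=(y) [198.51.100.9] rejected RCPT <e@example.org>: relay not permitted
"""

# Timestamp, then the bracketed sender address, then the word "rejected".
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[(\d+\.\d+\.\d+\.\d+)\] rejected ")


def replay(log_text, threshold=3, window=timedelta(minutes=10), ban_for=timedelta(hours=1)):
    """Walk the log in order and return {ip: ban_expiry} for every ban it implies.

    Soft rule: an IP is banned only once it has `threshold` rejects inside `window`.
    Because the result is a pure function of the log, running this again after a
    reboot re-creates the same bans with the same expiry times; nothing else is stored.
    """
    hits = {}  # ip -> reject timestamps still inside the current window
    bans = {}  # ip -> datetime at which the ban should be lifted
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a reject line; ignore
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        recent = [t for t in hits.get(ip, []) if ts - t <= window]  # drop stale hits
        recent.append(ts)
        hits[ip] = recent
        if len(recent) >= threshold:
            bans[ip] = ts + ban_for  # later bans for the same IP simply overwrite the expiry
            hits[ip] = []            # start scoring afresh after a ban is issued
    return bans


def active_bans(bans, now):
    """Filter replayed bans down to those still in force at `now` (datetime or 'YYYY-MM-DD HH:MM:SS')."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    return {ip: expiry for ip, expiry in bans.items() if expiry > now}


if __name__ == "__main__":
    all_bans = replay(SAMPLE_LOG)
    print("bans implied by log:", all_bans)
    print("still active at 18:30:", active_bans(all_bans, "2014-06-22 18:30:00"))
```

The set returned by `active_bans` is what a startup script would feed to the firewall, and the entries that have already expired are simply never re-added.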