Titam said:
I installed it, and now I have something strange.

Just what did you install, Titam?

demime doesn't appear anywhere in the SpamBlocker exim.conf file.

Jeff
NoBaloney Internet Svcs - In Memoriam †

OxnardMontalvo said:
Here's a script I found on-line and implemented. It's designed to combat dictionary attacks. It does not directly modify your firewall script, but it would be easy to make it do so if you wanted to. Personally, I liked this solution better.

This looks quite good. I think you'd be better off putting it in a firewalling script (see APF/BFD for examples on how to do it) because firewall blocking is a lot more efficient than exim-based blocking. And the advantage is that you can clear the file with the same mechanism you use to clear BFD.

OxnardMontalvo said:
It's a simple perl script that builds a text file of IP addresses. I've modified the SpamBlocker exim.conf file to check that file before allowing connections. Basically, the way it works is after 3 failed email addresses in a single connection, it shuts down the connection and adds the IP address to the text file. Before accepting any emails, the IP is checked against this file and rejected if found.

I hope you don't mind me making a few comments:

OxnardMontalvo said:
1: Put dictscan.pl in your /etc dir. Make sure mail owns it and can execute it.

Any unix/linux purist will tell you to never put executable code in your /etc directory. In fact, many of us will mount /etc as its own partition, non-executable. Variable files (files that may change) should be put under /var, and local files (files which are not part of the base OS distribution) should probably be put under local, so I'd put this kind of file under /var/local.

OxnardMontalvo said:
deny hosts = /etc/exim_deny
     !hosts = +relay_hosts
     !authenticated = *
     delay = 150s
     log_message = Blocked because of dictionary scan.

This is probably more personal than anything else, but I'd like to see hosts = !+relay_hosts instead of !hosts = +relay_hosts (and similarly for the rest of the conditions) as that's the way the rest of the conditions are written.

Additionally, in my opinion the log file message and the error message should be the same, to help you find something in the log file, if the need arises, from email headers someone has sent back to you.

Jeff

jlasman said:
This looks quite good. I think you'd be better off putting it in a firewalling script (see APF/BFD for examples on how to do it) because firewall blocking is a lot more efficient than exim-based blocking. And the advantage is that you can clear the file with the same mechanism you use to clear BFD.

I thought about this and am still considering it for the same reason you pointed out. However, I want some mechanism that automatically unblocks an IP after 24 hrs. I'm thinking of modifying the script to block the IP and immediately issue an AT command to unblock it in 24 hrs. That way it's fire and forget.

jlasman said:
I hope you don't mind me making a few comments:

You are just way too freakin' polite.

jlasman said:
Any unix/linux purist will tell you to never put executable code in your /etc directory. In fact, many of us will mount /etc as its own partition, non-executable. Variable files (files that may change) should be put under /var, and local files (files which are not part of the base OS distribution) should probably be put under local, so I'd put this kind of file under /var/local.

Yep, and the guy who wrote this should be horse-whipped with me. I didn't think of /var, but you are right, that's a better place for it. I was going to move it to /etc/virtual or /etc/mail.

jlasman said:
Additionally, in my opinion the log file message and the error message should be the same, to help you find something in the log file, if the need arises, from email headers someone has sent back to you.

Yes, that needs to be cleaned up and standardized like the other block messages. I'm in the process of writing my /unblockme.php and when I finish with that my plan was to clean it up and make it look like the other blocks.

=C=

jlasman said:
This looks quite good. I think you'd be better off putting it in a firewalling script (see APF/BFD for examples on how to do it) because firewall blocking is a lot more efficient than exim-based blocking. And the advantage is that you can clear the file with the same mechanism you use to clear BFD.

hostpc.com said:
I can't even imagine the time it would take APF or KISS to parse that log every time it was updated.

jlasman said:
Exim won't perform as well as firewalling.

Firewalling might be harder to set up and manage, but it's worth it in the long run.

Jeff
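An added example, not the dictscan.pl script from this thread and not SpamBlocker or DirectAdmin code, showing the two ideas the thread discusses in one place: OxnardMontalvo's detector (count failed recipients from a sending host, list the host in a file the Exim ACL reads with hosts = /path) and the 24-hour auto-unblock he wanted, done here by recording the block time as a comment line in the list file and dropping expired entries on each run, instead of an at job. Differences from the thread's script: it reads Exim mainlog "rejected RCPT" lines after the fact rather than acting inside a single SMTP connection, so it counts per IP across the log window; the file path /var/local/exim_deny (jlasman's suggested location), the threshold and the log lines are assumptions constructed for the example. It relies on Exim ignoring lines that begin with # in a list file.

```python
"""Dictionary-scan detection over Exim mainlog lines (added example, not dictscan.pl)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                       # failed recipients from one IP before it is listed
BLOCK_FOR = timedelta(hours=24)     # the 24-hour auto-unblock discussed in the thread
DENY_FILE = "/var/local/exim_deny"  # assumed path; the thread's ACL read /etc/exim_deny

# A rejected RCPT in the Exim mainlog looks like:
#   2005-03-15 10:23:45 H=(helo) [192.0.2.10] F=<x@y> rejected RCPT <u@d>: Unknown user
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*? rejected RCPT <(?P<rcpt>[^>]*)>"
)

# Constructed sample log: documentation address ranges, not real traffic.
# 192.0.2.10 probes three unknown users; the other two hosts each fail once.
SAMPLE_LOG = """\
2005-03-15 10:23:45 H=(mx.example.com) [192.0.2.10] F=<a@b.test> rejected RCPT <aaron@example.org>: Unknown user
2005-03-15 10:23:46 H=(mx.example.com) [192.0.2.10] F=<a@b.test> rejected RCPT <abby@example.org>: Unknown user
2005-03-15 10:23:47 H=(mx.example.com) [192.0.2.10] F=<a@b.test> rejected RCPT <adam@example.org>: Unknown user
2005-03-15 10:30:00 H=(relay.example.net) [198.51.100.7] F=<c@d.test> rejected RCPT <oldstaff@example.org>: Unknown user
2005-03-15 10:31:12 1D9ABC-000123-4Z <= sender@example.net H=(relay.example.net) [198.51.100.7] P=esmtp S=1234
2005-03-15 11:00:00 H=(mx.example.com) [203.0.113.5] rejected RCPT <bob@example.org>: Unrouteable address
"""


def parse_ts(s):
    """Parse an Exim mainlog timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_rejections(log_text):
    """Yield (timestamp, ip, recipient) for every rejected RCPT line; skip everything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield parse_ts(m["ts"]), m["ip"], m["rcpt"]


def find_scanners(log_text, threshold=THRESHOLD):
    """Return {ip: time the threshold was reached} for IPs with >= threshold failed recipients."""
    failures = defaultdict(int)
    hits = {}
    for ts, ip, _rcpt in parse_rejections(log_text):
        failures[ip] += 1
        if failures[ip] == threshold:
            hits[ip] = ts
    return hits


def update_deny_list(existing, hits, now, block_for=BLOCK_FOR):
    """Merge new hits into {ip: blocked_at}, keeping the earliest block time, and expire old ones."""
    merged = dict(existing)
    for ip, ts in hits.items():
        merged.setdefault(ip, ts)
    return {ip: ts for ip, ts in merged.items() if now - ts < block_for}


def render_deny_file(deny):
    """Exim host-list file: one host per line. Lines beginning with # are ignored by Exim,
    so the block time rides along as a comment line for the next expiry pass."""
    out = []
    for ip, ts in sorted(deny.items(), key=lambda kv: (kv[1], kv[0])):
        out.append(f"# blocked {ts:%Y-%m-%d %H:%M:%S}")
        out.append(ip)
    return "".join(line + "\n" for line in out)


def parse_deny_file(text):
    """Inverse of render_deny_file: recover {ip: blocked_at} from the file written last run."""
    deny, pending = {}, None
    for line in text.splitlines():
        if line.startswith("# blocked "):
            pending = parse_ts(line[len("# blocked "):])
        elif line.strip() and pending is not None:
            deny[line.strip()] = pending
            pending = None
    return deny


if __name__ == "__main__":
    # One scheduled run: read the old list, add today's scanners, drop entries past 24h.
    try:
        with open(DENY_FILE) as f:
            previous = parse_deny_file(f.read())
    except OSError:
        previous = {}
    now = parse_ts("2005-03-15 12:00:00")   # fixed clock so the sample is reproducible
    current = update_deny_list(previous, find_scanners(SAMPLE_LOG), now)
    print(render_deny_file(current), end="")
```

The file this produces is what the ACL's hosts = condition consumes, and the same {ip: blocked_at} map is what a firewall wrapper (jlasman's preferred approach) would turn into block and unblock rules, so the expiry logic does not need to change whichever enforcement point is chosen.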