dynamic blacklisting with exim4 & fail2ban

this is a short description of how to set up fail2ban to dynamically block IP addresses based on patterns found in exim's mainlog. the idea is to match against recipient addresses that are only ever used by spammers & thereby indicate that we don't want to receive mail from that machine. (& also against broken EHLO while we're there.)

/etc/fail2ban/jail.local

add the new jail (adjust values to your preferences):

[exim-reject]
enabled = true
filter = exim-reject
port = smtp
action = iptables[name=exim-reject,port=smtp,protocol=tcp]
logpath = /var/log/exim4/mainlog
bantime = 84600
maxretry = 2

/etc/fail2ban/filter.d/exim-reject.conf

create the filter. this is the interesting part: here we set the patterns that are matched against the log lines. the list of addresses needs to be adjusted, obviously (these are python regexps):

[Definition]

addresses = foo|bar|baz\.doing

failregex = \[<HOST>\] .*> rejected RCPT <(?:%(addresses)s)@example.org>: Unrouteable address
            rejected EHLO from .*\[<HOST>\]: syntactically invalid argument\(s\): \(no argument given\)

ignoreregex =
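to see what the filter above actually does before pointing fail2ban at a live mainlog, here is an added example (not part of the original post, and not fail2ban's own code) that expands the two failregex lines the way fail2ban does (the %(addresses)s interpolation and the <HOST> placeholder), runs them over a few constructed exim mainlog lines, and reports which hosts would reach maxretry. the log lines, IP addresses and the simplified IPv4-only <HOST> pattern are assumptions made for the example:

```python
import re
from collections import Counter

# the filter definition, copied from the exim-reject.conf above
ADDRESSES = r"foo|bar|baz\.doing"
FAILREGEXES = [
    r"\[<HOST>\] .*> rejected RCPT <(?:%(addresses)s)@example.org>: Unrouteable address",
    r"rejected EHLO from .*\[<HOST>\]: syntactically invalid argument\(s\): \(no argument given\)",
]
MAXRETRY = 2  # same value as in jail.local above

# fail2ban replaces <HOST> with a pattern capturing the client address; this is a
# simplified IPv4-only stand-in (assumption), fail2ban's real one also covers IPv6 and hostnames
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# constructed exim mainlog lines (not real log data)
SAMPLE_LOG = [
    "2013-04-02 10:15:01 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <foo@example.org>: Unrouteable address",
    "2013-04-02 10:15:03 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <baz.doing@example.org>: Unrouteable address",
    "2013-04-02 10:16:00 rejected EHLO from [198.51.100.7]: syntactically invalid argument(s): (no argument given)",
    "2013-04-02 10:17:00 H=(x) [203.0.113.5] F=<alice@example.com> rejected RCPT <foo@example.org>: Unrouteable address",
    # a typo'd but legitimate recipient: rejected by exim, but NOT in the addresses list, so no hit
    "2013-04-02 10:18:00 H=(x) [203.0.113.5] F=<alice@example.com> rejected RCPT <real.user@other.org>: Unrouteable address",
    # a normal accepted message, no hit
    "2013-04-02 10:19:00 <= alice@example.com H=(x) [203.0.113.5] P=esmtp S=1234",
]


def compile_filter(failregexes=FAILREGEXES, addresses=ADDRESSES):
    """expand %(addresses)s and <HOST> like fail2ban does, then compile each failregex"""
    compiled = []
    for rx in failregexes:
        rx = rx % {"addresses": addresses}      # the %()s interpolation of the config parser
        rx = rx.replace("<HOST>", HOST_PATTERN)  # the <HOST> placeholder
        compiled.append(re.compile(rx))
    return compiled


def matched_hosts(lines, patterns):
    """return the captured host for every log line that matches any failregex (one hit per line)"""
    hits = []
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """hosts that produced at least maxretry hits (findtime is ignored in this toy version)"""
    counts = Counter(matched_hosts(lines, compile_filter()))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in Counter(matched_hosts(SAMPLE_LOG, compile_filter())).items():
        print(f"{host}: {n} hit(s)")
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

only 192.0.2.10 reaches maxretry here; 203.0.113.5 gets a single hit because its second rejection was for an address outside the addresses list, which is exactly the point of keeping that list narrow. for the real thing, fail2ban ships fail2ban-regex, which takes a log file and the filter config as arguments and prints the matched lines, so the same check can be run against the actual mainlog without using a script like this one.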

gregor, 2013-04-02

All material on this blog — unless stated otherwise — is © gregor herrmann, and is licensed under the Creative Commons Attribution-Share Alike 3.0 Austria License.