My firewall has now blocked 100,768 IP addresses from the namecheap.com spam botnet. These sleazebags have been spamming us 24x7 for over 5 years now. Not one single spam - NOT ONE - has been delivered to any of my users.
What a waste of internet bandwidth though. I wish ... bad things to happen to them.
DouglasFoster said:I had not planned to implement Fail2Ban, although I took a quick look at its website (https://www.fail2ban.org/) and I can see why it was useful for you.
My interest was focused on hacking Exim to do what UTM does not. I thought you said that you had implemented a Reverse DNS filtering mechanism, which I assumed that you implemented with Exim filters.
If I get hostile mail from "server7.malware4u.com", I want to block multiple servers based on the domain name, as well as blocking one server or one range based on IP address. This seems like an obvious requirement, requiring relatively little coding effort, so I am mystified why it is missing from UTM or any other commercial spam filter.
If you have a working regex that targets that domain, then blocking it is trivial, doesn't matter what the IP's are.
If I understand you, we have the same problem. I know the pattern of the namecheap spambots, so a regex expression to detect those domain names, then it tosses each IP into the IPSET database to be blocked.
Here's is an example from right now. Obvious spam coming in from "drama@dealrough.pro". Log file shows IP of 185.217.228.19.
My fail2ban action then blocks 185.217.228.0/24. Wash your hands and you are done dealing with that parasite.
Yes, it takes a lot of customizing to set up. Fail2ban is not friendly, but that's part of the fun for me.
Sure can... I dont use Fail2Ban on the UTM, but on a Centos webserver, I'm assuming the logs are similar.
So advice for anyone attempting to use Fail2Ban
First bit of advice... small steps, one at a time. Backup configs, Implement, watch, test, tweak - repeat
Second bit of advice - drinking beer while you tweak into the night is not advisable.
Whitelist your servers and your connection/admin IP!!! ( More than likely Sophos IP's for updates etc)
Activate the sshd filter - whitelist your admin ip's!
Watching the Fail2Ban log can be "fun" - No1 Tool - tail -f /etc/fail2ban/fail2ban.log
No2 tool is a testing process for checking logs against regex. You block the wrong stuff and you are screwed. eg Background updates, SSL updates / Server monitors or worse you lock yourself out
https://www.regextester.com/94338
This allows a dump of a log segment to test the regex.
Document and name your filters for easy id.
These are probably the most active filters I have created - Disclaimer - use at your own risk -
Test them before to see what they do!
# hashed out comments are recipes I have created and used at times
-------------------------
jail.local:
[dovecotCraigHack]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = /var/log/exim_rejectlog
maxretry = 1
File Filter "dovecotCraigHack.conf"
#\[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[\S+\])
#\[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[<HOST>\])
#\[\d+\](.*)(\[\S+\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
#\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
#\[\d+\](.*)(\[\S+\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
#\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
#\[\d+\](.*)(\[\S+\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
#\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
[Definition]
failregex = \[\d+\] dovecot_(?:login|plain) authenticator failed (?:\S* )?(?:\(\S*\)|\S*)? (?:\(\S*\))? (\[<HOST>\])
\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)The account or domain may not exist, they may be blacklisted, or missing the proper dns entries
\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25 sender verify fail for(.*)\: No Such User Here\"
\[\d+\](.*)(\[<HOST>\])(.*)(\[\S+\])(.*)\:25\: 535 Incorrect authentication data
ignoreregex =
-------------------------
jail.local:
[eximCraigHack]
enabled = true
port = smtp,465,submission
logpath =/var/log/exim_mainlog
maxretry = 1
File Filter "eximCraigHack.conf"
#\[\d+\] SMTP connection from \[(<HOST>)\]
#\[\d+\] no MAIL in SMTP connection from \(\[(<HOST>)\]\)
[Definition]
failregex = \[\d+\] no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?(\[<HOST>\])
ignoreregex =
-------------------------
Regards
Craig
LMAO, Craig - "Second bit of advice - drinking beer while you tweak into the night is not advisable."
Thanks for your contributions here!
Cheers - Bob
vicegod said:[dovecotCraigHack]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = /var/log/exim_rejectlog
maxretry = 1
I started off blocking individual ports like that too, but then I thought why?
If you attack me, I block you completely. All ports. For a minimum of 2 years.
