linux
photosho, 2021-10-11 10:32:29

What is the correct way to configure fail2ban for Exim?

Someone is conducting a DDoS attack on the server through Exim, guessing passwords. The log grows so much that by the evening it has around 170,000 lines. In one of the neighboring topics I was advised to install the "Fail2Ban" program to block the IPs of the intruders. The program has been installed for almost a week, but the logs still keep growing. Tell me, maybe something is not configured correctly? The exim jail configuration is:

[exim]
filter = exim_auth
port = smtp,465,imap,submission
action = iptables-multiport[name=exim,port="25,465,587"]
maxretry = 2
logpath = /var/log/exim/main.log
enabled = true
backend = polling
bantime.increment = true
protocol = tcp
bantime = 6h
findtime = 10m

The "status exim" command returns "Currently banned: 74". About 900 banned in total over 6 days.


2 answer(s)
ky0, 2021-10-11
@ky0

What you call DDoS is in fact almost certainly the standard activity of bots that probe services open to the entire Internet, such as mailers, SSH, RDP, etc.
Since there are a lot of addresses, and they usually don't hammer for a long time, your block list can fill up endlessly.

Alexander Falaleev, 2021-10-11
@suffix_ixbt

You need to increase it:
findtime = 36000
And wait about a month until bantime.increment sends everyone into long-term bans.
PS
In the fail2ban logs, check whether the "incremental" ban works:
[exim] Increase Ban 162.142.125.41 (5 # 16 days, 0:00:00 -> 2021-10-27 09:55:31)
It should look something like this.
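To run the check described in the answer above over a large fail2ban.log rather than by eye, here is an added Python example (it is not from the original thread). The log line layout (fail2ban 0.11 style NOTICE lines) and the sample lines are assumptions modelled on the quoted "Increase Ban" line; it counts ban events per jail and reports whether bantime.increment has actually escalated any address.

```python
import re
from collections import defaultdict
from datetime import timedelta

# Assumed fail2ban.log line shape (fail2ban 0.11 with bantime.increment = true):
# "<date> <time>,<ms> fail2ban.actions [<pid>]: NOTICE [<jail>] <event> <ip> (<n> # <duration> -> <until>)"
LINE_RE = re.compile(
    r"\[(?P<jail>[\w-]+)\]\s+(?P<event>Increase Ban|Restore Ban|Ban|Unban)\s+(?P<ip>\S+)"
    r"(?:\s+\((?P<count>\d+)\s*#\s*(?P<duration>[^>]+?)\s*->)?"
)

# Constructed sample lines, not real log data
SAMPLE_LOG = [
    "2021-10-11 10:00:01,101 fail2ban.actions [812]: NOTICE [exim] Ban 203.0.113.10",
    "2021-10-11 10:00:02,102 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.7",
    "2021-10-11 16:00:03,103 fail2ban.actions [812]: NOTICE [exim] Unban 203.0.113.10",
    "2021-10-11 16:05:04,104 fail2ban.actions [812]: NOTICE [exim] Increase Ban 203.0.113.10 (2 # 12:00:00 -> 2021-10-12 04:05:04)",
    "2021-10-27 09:55:31,105 fail2ban.actions [812]: NOTICE [exim] Increase Ban 203.0.113.10 (5 # 16 days, 0:00:00 -> 2021-11-12 09:55:31)",
    "2021-10-27 09:56:00,106 fail2ban.actions [812]: NOTICE [exim] Restore Ban 203.0.113.22",
]

def parse_duration(text):
    """Turn fail2ban's timedelta rendering ('16 days, 0:00:00' or '6:00:00') into a timedelta."""
    days = 0
    m = re.match(r"(\d+) days?, (.*)", text)
    if m:
        days, text = int(m.group(1)), m.group(2)
    h, mnt, s = (int(x) for x in text.split(":"))
    return timedelta(days=days, hours=h, minutes=mnt, seconds=s)

def summarize(lines):
    """Count ban events per jail and keep the highest (ban count, duration) seen per IP."""
    events = defaultdict(lambda: defaultdict(int))  # jail -> event name -> count
    longest = {}                                    # ip -> (ban count, timedelta)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated line (filter debug, startup messages, ...)
        events[m["jail"]][m["event"]] += 1
        if m["count"]:
            cur = (int(m["count"]), parse_duration(m["duration"]))
            if cur > longest.get(m["ip"], (0, timedelta())):
                longest[m["ip"]] = cur
    return events, longest

def increment_active(events, jail):
    """bantime.increment is working for a jail once it has emitted at least one 'Increase Ban'."""
    return events.get(jail, {}).get("Increase Ban", 0) > 0

if __name__ == "__main__":
    ev, lg = summarize(SAMPLE_LOG)
    for jail, counts in ev.items():
        print(jail, dict(counts), "increment active:", increment_active(ev, jail))
    for ip, (n, dur) in lg.items():
        print(ip, "ban #%d, last duration %s" % (n, dur))
```

To use it on a live system, replace SAMPLE_LOG with the lines of /var/log/fail2ban.log; a jail with many "Ban" events and no "Increase Ban" events means the escalation the answer relies on is not happening.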
