Exim4 blacklists seemingly not working [Resolved]


#21

Correction on my previous posting… IPv6 addresses need to be wrapped in double quotes, and not single quotes as I said.


#22

I have now confirmed that IPv6 addresses can be dropped into /etc/symbiosis/firewall/blacklist.d as filenames, in the normal format of an IPv6 address but with /64 on the end to signify a single IP.

The file needs to be created as previously noted by replacing the / (slash) with a | (pipe); however, it must be noted that you have to escape the pipe when creating the file.

Proof it works:

 Feb 12 10:26:18 account snoopy[26401]: [uid:0 sid:492 tty:(none) cwd:/ filename:/sbin/ip6tables]: /sbin/ip6tables -A blacklist --src 240a:618b:0:d1::/64 -j DROP

Oh hang on, unless that’s just me adding the rule… But no! It’s dated today and I added that rule yesterday… but scrolling up a bit revealed the truth. It’s iptables save and ip6tables save; I was wondering why I had them all hitting at the same time. So no, in the end this is proof of nothing other than the rule successfully being added to the ip6tables rules. Whether it actually works or not hasn’t actually been proven, but looking at the rule, it certainly looks fine to me.
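As an added example (not code from the thread or from Symbiosis), here are small POSIX shell helpers for the filename convention described above: the CIDR slash becomes a pipe in the filename, and quoting the name means the pipe never has to be escaped by hand. The target directory is a parameter so the helpers can be tried in a scratch directory before pointing them at /etc/symbiosis/firewall/blacklist.d.

```shell
#!/bin/sh
# Added example, not from the thread. Maps "240a:618b:0:d1::/64" to the
# blacklist.d filename "240a:618b:0:d1::|64" and back, and creates the entry.

# CIDR -> blacklist.d filename (slash becomes pipe).
cidr_to_blacklist_name() {
    printf '%s\n' "$1" | tr '/' '|'
}

# blacklist.d filename -> CIDR, for reading existing entries back.
blacklist_name_to_cidr() {
    printf '%s\n' "$1" | tr '|' '/'
}

# Create an entry in directory $1 for CIDR $2.
# Refuses input that is not address/prefix, or whose prefix length is
# not numeric or exceeds the address family's maximum (32 for IPv4, 128 for IPv6).
add_blacklist_entry() {
    dir=$1
    cidr=$2
    case $cidr in
        */*) ;;
        *) echo "refusing '$cidr': expected address/prefix" >&2; return 1 ;;
    esac
    prefix=${cidr##*/}
    addr=${cidr%/*}
    case $prefix in
        ''|*[!0-9]*) echo "refusing '$cidr': prefix is not a number" >&2; return 1 ;;
    esac
    case $addr in
        *:*) max=128 ;;   # contains a colon: IPv6
        *)   max=32 ;;    # otherwise treat as IPv4
    esac
    if [ "$prefix" -gt "$max" ]; then
        echo "refusing '$cidr': prefix longer than /$max" >&2
        return 1
    fi
    name=$(cidr_to_blacklist_name "$cidr")
    # Quoting "$dir/$name" is what keeps the '|' intact; no backslash needed.
    touch -- "$dir/$name"
}

# Stand-alone demonstration in a scratch directory (constructed, not /etc).
scratch=$(mktemp -d)
add_blacklist_entry "$scratch" '240a:618b:0:d1::/64' && ls "$scratch"
rm -rf "$scratch"
```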


#23

At the time, I was unclear whether you were adding files to /etc/symbiosis/firewall/blacklist.d, or adding direct IP addresses into one of the Exim blacklist files. My comments refer to adding IPv6 addresses to the latter.


#24

Should work too; no problem having multiple options available. I haven’t even looked at the Exim blacklist files, but I’ll be sure to take a peek.


#25

Also if the file ends in .auto it’s likely to have been added by a patterns rule. If you place a file in the blacklist.d directory, iptables is updated pretty instantly I’ve found.

And it will rebuild its tables every 15 minutes, so the logs will show that happening.


#26

Oh it definitely shows it in the logs, over and over; every time I touch a file into there the firewall is pretty much immediately updated, which ofc makes it difficult to c&p IP addresses when it’s scrolling by so fast. :smiley:

Cracked it though, just banning SSH attackers at the moment. Eventually I’ll move onto fail2ban but for now, if I can just reduce the hits per day a little, then maybe I’ll have time to introduce further changes.


#27

Try
tail -f logfile | less

or better

tail -f logfile | grep SSH | less

where SSH is something on the line you are looking for.

If you have a restricted set of people using SSH, then you can get sshd to listen on some other random port and switch to using that for access. Once it’s working, you can then ban access to port 22. This goes some way to just keeping the script kiddies out. You can always get in using the console if this goes wrong and you find yourself locked out.


#28

I’m on managed, so I’ve been advised by support that it’s not a great idea to move the port. I did do some usual SSH hardening, but that just locked support out of the server.

I’m live tailing the files, but I’m also watching for other stuff, I often grep too, but I’ve never tried grepping a live tail… Thanks for the tips.


Talking of zgrepping and grepping, here’s a quick bit of bash for those hunting down blacklisteds:

zgrep 'blacklisted by zen' /var/log/exim4/mainlog* | grep '2019-02-15' | wc -l

Will get you a blacklisted count for each day, very useful to see if you get anywhere near the Spamhaus daily limit (I don’t, thankfully).
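Generalising the one-liner above, here is an added example (not from the thread) that produces the per-day count in a single pass over the mainlog files instead of one grep per date. It assumes the exim4 mainlog line format of a leading "YYYY-MM-DD HH:MM:SS" timestamp and the same ‘blacklisted by zen’ phrase used in the original command; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: count Spamhaus zen rejections in
# exim4 mainlog output, per day and for a single day. Reads log lines on stdin.

# Print "YYYY-MM-DD count" for every day that has at least one rejection.
# $1 of each mainlog line is the date, so awk can bucket by it directly.
zen_counts_per_day() {
    awk '/blacklisted by zen/ { n[$1]++ }
         END { for (d in n) print d, n[d] }' | sort
}

# Count for one day only ($1 = YYYY-MM-DD), equivalent to the thread's
# zgrep | grep | wc -l but without the exit-status quirk of an empty grep -c.
zen_count_for_day() {
    awk -v day="$1" '/blacklisted by zen/ && $1 == day { n++ }
                     END { print n + 0 }'
}

# Constructed sample lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG='2019-02-14 09:01:02 H=(example.invalid) [203.0.113.5] rejected connection: blacklisted by zen.spamhaus.org
2019-02-14 09:05:10 1gtXXX-0001Ab-Cd <= user@example.com H=mail.example.com [198.51.100.2] P=esmtp
2019-02-15 10:11:12 H=(example.invalid) [203.0.113.9] rejected connection: blacklisted by zen.spamhaus.org
2019-02-15 11:00:00 H=(example.invalid) [203.0.113.10] rejected connection: blacklisted by zen.spamhaus.org'

# Demonstration on the constructed lines. On a real server, feed the rotated
# and current logs together with:  zcat -f /var/log/exim4/mainlog* | zen_counts_per_day
printf '%s\n' "$SAMPLE_LOG" | zen_counts_per_day
printf '%s\n' "$SAMPLE_LOG" | zen_count_for_day 2019-02-15
```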


#29

Just for info., no daily counts, but the rblinfo script born in ‘Email defences; additional DNS RBL’ outputs this type of thing…

admin@vm1:/etc/exim4$ /srv/.all-sites/utils/rblinfo

   17 rbl services configured (non-spamhaus might 'tag')
   12 rbl services show log rejection messages

  service                         sites     rejections
--------------------------------------------------------
  zen.spamhaus.org                   31            693
  hostkarma.junkemailfilter.com      14             46
  all.s5h.net                        14             44
  b.barracudacentral.org             20             35
  all.spamrats.com                   13              8
  dbl.spamhaus.org                   20              6
  multi.uribl.com                    20              5
  truncate.gbudb.net                 20              5
  ubl.unsubscore.com                 16              5
  dnsbl.dronebl.org                  14              4
  all.bl.blocklist.de                16              1
  bl.spamcop.net                     16              1
  bl.mailspike.net                   18              0
  rhsbl.sorbs.net                    12              0
  dyna.spamrats.com                   5              0
  noptr.spamrats.com                  5              0
  dnsbl.sorbs.net                     1              0
  TOTAL                               -            853
--------------------------------------------------------
  spamassassin                       31             10
  clamav                             31             74
--------------------------------------------------------
  v20180729 : ~0.16s

It also counts ‘local’ rejections if /etc/exim/blacklist/by_sender exists.

At least one person managed to break it (blank output) but I never found out how.


#30

Definitely gonna have to play with that (Next week - before I break the server over the weekend again).

I looked in that thread a number of times and that script always added to my confusion, but now, you have eased that confusion.


#31

If you come back as @angrybanana I’ll delete it. :grinning:


#32

lol, easy now fella. :smiley:

Wouldn’t it be angrytomato or angryredpepper anyway?


#33

:slight_smile: Yes or some would say ‘angryblue’ but in my defence, I was being flippant.