  1. #1
    sehh (Member, joined Feb 2006, Europe, 442 posts)

    Block IP addresses right away

    Currently, exim rejects an email if an IP address in the headers of the email is in an RBL (zen, spamcop).

    How can we modify exim to also check the originating IP address of the connection and drop it right away, without even starting an SMTP conversation?

    I've seen this feature on a few servers: once the connection is made at the TCP/IP level, exim checks the IP address of the remote host against an RBL, and if the IP is listed then exim drops the connection right away without any further communication.

    This lowers the effects of spam on servers (high CPU usage, high memory usage, etc.) caused by running the entire conversation with the spammer and scanning the email (with SA, ClamAV, etc.).

    Does anyone know how to do this?


    PS:
    Once an IP is found not to be listed, everything else works as before: the headers of the email are still scanned and the IPs are also checked against RBLs. So this part isn't affected; it remains the same.

  2. #2
    gupi (Member, joined Apr 2004, 125 posts)

    You can use Chirpy's excellent firewall and block IPs at connection time.
    Install csf and read the instructions; you will find out how to keep a list of banned IPs (not only for mail reasons).
    Stefaniu -gupi- Criste
    Hangar Hosting - a safe place for your Romanian online business

  3. #3
    gupi (Member, joined Apr 2004, 125 posts)

    What firewall do you use to protect your server?
    Stefaniu -gupi- Criste
    Hangar Hosting - a safe place for your Romanian online business

  4. #4
    sehh (Member, joined Feb 2006, Europe, 442 posts)

    It seems that script can do the job; unfortunately I don't want to install any 3rd party scripts, as I've already seen too many remote exploits in them (intentional or accidental).

    That's why I was looking for something that works in exim, maybe some simple configuration changes or something similar.

  5. #5
    gupi (Member, joined Apr 2004, 125 posts)

    Quote Originally Posted by sehh:
    It seems that script can do the job; unfortunately I don't want to install any 3rd party scripts, as I've already seen too many remote exploits in them (intentional or accidental).

    That's why I was looking for something that works in exim, maybe some simple configuration changes or something similar.
    So, how do you protect your server?
    What firewall do you use?
    Stefaniu -gupi- Criste
    Hangar Hosting - a safe place for your Romanian online business

  6. #6
    sehh (Member, joined Feb 2006, Europe, 442 posts)

    iptables; I'm using CentOS 4.5.

    I've created several scripts which automatically ban IP addresses: one of them listens for connections to unused ports, another scans logs (exim logs, cPanel logs, ssh logs, etc.). Once one of my scripts needs to block an IP, it executes iptables and adds a reject rule.

  7. #7
    gupi (Member, joined Apr 2004, 125 posts)

    Well, csf is (imho) just a good iptables wrapper.

    - csf closes all ports but the needed ones (so you do not have to monitor connections to unused ports, as you state above)
    - monitors the visiting IP against public blacklists (dshield, for instance), saving you a great deal of time and resources
    - gives you the freedom to use other personal lists (here you can quickly add offending IPs)
    - has a built-in scanner (lfd) that scans and blocks (permanently or temporarily) suspect IPs; the monitored resources are: ssh login attempts, pop3/imap/smtp login attempts, too-many-connections attempts, http auth attempts, mod_security errors and more

    So, why should I develop several scripts, when this script is just what I need?

    my 2c
    Stefaniu -gupi- Criste
    Hangar Hosting - a safe place for your Romanian online business

  8. #8
    sehh (Member, joined Feb 2006, Europe, 442 posts)

    For two reasons:

    1) I don't trust 3rd party scripts floating around the net. I've already seen too many of them with intentional or accidental remote exploits (like XMLRPC, *nuke CMSs, Joomla plugins, etc. etc.).

    2) My scripts already do all the features you stated, except for blocking at connection time, which is something I need for exim only (port 25).

  9. #9
    gupi (Member, joined Apr 2004, 125 posts)

    Quote Originally Posted by sehh:
    1) I don't trust 3rd party scripts floating around the net. I've already seen too many of them with intentional or accidental remote exploits (like XMLRPC, *nuke CMSs, Joomla plugins, etc. etc.).
    Exim is a 3rd party script floating around the net; how come you trust it?


    Quote Originally Posted by sehh:
    2) My scripts already do all the features you stated, except for blocking at connection time, which is something I need for exim only (port 25).
    csf is open; you can always re-create the desired scripts based on it.

    Anyway, I do not want to start a flame; good luck in your decision.
    Stefaniu -gupi- Criste
    Hangar Hosting - a safe place for your Romanian online business

  10. #10
    sehh (Member, joined Feb 2006, Europe, 442 posts)

    I trust exim because it comes from a reputable team of developers, it has gone through code review, and it's not "a script floating around the net".

    I may download csf and copy parts of the code that are relevant to me; thanks for the idea.

    Oh, no worries, there is no flame, we are just debating our cases. Unfortunately, I've found too many remote exploits in "common" software that many people use; it was a great revelation which proves why bot nets are so big. At first I thought that they were mostly vulnerable Windoze computers used by people who don't know much about computers. That's not the case anymore: indeed a bot net has a large number of those, but now their owners have started adding exploits to known open source (and some closed source) applications.

    I remember some time ago when one of my clients was hit by such an open source web application: I noticed the server sending large amounts of email and traced it down to his gallery script. The author had coded a remote mailer, which worked by an HTTP POST request. The contents of the PHP array contained the email address to send the email to and the body of the email.

    I also checked other well known apps, some closed source. Some were cloaked as screensavers for Windoze, which the attackers spread via email. Another popular script is XMLRPC; when I first read the code it was obvious it was "remote exploit heaven", probably done on purpose. Of course the many developers that included it in their software (WordPress, etc.) patched it many many times, but the harm was already done.

    Anyway, I'm blabbering at this point, so I'll drop the subject and go back to blocking IP addresses.

  11. #11
    Member (joined Feb 2006, 5 posts)

    I'm using Chirpy's firewall, but not to block IP addresses on SMTP connects.

    Instead, I added a couple of ACL rules found here: http://wiki.exim.org/SpamFiltering

    In particular, the HELO fixes allowed exim to drastically reduce the number of spam connects by dropping the SMTP connection as soon as it saw an IP address rather than a FQDN in the HELO line.

    Here's what I added. I added these using the Advanced exim config editor, in the ACL section immediately after the lines:

    Code:
    [% ACL_RATELIMIT_BLOCK %]
    
      accept  hosts = :
    - - your mileage may vary:

    Code:
    # The following are ACLs taken from http://wiki.exim.org/AclHeloTricks 
    # Drop if HELO is an IP address
    
    drop
        condition   = ${if isip{$sender_helo_name}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)
    
    
    # HELO is neither FQDN nor address literal
    
    drop
        # Required because "[IPv6:<address>]" will have no .s
        condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
        condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
    
    
    drop
        condition   = ${if match{$sender_helo_name}{\N\.$\N}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
    
    
    drop
        condition   = ${if match{$sender_helo_name}{\N\.\.\N}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
    
    
    # Drop if impersonating our server
    
    drop  
          condition = ${if match{$sender_helo_name}{$primary_hostname}}
          message   = REJECTED - Bad HELO - Host impersonating [$sender_helo_name]
    Hope this helps.

    Cheers, Michael
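    As an added example (not code from the thread, from exim or from csf): a Python model of the two decisions discussed in this thread, the connect-time DNSBL drop asked for in post #1 and the HELO ACL chain posted above, so the rules can be exercised against sample HELO names offline. The hostname, the DNSBL zones and the "listed" lookup result are constructed; real exim resolves the reversed-octet name over DNS.

```python
import ipaddress
import re

# Constructed sample values for this example; they are not from the thread.
PRIMARY_HOSTNAME = "mail.example.com"
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]  # the lists named in post #1


def dnsbl_query_name(ip, zone):
    """Name an exim dnslists lookup would resolve: IPv4 octets reversed, then the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def connect_decision(ip, resolve):
    """Connect-time check from post #1: drop before any SMTP dialogue if the
    connecting IP is listed. `resolve(name)` stands in for DNS and returns True
    when the lookup name resolves, i.e. the IP is listed in that zone."""
    for zone in DNSBL_ZONES:
        if resolve(dnsbl_query_name(ip, zone)):
            return ("drop", zone)
    return ("accept", None)


def helo_decision(helo):
    """The HELO ACL chain from post #11, evaluated in the same order exim does.
    Returns ('drop', reason) for the first matching rule, else ('accept', None)."""
    try:
        ipaddress.ip_address(helo)  # ${if isip{$sender_helo_name}}
        return ("drop", "HELO is an IP address (RFC2821 4.1.3)")
    except ValueError:
        pass
    # Neither FQDN nor address literal: no leading "[" and no dot at all.
    if not helo.startswith("[") and "." not in helo:
        return ("drop", "HELO is neither FQDN nor address literal")
    if helo.endswith("."):
        return ("drop", "HELO ends with a dot")
    if ".." in helo:
        return ("drop", "HELO contains consecutive dots")
    # ${if match{...}{$primary_hostname}} is an unanchored regex match, so the
    # unescaped dots in the hostname act as wildcards; this mirrors that behaviour.
    if re.search(PRIMARY_HOSTNAME, helo):
        return ("drop", "HELO impersonates our hostname")
    return ("accept", None)


if __name__ == "__main__":
    listed = {"10.2.0.192.zen.spamhaus.org"}  # constructed: pretend this IP is listed
    print(connect_decision("192.0.2.10", lambda name: name in listed))
    for name in ["192.0.2.10", "localhost", "mail.example.com.evil.net", "smtp.sender.example"]:
        print(name, "->", helo_decision(name))
```

    Note that the impersonation rule, because it is a regex match, also drops any HELO that merely contains the hostname pattern, which is worth keeping in mind when a legitimate client suddenly cannot connect.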

  12. #12
    brianoz (Member, joined Mar 2004, Melbourne, Australia, 1,093 posts; cPanel/Enkompass Access Level: Root Administrator)

    Quote Originally Posted by sehh:
    Unfortunately, I've found too many remote exploits in "common" software that many people use; it was a great revelation which proves why bot nets are so big. At first I thought that they were mostly vulnerable Windoze computers used by people who don't know much about computers. That's not the case anymore: indeed a bot net has a large number of those, but now their owners have started adding exploits to known open source (and some closed source) applications.
    So you don't run Perl? Or Exim? Or PHP? They're all developed by "third parties". In general, I agree with you, having found many exploitable scripts in user accounts over the years.

    So the key issue isn't that they're a third party; the issue is whether the author provably knows their stuff. Chirpy, the author of CSF, is recognized as a worldwide cPanel expert and CSF is maintained on a regular basis. Used on thousands of servers around the planet, it has taken over from APF as the standard firewall script on cPanel servers. Check it out; you'll find it's very thorough and robust. I've known Chirpy for 4 years or so and he knows his stuff (as a sysadmin for 25 years, I'm in a position to recognize competency!). Reimplement if you like, but it's a big waste of time in this case.

  13. #13
    Member (joined Jan 2004, 755 posts)

    I'm even using CSF on a bunch of non-cPanel servers... it's rock solid.


    On the note of using his code, the licence says:

    3. SCOPE OF LICENCE

    3.1 You shall not:

    3.1.1 modify, adapt, merge, translate, decompile,
    disassemble, or reverse engineer the Product, except as
    permitted by law;
    So, I'd ask before slurping the code...

  14. #14
    Member (joined Mar 2006, 31 posts)

    Quote Originally Posted by mpeacock:
    In particular, the HELO fixes allowed exim to drastically reduce the number of spam connects by dropping the SMTP connection as soon as it saw an IP address rather than a FQDN in the HELO line.

    Here's what I added. I added these using the Advanced exim config editor, in the ACL section immediately after the lines:

    Code:
    [% ACL_RATELIMIT_BLOCK %]
    
      accept  hosts = :
    - - your mileage may vary:

    Code:
    # The following are ACLs taken from http://wiki.exim.org/AclHeloTricks 
    # Drop if HELO is an IP address
    
    drop
        condition   = ${if isip{$sender_helo_name}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)
    
    
    # HELO is neither FQDN nor address literal
    
    drop
        # Required because "[IPv6:<address>]" will have no .s
        condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
        condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
    
    
    drop
        condition   = ${if match{$sender_helo_name}{\N\.$\N}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
    
    
    drop
        condition   = ${if match{$sender_helo_name}{\N\.\.\N}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
    
    
    # Drop if impersonating our server
    
    drop  
          condition = ${if match{$sender_helo_name}{$primary_hostname}}
          message   = REJECTED - Bad HELO - Host impersonating [$sender_helo_name]
    I can't send email since I installed these rules on cPanel 11. Any idea?
