  1. #31
    Member
    Join Date
    Nov 2003
    Posts
    71

    Default

    No, I didn't implement the cron job. I thought I'd let it run for a week and see what happened, since they said to set up a cron for like once a week. I think I need to run it once a day. Thanks for your reply, I was about to implement an RBL.. but if I do implement an RBL so that it runs after the dictionary attack, where would I put it?

  2. #32
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Personally, I'd run the CRON job hourly. As for the RBL, which method are you using (do you have a post/url that you're looking at using)?
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #33
    Member
    Join Date
    Nov 2003
    Posts
    71

    Default

    I set it up to run hourly, we'll see how that goes...

    I don't have any RBL set up, I'm not sure where or what exactly to add in the Exim Configuration Editor. I tried setting up an RBL before, but removed it because all mail would fail.. I'm sure I did something wrong. I haven't been able to find a tutorial as straightforward as this dictionary attack site.. which is the only modification I've done to the exim config.

  4. #34
    Member
    Join Date
    May 2003
    Posts
    237

    Default

    One way we countered dictionary attacks is by denying a message if it contains a specific subject.

    For example, dictionary attacks bouncing back from Hotmail will say:

    delivery failed or something like that

    Yahoo is another message. It has served us well and didn't interrupt other users by blocking legit IP addresses.

  5. #35
    Member
    Join Date
    Nov 2003
    Posts
    71

    Default

    I'll check into that. After setting up the hourly cron job the exim_deny list is around 1200 IPs. Much less than 100,000. The load is averaging 0.47, waaaay better.. so far.

  6. #36
    Member
    Join Date
    Feb 2003
    Posts
    251

    Default

    Is the exim_deny.pl script, when executed via a cron, supposed to purge the exim_deny file?

    Thanks
    Mike

  7. #37
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Hi Mike,

    Yes it does, but it doesn't simply empty it out. It clears down the entries from before the CRON interval. So, the very first time it runs nothing will happen. An hour later it will clear down all entries older than an hour and so on.

    If you just want to empty it out yourself, you can either run the script directly yourself a few times or simply:

    cat /dev/null > /etc/exim_deny
    Jonathan Michaelson

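
Added example, not part of the original thread and not the real exim_deny.pl: one way a cron-driven purge can behave as described in the post above (nothing removed on the first run, entries older than one interval removed on each later run). The marker line and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Marker-based expiry for a deny list (hypothetical helper, not exim_deny.pl).
# The ACL side only ever appends IPs to the end of the file; cron calls
# rotate_deny_list once per interval.

# Assumed marker. Exim ignores '#' comments in list files, so the marker
# never matches a host.
MARKER='# purge-marker'

# rotate_deny_list FILE
#   Drops every entry above the marker left by the previous run (those are
#   at least one interval old), keeps entries appended since then, and
#   writes a fresh marker for the next run.
rotate_deny_list() {
    file=$1
    [ -f "$file" ] || return 1
    tmp=$(mktemp "${file}.XXXXXX") || return 1

    if grep -qxF "$MARKER" "$file"; then
        # Keep only the lines that follow the last marker.
        awk -v m="$MARKER" '$0 == m { n = 0; next } { keep[++n] = $0 }
            END { for (i = 1; i <= n; i++) print keep[i] }' "$file" > "$tmp"
    else
        # First run: no marker yet, so nothing is old enough to remove.
        cat "$file" > "$tmp"
    fi
    printf '%s\n' "$MARKER" >> "$tmp"

    # Rewrite in place instead of mv, so the file keeps its owner and mode
    # and the mail server can still read and append to it.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# count_entries FILE: number of non-comment, non-blank lines (listed IPs).
count_entries() {
    awk '!/^#/ && NF { c++ } END { print c + 0 }' "$1"
}

# Hourly cron usage (path taken from the thread):
#   rotate_deny_list /etc/exim_deny
```

An IP that keeps failing recipients is simply re-added after it expires, which is why the list in this thread settles at a few thousand entries instead of growing without bound.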

  8. #38
    Member
    Join Date
    Jun 2004
    Posts
    76

    Default

    Quote: Originally posted by pphillips
    I set it up to run hourly, we'll see how that goes...

    I don't have any RBL set up, I'm not sure where or what exactly to add in the Exim Configuration Editor. I tried setting up an RBL before, but removed it because all mail would fail.. I'm sure I did something wrong. I haven't been able to find a tutorial as straightforward as this dictionary attack site.. which is the only modification I've done to the exim config.
    (End of quote)

    See here: http://forums.ev1servers.net/showthr...t=rblblacklist

    Works well, at least for me

    And BTW Chirpy I need to also add a thanks to you for the dictionary rules, seriously it's been a life-saver! Thank you!

  9. #39
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    My pleasure
    Jonathan Michaelson


  10. #40
    Member
    Join Date
    Nov 2003
    Posts
    71

    Default

    Chirpy supplied the dictionary rules? Thanks a TON man! It's great when people contribute like that.

    Just a quick update on my case. The exim_deny file has anywhere between 2200 and 3600 IPs in it at any given time. Seems to fluctuate between those numbers with the cron running hourly. Load is sometimes slightly higher than I'd like, but nothing to cause any problems, although I've got notices that Exim failed and is being restarted occasionally.

  11. #41
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Dictionary attacks can be such a pain. One of our hosting customers' domains got so bad at one point we had to tell them to either change their domain name or leave because it was causing problems for everyone else - it's the main reason I wrote this type of ACL for it.
    Jonathan Michaelson


  12. #42
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Nov 2003
    Location
    moscow
    Posts
    294

    Default

    I'm just curious why it works for some senders but not for others? Of course, the destination address is the same in both cases.

    PS. BTW, where can I change the value for blocking an attacker's IP address? Currently it is equal to 4. So, after 4 tries, the script blocks the attacker's IP.
    Last edited by rustelekom; 12-01-2004 at 10:09 AM.

  13. #43
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    You just need to increase or decrease the 3 in this line of the ACL:

    condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}

    The number of hits is the number you specify +1.
    Jonathan Michaelson


  14. #44
    Member
    Join Date
    Feb 2003
    Posts
    251

    Default

    Hello

    We've got the dictionary tweak working great on one of our servers. The problem is now our RBL filtering does not work. Is there a way to have mail filtered through the dictionary ACL and then the RBL ACL?

    Thanks
    Mike

  15. #45
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    I can't think why it wouldn't work. I use MailScanner, which obviates the need for inline RBLs.
    Jonathan Michaelson

