The Community Forums


bfd-0.6

Discussion in 'General Discussion' started by anup123, Feb 10, 2005.

  1. anup123

    BFD-0.6 has rules for exim and pure-ftpd.
    Does this mean that the Dictionary Attack ACL can be removed from Exim?

    Anup
     
  2. picoyak

    Well, it looks like BFD does only a basic check for dictionary attacks, and it gives them 20 chances by default. Far too many IMO. But I understand why it is set so high, and in the end it's probably a good thing for those using Chirpy's dictionary ACL.

    While it may work, I feel that Chirpy's dictionary ACL offers a much more useful set of functions - mainly clearing down the blocked IP list on a scheduled basis, whereas BFD will simply add that IP to deny_hosts.
     
  3. chirpy

    Personally, I don't like the method used with BFD for the following reasons:

    1. If you get a lot of spam through dictionary attacks, then your iptables will become huge (since zombie PCs are usually used, it's not uncommon to see tens of thousands of separate IP addresses coming in). This could cause serious overhead for all of your network traffic.

    2. It doesn't provide a regular method of purging, so innocent mistakes will be permanently blocked.

    3. It not only blocks port 25 access, but access to the whole server (pretty pointless if it's a spammer).

    4. You have no way to distinguish IP addresses blocked for RCPT failures from those added to your iptables firewall for any other misdemeanor, which makes 1. very difficult to script.

    So, I would recommend not using it and to continue with the dictionary attack which provides a method to clear down IP addresses regularly and only imposes a small overhead and only for mail.
     
  4. anup123

    I am sure I missed out on the auto purging, since I never really checked for updated features of the Dictionary Attack ACL ever since I had it going.

    Fine, what you say was there in my mind wrt complete blockage, and I had been carefully following the BFD mails. So, in order to not use BFD's rule, would deleting rules/exim be fine?

    Thanks
    Anup
     
  5. chirpy

    Yup, just delete the file. It simply picks up whatever files that you do have within the rules/ subdirectory of BFD.
     
  6. anup123

    Thanks. I just updated the Dictionary Attack ACL and deleted the exim rule.
    If there could be something similar for high-spam IPs, like the following:

    One IP starts sending high-score SPAM mails (say I reject at 20+).
    Once more than 3/4/5 (configurable) are rejected then, just like with the Dictionary Attack ACL, the IP is denied connection for 1 hour (or maybe less -- again configurable). This could perhaps reduce the load on SA. Just a thought, I could just be sounding weird though.

    Thanks
    Anup
     
  7. chirpy

    Well, with the dictionary attack ACL in the place where I have indicated, emails from an identified source don't get anywhere near SA - the connection to the offending server is dropped before any of the email DATA hits the server for the duration that it is in /etc/exim_deny - if they re-offend after an hour, they'll be blocked again for another hour.
     
  8. anup123

    Agreed. Actually I meant the following scenario:

    (1) IP is Not A Dictionary Attack IP.
    (2) It Sends Out High Scoring SPAM

    The recipient domain in question has a "Catchall" type of setup.

    With mail passing through (1), it gets rejected at (2) (20+ score) but after causing load. Say this IP sent out "n" mails in a short burst directed towards a catchall-type setup.

    Now, for such an IP, have something similar to the Dictionary Attack ACL to block this IP (high spam score) for a configurable period of time.

    Thanks
    Anup
     
  9. chirpy

    Ah! I understand. Hmmm, that's got me thinking...

    All you'd need to do would be to append the offending IP address to /etc/exim_deny after doing the SA checks. Hmmm.
     
  10. anup123

    Yup. So that the same IP doesn't trigger SA again for the duration that it stays in exim_deny.
    The idea is that with heavy traffic on an SA-enabled server, there is more legitimate mail that can be pushed through :)

    Thanks
    Anup
     
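    A minimal model of the mechanism sketched in the last few posts (count high-score rejections per IP, append the IP to an exim_deny-style list after the SA checks, drop its connections before DATA while it is listed, and clear the list down on a schedule), as an added example that is not code from the thread, from BFD or from the Dictionary Attack ACL; the "ip epoch" file format, the method names and the default values are assumptions.

```python
# Added example: a time-limited deny list of the kind proposed in this thread.
# Not code from the thread, BFD or the Dictionary Attack ACL; the "ip epoch"
# file format and the default parameter values are assumptions.
import time


class SpamDenyList:
    """Count high-score rejections per IP and deny repeat offenders for a while."""

    def __init__(self, threshold=3, deny_seconds=3600, score_limit=20.0):
        self.threshold = threshold        # rejections before the IP is denied
        self.deny_seconds = deny_seconds  # how long an entry stays in the list
        self.score_limit = score_limit    # SA score at which mail is rejected
        self.rejections = {}              # ip -> high-score rejections so far
        self.denied = {}                  # ip -> epoch time it was added

    def drop_connection(self, ip, now=None):
        """Connect-time check: True means drop before DATA, so SA never runs."""
        now = time.time() if now is None else now
        added = self.denied.get(ip)
        if added is None:
            return False
        if now - added >= self.deny_seconds:
            del self.denied[ip]  # entry has expired: let the IP try again
            return False
        return True

    def record_score(self, ip, score, now=None):
        """Post-SA check: reject high scorers, deny the IP after `threshold` hits."""
        now = time.time() if now is None else now
        if score < self.score_limit:
            return "accepted"
        count = self.rejections.get(ip, 0) + 1
        if count >= self.threshold:
            self.denied[ip] = now
            self.rejections.pop(ip, None)  # count afresh once the block lapses
            return "rejected+denied"
        self.rejections[ip] = count
        return "rejected"

    def purge(self, now=None):
        """Scheduled clear-down (what the thread says BFD lacks); returns released IPs."""
        now = time.time() if now is None else now
        expired = [ip for ip, t in self.denied.items() if now - t >= self.deny_seconds]
        for ip in expired:
            del self.denied[ip]
        return expired

    def render(self):
        """Lines for an exim_deny-style file (assumed 'ip epoch' format)."""
        return [f"{ip} {int(t)}" for ip, t in sorted(self.denied.items())]
```

    The connect-time check is what keeps a listed IP away from SA for the whole deny period; re-offending after the purge starts the count again rather than extending the old entry.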
  11. webignition

    The idea of exim_deny-ing mail sent from IPs where mail from the same IP was previously tagged as high scoring spam seems like the best idea I've heard of in a while.

    If anyone could suggest a way of doing this I'm sure a lot of people could benefit from it. I wish I knew how . . .
     
  12. anup123

    Jonnathan@Chirpy is the person who can do it (or perhaps has already done it and is waiting for tests to complete before releasing). Just waiting :)

    Anup
     
  13. webignition

    Yes, from the above I can almost hear the gears of Chirpy's brain working . . .
     
  14. chirpy

    It's on my todo list ;)
     