I wanted to check on IP addresses that were connecting to my Exim mail server an inordinately large number of times, see who they were, and decide whether to block them or not. I ran the following command: "cat /var/log/exim_mainlog | grabips | egrep -v "no host name" | sort | uniq -c | sort -rn > /tmp/eximips", which yielded the following counts and IPs (just the top of the list):
134876 210.16.100.79
81096 193.56.29.28
25386 38.70.203.82
21563 212.192.219.135
15217 185.239.242.52
12297 2.56.56.191
9698 185.147.34.118
9105 23.97.12.108
8605 182.106.186.189
8448 2.58.149.77
7264 103.153.77.86
6775 212.192.219.148
I then ran: "while read COUNT IP ; do echo "*** $IP ***"; nslookup -timeout=2 $IP | grep "name ="; done < /tmp/eximips"
*** 210.16.100.79 ***
79.100.16.210.in-addr.arpa name = tecmar.biz.100.16.210.in-addr.arpa.
*** 193.56.29.28 ***
*** 38.70.203.82 ***
*** 212.192.219.135 ***
*** 185.239.242.52 ***
52.242.239.185.in-addr.arpa name = scl-0053.mails--servers.org.
*** 2.56.56.191 ***
*** 185.147.34.118 ***
*** 23.97.12.108 ***
*** 182.106.186.189 ***
*** 2.58.149.77 ***
*** 103.153.77.86 ***
*** 212.192.219.148 ***
I checked these in the Barracuda RBL lookup and several (in bold) have poor reputations, and with that information, I added them (one at a time) to the blacklist in cPHulkd, expecting connections from those IPs to stop immediately. They didn't. For one IP address, I had to stop/restart cPHulkd AND restart Exim, and then connections stopped. For another, I restarted both services but the connections continue. I'm not sure what's going on and what I should expect. Shouldn't these changes take place immediately? Do I need to restart a different service? Or restart them in a particular order?
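The triage pipeline in the post (count connecting IPs from exim_mainlog, reverse-resolve the top ones, check them against the Barracuda RBL) as a single offline script, added here as an illustration and not code from the poster or from cPanel. It assumes nothing about the poster's "grabips" helper: the IP is taken from the bracketed "[a.b.c.d]" field that Exim writes after "H=" on SMTP lines, "no host name" lines are dropped exactly as the egrep -v did, and non-global addresses (loopback, RFC 1918) are excluded so the operator does not blacklist their own hosts. Instead of performing DNS queries it builds the two names one would query: the in-addr.arpa PTR name that nslookup used, and the DNSBL name for zone b.barracudacentral.org (the Barracuda Reputation Block List), whose listing convention is an A record in 127.0.0.0/8 and NXDOMAIN when not listed. The sample log lines are constructed and reuse addresses from the post; this script says nothing about why cPHulk's blacklist did not take effect.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in exim_mainlog style; the addresses are taken from the
# post above, the sender/recipient names are invented. Not real log data.
SAMPLE_LOG = """\
2024-05-01 10:00:01 no host name found for IP address 210.16.100.79
2024-05-01 10:00:01 H=(tecmar.biz) [210.16.100.79] F=<a@tecmar.biz> rejected RCPT <x@example.com>: relay not permitted
2024-05-01 10:00:02 H=(tecmar.biz) [210.16.100.79] F=<b@tecmar.biz> rejected RCPT <y@example.com>: relay not permitted
2024-05-01 10:00:03 H=(tecmar.biz) [210.16.100.79] F=<c@tecmar.biz> rejected RCPT <z@example.com>: relay not permitted
2024-05-01 10:00:04 dovecot_login authenticator failed for (User) [185.239.242.52]: 535 Incorrect authentication data
2024-05-01 10:00:05 dovecot_login authenticator failed for (User) [185.239.242.52]: 535 Incorrect authentication data
2024-05-01 10:00:06 H=[193.56.29.28] F=<> rejected RCPT <postmaster@example.com>: Sender verify failed
2024-05-01 10:00:07 SMTP connection from [10.0.0.1]:40000 (TCP/IP connection count = 1)
2024-05-01 10:00:08 Start queue run: pid=1234
"""

# First bracketed dotted-quad on the line: Exim's "H=name [ip]" field.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def count_remote_ips(log_text: str, skip_non_global: bool = True) -> Counter:
    """Count connecting IPv4 addresses, one hit per log line.

    Mirrors the poster's pipeline: 'no host name' lines are skipped as their
    egrep -v did. Additionally drops loopback/private/reserved addresses so
    the operator's own hosts never end up in a blacklist candidate list.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if "no host name" in line:
            continue
        m = IPV4_IN_BRACKETS.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255 slipped through the regex
        if skip_non_global and not ip.is_global:
            continue
        counts[str(ip)] += 1
    return counts


def top_talkers(counts: Counter, n: int = 10) -> list:
    """Equivalent of 'sort | uniq -c | sort -rn | head -n N'."""
    return counts.most_common(n)


def ptr_query_name(ip: str) -> str:
    """Reverse-DNS name nslookup queries for an address, e.g.
    79.100.16.210.in-addr.arpa for 210.16.100.79."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def dnsbl_query_name(ip: str, zone: str = "b.barracudacentral.org") -> str:
    """DNSBL name for an IPv4 address: octets reversed, zone appended.

    A listed address answers with an A record in 127.0.0.0/8 (commonly
    127.0.0.2); NXDOMAIN means not listed. Default zone is the Barracuda
    Reputation Block List (assumed here to be what the post's lookup used).
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(answer_ips: list) -> bool:
    """Interpret the A-record answers of a DNSBL query: any 127.x.x.x = listed."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answer_ips)


def triage_report(log_text: str, n: int = 10) -> list:
    """(ip, hit_count, ptr_name, dnsbl_name) for the top N talkers, ready to
    feed into a resolver; no network traffic is generated here."""
    counts = count_remote_ips(log_text)
    return [(ip, hits, ptr_query_name(ip), dnsbl_query_name(ip))
            for ip, hits in top_talkers(counts, n)]


if __name__ == "__main__":
    for ip, hits, ptr, dnsbl in triage_report(SAMPLE_LOG):
        print(f"{hits:6d} {ip:15s} PTR={ptr} DNSBL={dnsbl}")
```

To run it against a real log, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog and resolve the returned names with the resolver of your choice; a blacklist decision should rest on the DNSBL answer plus the hit count, not on the hit count alone, since a busy legitimate relay also produces many connections.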