fail2ban and CSF conflicting, for exim purposes?

quanin

Well-Known Member
Aug 18, 2011
127
7
68
cPanel Access Level
Root Administrator
I love what CSF does for blocking most attacks, SSH and SMTPAuth being notable. But I'm looking for a solution to block spammers after a certain number of attempts, either at the exim or firewall level. I was hoping CSF had something like it built in, but it doesn't look that way, so I was examining alternatives like fail2ban specifically for that purpose. What I'm wondering is if the two will conflict, i.e. if CSF and/or fail2ban will step on toes if installed at the same time. If yes, what would be a recommended solution for someone who's already running CSF?
 

mctDarren

Well-Known Member
Jan 6, 2004
665
9
168
New Jersey
cPanel Access Level
Root Administrator
I've been experimenting with this exact thing - letting fail2ban+csf help block spam. Adding all those IPs to the csf.deny file started impacting system performance. I ended up having fail2ban simply add the IP to the /etc/spammeripblock file. I have fail2ban look for things like repeatedly trying to deliver to a nonexistent mailbox, using malformed commands, or hammering a domain by delivering messages multiple times that SpamAssassin deems "high scoring spam".

I started a mid level VPS server using this technique two days ago, and it's up to 1200+ IPs right now. Exim has blocked 2076 connections from listed IPs in that time. Ultimately, I fear this will overwhelm the system. CPDavid, in another thread, suggested Exim could possibly handle upwards of 10K IPs in the spammer file, depending on system specs. So, I'm not sure where to go from here. Possibly create a Realtime Black List that I can funnel IPs to as I rotate them out of the spammer file? Choose a number like 2500 IPs and start rotating there? Time will tell. :)
 
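A worked version of the approach described in this post, as an added example and not code from the thread, cPanel or fail2ban: it counts Exim rejection lines per sending IP over a sliding window, leaves RBL rejections to the RBL (so only IPs not already blacklisted get listed), and keeps an expiry per listed IP so entries can be rotated out of the spammer file. The log lines are constructed, the "No Such User Here" wording, the one-IP-per-line file format and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed exim_mainlog-style lines (approximate wording, not a real capture).
SAMPLE_LOG = """\
2011-08-18 10:00:01 H=(mx) [203.0.113.5] F=<a@example.net> rejected RCPT <n1@example.com>: No Such User Here
2011-08-18 10:00:02 H=(mx) [203.0.113.5] F=<a@example.net> rejected RCPT <n2@example.com>: No Such User Here
2011-08-18 10:00:03 H=(mx) [203.0.113.5] F=<a@example.net> rejected RCPT <n3@example.com>: No Such User Here
2011-08-18 10:00:04 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=(mx) [203.0.113.5]
2011-08-18 10:00:05 H=(mx) [203.0.113.5] F=<a@example.net> rejected RCPT <n4@example.com>: No Such User Here
2011-08-18 10:00:06 H=(bad) [192.0.2.9] F=<c@example.org> rejected RCPT <u@example.com>: JunkMail rejected - 192.0.2.9 is in an RBL
2011-08-18 10:03:00 H=(other) [198.51.100.7] F=<b@example.org> rejected RCPT <n@example.com>: No Such User Here
2011-08-18 11:00:00 H=(other) [198.51.100.7] F=<b@example.org> rejected RCPT <n@example.com>: No Such User Here
""".splitlines()

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Only local abuse signals count; "JunkMail rejected" RBL hits are deliberately not matched.
TRIGGERS = ("No Such User Here", "SMTP protocol synchronization error")

def find_hammering_ips(lines, threshold=5, window_minutes=5):
    """Return {ip: total_hits} for IPs with >= threshold trigger hits inside any window."""
    window, hits = timedelta(minutes=window_minutes), defaultdict(list)
    for line in lines:
        ts, ip = TS_RE.match(line), IP_RE.search(line)
        if ts and ip and any(t in line for t in TRIGGERS):
            hits[ip.group(1)].append(datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"))
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders

def update_blocklist(blocked, offenders, now, ttl=timedelta(days=7)):
    # blocked is {ip: expiry}: drop expired entries, (re)list offenders, return file lines.
    blocked = {ip: exp for ip, exp in blocked.items() if exp > now}
    for ip in offenders:
        blocked[ip] = now + ttl                   # re-offending refreshes the expiry
    return blocked, sorted(blocked)               # one IP per line for /etc/spammeripblock

def demo():
    """One stale entry (constructed) expires; the hammering IP from SAMPLE_LOG gets listed."""
    now = datetime(2011, 8, 18, 12, 0, 0)
    return update_blocklist({"203.0.113.99": datetime(2011, 8, 10)}, find_hammering_ips(SAMPLE_LOG), now)
```

Run from cron against the tail of exim_mainlog, persisting the expiry map between runs, and the spammer file stays bounded instead of growing without limit.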

mtindor

Well-Known Member
Sep 14, 2004
1,516
142
343
inside a catfish
cPanel Access Level
Root Administrator
I don't know what you're using as far as RBLs, but my recommendation is to use Spamhaus Zen and Barracuda RBL (if you're in the US). If you're outside of the US, I don't know what RBLs are best. At any rate, my recommendation is to make sure that you only ban IP addresses that aren't already on blacklists, and that you consider somehow expiring the entries after a period of time. Rejecting during SMTP using RBLs is very efficient and is a minimal [if that] burden to the system. If you let RBLs do the heavy lifting and then use fail2ban/csf for anything else, you'll likely have a much smaller list.

M



mctDarren

Well-Known Member
Jan 6, 2004
665
9
168
New Jersey
cPanel Access Level
Root Administrator
I am using exactly those two RBLs. :) I agree with you. Letting the RBLs do the heavy work is definitely the way to go. I'm using this to block only those annoying hammering IPs, by which I mean servers that connect more than 5 times every few minutes and are listed, or that try to deliver to nonexistent recipients in that same time frame. Only the heavier abusers are listed, yet there seems to be a plethora of IPs available to them since the list is steadily growing.
 

quanin

Well-Known Member
Aug 18, 2011
127
7
68
cPanel Access Level
Root Administrator
My server's in the US, but how would I go about using the Barracuda RBL?

Additionally, I saw mention in here that CSF itself could potentially be used to block exim traffic? How would that be accomplished with a minimal amount of issue, or is fail2ban still the better way? If the latter, does fail2ban support that by default or will I need to build it?