The Community Forums


fail2ban and CSF conflicting, for exim purposes?

Discussion in 'E-mail Discussions' started by quanin, Mar 24, 2013.

  1. quanin (Well-Known Member, joined Aug 18, 2011, cPanel Access Level: Root Administrator)
    I love what CSF does for blocking most attacks, SSH and SMTPAuth being notable. But I'm looking for a solution to block spammers after a certain number of attempts, either at the exim or firewall level. I was hoping CSF had something like it built in, but it doesn't look that way, so I was examining alternatives like fail2ban specifically for that purpose. What I'm wondering is if the two will conflict, i.e. if CSF and/or fail2ban will step on each other's toes if installed at the same time. If yes, what would be a recommended solution for someone who's already running CSF?
     
  2. arunsv84 (Well-Known Member, joined Oct 20, 2008, Location: 127.0.0.1, cPanel Access Level: Root Administrator)
    #2 arunsv84, Mar 25, 2013
    Last edited: Mar 25, 2013
  3. mctDarren (Well-Known Member, joined Jan 6, 2004, Location: New Jersey, cPanel Access Level: Root Administrator)
    I've been experimenting with this exact thing - letting fail2ban+csf help block spam. Adding all those IPs to the csf.deny file started impacting system performance. I ended up having fail2ban simply add the IP to the /etc/spammeripblock file. I have fail2ban look for things like repeatedly trying to deliver to a nonexistent mailbox, using malformed commands, or hammering a domain by delivering, multiple times, messages that SpamAssassin deems "high scoring spam".

    I started a mid-level VPS server using this technique two days ago, and it's up to 1200+ IPs right now. Exim has blocked 2076 connections from listed IPs in that time. Ultimately, I fear this will overwhelm the system. CPDavid, in another thread, suggested Exim could possibly handle upwards of 10K IPs in the spammer file, depending on system specs. So, I'm not sure where to go from here. Possibly create a Realtime Black List that I can funnel IPs to as I rotate them out of the spammer file? Choose a number like 2500 IPs and start rotating there? Time will tell. :)
     
  4. mtindor (Well-Known Member, joined Sep 14, 2004, Location: inside a catfish, cPanel Access Level: Root Administrator)
    I don't know what you're using as far as RBLs, but my recommendation is to use Spamhaus Zen and Barracuda RBL (if you're in the US). If you're outside of the US, I don't know what RBLs are best. At any rate, my recommendation is to make sure that you only ban IP addresses that aren't already on blacklists, and that you consider somehow expiring the entries after a period of time. Rejecting during SMTP using RBLs is very efficient and is a minimal [if that] burden to the system. If you let RBLs do the heavy lifting and then use fail2ban/csf for anything else, you'll likely have a much smaller list.

    M
     
  5. mctDarren (Well-Known Member, joined Jan 6, 2004, Location: New Jersey, cPanel Access Level: Root Administrator)
    I am using exactly those two RBLs. :) I agree with you. Letting the RBLs do the heavy work is definitely the way to go. I'm using this to block only those annoying hammering IPs, by which I mean servers that connect more than 5 times every few minutes and are listed, or that try to deliver to nonexistent recipients in that same time frame. Only the heavier abusers are listed, yet there seems to be a plethora of IPs available to them since the list is steadily growing.
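
The rule set mctDarren describes in #3 and #5 (ban only the IPs that hammer the server: more than five rejects for nonexistent recipients or malformed commands within a few minutes) combined with mtindor's advice in #4 (let the RBLs reject first, and expire your own entries), as an added Python example that is not from this thread and not cPanel's, CSF's or fail2ban's own code. It runs over constructed exim-style mainlog lines. The exim message texts it matches ("Unrouteable address", "SMTP syntax error", "high scoring spam") and the one-address-per-line layout of /etc/spammeripblock are assumptions to check against your own server, and the already_listed set stands in for a DNSBL lookup against Spamhaus Zen or Barracuda, which this offline example does not perform.

```python
"""Ban IPs that hammer exim with rejects, skip ones an RBL already covers, expire bans."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2013, 3, 25, 10, 0, 0)


def _rejects(ip, start, n, step):
    """Constructed exim mainlog-style 'Unrouteable address' rejects (sample data, not real)."""
    return [
        f"{start + i * step:%Y-%m-%d %H:%M:%S} H=(mx.example) [{ip}] "
        f"F=<x@example.org> rejected RCPT <u{i}@example.com>: Unrouteable address"
        for i in range(n)
    ]


# Constructed sample log.  Assumed exim wording; verify against your own mainlog.
SAMPLE_LOG = (
    _rejects("198.51.100.7", T0, 6, timedelta(seconds=30))    # 6 rejects in 2.5 min: ban
    + [f'{T0 + timedelta(minutes=1):%Y-%m-%d %H:%M:%S} SMTP syntax error in "EHLO" '
       'H=(mx.example) [198.51.100.7] unrecognized command']  # plus a malformed command
    + _rejects("203.0.113.9", T0, 6, timedelta(seconds=30))   # same burst, but RBL-listed
    + _rejects("198.51.100.8", T0, 6, timedelta(minutes=25))  # 6 rejects over 2 h: no burst
    + _rejects("192.0.2.5", T0, 2, timedelta(seconds=10))     # two typos, not abuse
)

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
# The three abuse signals from the thread: nonexistent recipient, malformed command,
# high-scoring spam.  The message texts are assumptions modelled on exim's wording.
ABUSE_RE = re.compile(r"Unrouteable address|SMTP syntax error|high scoring spam")


def parse_events(lines):
    """Return [(timestamp, ip)] for every line that carries an abuse signal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not ABUSE_RE.search(m["rest"]):
            continue
        ipm = IP_RE.search(m["rest"])
        if ipm:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), ipm["ip"]))
    return events


def find_abusers(events, threshold=5, window=timedelta(minutes=5), already_listed=frozenset()):
    """Map ip -> time of ban for IPs with more than `threshold` events inside any
    `window`.  IPs in `already_listed` are left to the RBLs; in production that set
    would come from a DNSBL query, which this offline example does not make."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(events):
        if ip in already_listed or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) > threshold:
            banned[ip] = ts
    return banned


class SpammerBlockList:
    """Model of a one-address-per-line block file such as /etc/spammeripblock
    (layout assumed), with the expiry that keeps the file from growing forever."""

    def __init__(self, ttl=timedelta(days=7)):
        self.ttl = ttl
        self.entries = {}  # ip -> time banned

    def add(self, ip, when):
        self.entries.setdefault(ip, when)

    def expire(self, now):
        """Drop entries older than ttl and return the released IPs."""
        stale = sorted(ip for ip, t in self.entries.items() if now - t > self.ttl)
        for ip in stale:
            del self.entries[ip]
        return stale

    def render(self):
        return "".join(ip + "\n" for ip in sorted(self.entries))


def build_blocklist(lines=SAMPLE_LOG, already_listed=frozenset({"203.0.113.9"})):
    """Run detection over `lines` and return the resulting block list."""
    bl = SpammerBlockList()
    for ip, when in find_abusers(parse_events(lines), already_listed=already_listed).items():
        bl.add(ip, when)
    return bl


if __name__ == "__main__":
    bl = build_blocklist()
    print(bl.render(), end="")
    print("released after 8 days:", bl.expire(T0 + timedelta(days=8)))
```

Only 198.51.100.7 ends up in the file: 203.0.113.9 bursts just as hard but is left to the RBL, 198.51.100.8 never exceeds five events inside one window, and 192.0.2.5 is ordinary typo traffic. In a real deployment fail2ban's filter supplies the regexes and its action does the append; what this adds on top is the per-IP sliding window, the skip for IPs an RBL already rejects, and the expiry that bounds the size of the spammer file mctDarren is worried about.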
     
  6. quanin (Well-Known Member, joined Aug 18, 2011, cPanel Access Level: Root Administrator)
    My server's in the US, but how would I go about using the Barracuda RBL?

    Additionally, I saw mention in here that CSF itself could be used to potentially block exim traffic? How would that be accomplished with a minimal amount of issue, or is fail2ban still the better way? If the latter, does fail2ban support that by default or will I need to build it?
     
  7. mtindor (Well-Known Member, joined Sep 14, 2004, Location: inside a catfish, cPanel Access Level: Root Administrator)
    I'll PM you since this is off topic.

    M
     
    #7 mtindor, Mar 26, 2013
    Last edited: Mar 26, 2013