Following on from last week’s w00tw00t block, here’s another quick fail2ban rule, this time to handle some Exim DOS/mail bombing problems.
I already use Fail2Ban to block unauthorised users who attempt to use my mail server as a relay to send spam, and this works very well. Recently, I’ve started seeing messages like these appear in my exim logs:
2013-05-21 01:01:52 Connection from [2.38.90.63] refused: too many connections: 1 Time(s)
2013-05-21 01:01:53 Connection from [2.38.90.63] refused: too many connections: 1 Time(s)
2013-05-21 01:01:58 Connection from [2.38.90.63] refused: too many connections: 2 Time(s)
2013-05-21 01:01:59 Connection from [2.38.90.63] refused: too many connections: 1 Time(s)
2013-05-21 01:02:00 Connection from [2.38.90.63] refused: too many connections: 1 Time(s)
2013-05-21 01:02:11 Connection from [2.38.90.63] refused: too many connections: 1 Time(s)
In each case, the IP address originates from somewhere I’d not expect to receive email from, so it looks like some spammers are trying to mail bomb/DOS me.
In jail.local
[exim-dos]
enabled = true
filter = exim-dos
port = all
logpath = /var/log/exim*/mainlog
maxretry = 1
bantime = 3600
In filter.d/exim-dos.conf
# Fail2Ban Exim DOS configuration file.
# Checks for DOS/Flooding attempts.
#
# Author: Marcus Povey
#
[Definition]
# Option:  failregex
# Notes.:  regex to match the "refused: too many connections" messages in the
#          logfile. The host must be matched by a group named "host". The tag
#          "<HOST>" can be used for standard IP/hostname matching and is only an
#          alias for (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[<HOST>\] .*refused: too many connections
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Some potential gotchas
You may notice that I’ve set the bantime to quite a low value. This is because the rule has the potential for false positives or collateral damage in certain situations.
Most likely you’ll get the too many connections error when some naughty fellow starts mailbombing you, but sometimes connections will be refused for legitimate users while an attack is in progress, which would result in the good guys being banned as well as the bad.
Setting bantime to something relatively short (one hour in my example) should limit the fallout, since legitimate email servers will retry later, while most script kiddies will have moved on.
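To show how the <HOST> tag becomes the named group Fail2Ban needs, and why a copy of the filter with the tag stripped fails, here is an added Python example (not part of the original post, and not Fail2Ban's own code) that applies the failregex to a few constructed log lines. It also counts matches per host the way maxretry would, which makes the collateral-damage point above concrete: with maxretry = 1, a single refused connection is enough to ban a host.

```python
import re

# Fail2Ban's expansion of the <HOST> tag, as quoted in the filter's header comment.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from filter.d/exim-dos.conf with the <HOST> tag intact, and the
# version that results when an HTML renderer strips the tag.
FAILREGEX_OK = r"\[<HOST>\] .*refused: too many connections"
FAILREGEX_BROKEN = r"\[\] .*refused: too many connections"

# Constructed sample log, modelled on the lines shown in the post (the IPv4-mapped
# IPv6 line exercises the optional ::ffff: prefix in the alias).
SAMPLE_LOG = """\
2013-05-21 01:01:52 Connection from [2.38.90.63] refused: too many connections: 1 Time(s)
2013-05-21 01:01:53 Connection from [2.38.90.63] refused: too many connections: 1 Time(s)
2013-05-21 01:02:00 Connection from [192.0.2.10] refused: too many connections: 1 Time(s)
2013-05-21 01:02:05 Connection from [192.0.2.10] closed by QUIT
2013-05-21 01:02:11 Connection from [::ffff:198.51.100.7] refused: too many connections: 1 Time(s)
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> the way Fail2Ban does, then insist on a 'host' group.
    The missing group is what Fail2Ban reports as "No failure-id group"."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_ALIAS))
    if "host" not in pattern.groupindex:
        raise ValueError(f"No failure-id group in '{failregex}'")
    return pattern


def refused_hosts(log: str, failregex: str = FAILREGEX_OK) -> dict:
    """Count matching lines per host. Simplified: Fail2Ban strips the timestamp
    before matching, whereas this simulation simply searches the whole line."""
    pattern = compile_failregex(failregex)
    counts: dict = {}
    for line in log.splitlines():
        match = pattern.search(line)
        if match:
            host = match.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(counts: dict, maxretry: int = 1) -> list:
    """Apply the jail's maxretry threshold; the post uses maxretry = 1."""
    return sorted(host for host, n in counts.items() if n >= maxretry)
```

Raising maxretry to 2 in this sample spares the two hosts that were refused only once, which is the trade-off the bantime discussion above is about.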
I use your exim-dos recipe and I get an error in the fail2ban log: ERROR NOK: (“No failure-id group in ‘\\[\\] .*refused: too many connections'”,)
What’s wrong?
Thank you in advance,
Mauricio
It looks like you are using the exim-dos jail in Fail2ban and it is unable to parse the log messages correctly. The error message “ERROR NOK: (“No failure-id group in ‘\[\] .*refused: too many connections’”,)” means that Fail2ban is unable to extract the IP address of the client that is making too many connections from the log message.
There are a few potential causes for this issue:
1. The log message format has changed and the regular expression used by Fail2ban is no longer able to parse it correctly.
2. There is a typo in the regular expression used by Fail2ban.
3. The log messages are being modified by some other process before Fail2ban reads them, causing the regular expression to fail.
To troubleshoot this issue, you can try the following steps:
1. Check the exim log file to see if the log message format has changed.
2. Check the regular expression used by Fail2ban to see if there are any typos or other issues.
3. Check if any other processes are modifying the log messages before Fail2ban reads them.