[Pkg-exim4-users] Probe, every 27 mins, from one IP addr - how to block?

J G Miller miller at yoyo.ORG
Wed Mar 2 16:19:56 UTC 2016


At 15:55h, on Wednesday, March 02, 2016,
in message <20160302155545.112d0923 at flora.coachhouse>,
on the subject of "Re: [Pkg-exim4-users] Probe, every 27 mins, from one IP addr - how to block?", you wrote -

 > IPTables?
 > Something like this:
 > https://www.rosehosting.com/blog/blocking-abusive-ip-addresses-using-iptables-firewall-in-debianubuntu/

Yes, that would help prevent connections, and one could also consider using fail2ban with a
hand-crafted regexp.

 > You could also use /etc/hosts.deny but it is a little less flexible:
 > https://jamalahmed.wordpress.com/2010/03/19/using-etchosts-allow-and-etchosts-deny-to-secure-unix/

Which assumes that exim is built with tcpwrappers support, which *is* the case
on Debian, but possibly not on other distributions, eg Arch Linux
("Jul 16, 2011 - tcp_wrappers support is being dropped from all packages").

See Q0705 at <http://doc.dvgu.ru/admin/exim/FAQ_7.html> for an example
of tcpwrapper control configuration.

Incidentally, in view of the "just a probe" nature of this intrusion, has Ron Leach
checked his logs to see if this remote host is in fact doing a port scan to get
information on all ports which are open on his machine for a potential attack?

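As an added example (not part of the thread, and not Exim, fail2ban or Debian code), the following shell script does the log-side half of what the reply suggests: it tallies "just a probe" SMTP connections per source address in exim's mainlog format, picks out repeat offenders, and prints (without applying) the iptables and /etc/hosts.deny lines that would block them. The log lines are constructed for the example, the addresses come from the RFC 5737 documentation ranges, and the probe threshold of 3 is an arbitrary choice; the hosts.deny line assumes exim's default tcp_wrappers daemon name "exim".

```shell
#!/bin/sh
# Added example: find hosts that only ever probe SMTP (connect, EHLO, then
# drop) and emit blocking commands for review. Nothing here is applied.
# SAMPLE_LOG is constructed in exim mainlog format with RFC 5737 addresses.
SAMPLE_LOG='2016-03-02 14:01:10 no MAIL in SMTP connection from (ylmf-pc) [192.0.2.10] D=2s C=EHLO
2016-03-02 14:28:31 SMTP connection from [192.0.2.10] lost
2016-03-02 14:30:02 1acHqE-0001Zj-Qr <= alice@example.org H=mail.example.org [198.51.100.5] P=esmtps S=2048
2016-03-02 14:55:44 no MAIL in SMTP connection from (ylmf-pc) [192.0.2.10] D=1s C=EHLO
2016-03-02 15:22:59 unexpected disconnection while reading SMTP command from (ylmf-pc) [192.0.2.10] D=3s C=EHLO
2016-03-02 15:40:13 no MAIL in SMTP connection from [203.0.113.7] D=5s C=EHLO'

# The same three patterns, as a hand-crafted fail2ban filter, would be:
#   failregex = ^.* no MAIL in SMTP connection from .*\[<HOST>\]
#               ^.* SMTP connection from .*\[<HOST>\] lost
#               ^.* unexpected disconnection while reading SMTP command from .*\[<HOST>\]

# probe_counts LOGTEXT : print "count ip", most frequent first, for every
# address whose lines are probe-shaped (no MAIL, lost, unexpected disconnect).
# Delivered mail ("<=" lines) deliberately does not match.
probe_counts() {
    printf '%s\n' "$1" \
      | grep -E 'no MAIL in SMTP connection from|SMTP connection from .* lost|unexpected disconnection while reading SMTP command' \
      | sed -nE 's/.*\[([0-9.]+)\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# offenders LOGTEXT THRESHOLD : addresses seen probing at least THRESHOLD times
offenders() {
    probe_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# block_cmds IP : the two blocking options discussed in the thread, printed
# rather than executed so the operator can check the address first.
block_cmds() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j DROP\n' "$1"
    printf 'echo "exim: %s" >> /etc/hosts.deny\n' "$1"
}

# Usage: review, then paste the lines you agree with.
for ip in $(offenders "$SAMPLE_LOG" 3); do
    block_cmds "$ip"
done
```

On a real system replace SAMPLE_LOG with `cat /var/log/exim4/mainlog`, and note that a host blocked only on port 25 can still be port-scanning; a `-p tcp --dport 25` rule answers the "stop the probe" question, while a plain `-s IP -j DROP` (or the hosts.deny entry, which only covers tcp_wrappers-aware daemons) is what you want if the log check suggests a wider scan.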