And, I should have read the whole thread so I could see that Andrew already suggested this. Mea culpa. Silly Outlook and it's threading...
So, ultimately, +1 for faill2ban.
On 2/24/20, 11:11 AM, "[log in to unmask] on behalf of Kraus, Dave (GE Healthcare)" <[log in to unmask] on behalf of [log in to unmask]> wrote:
Offhand, have you looked at the "fail2ban" package to do this instead?
I see that 7.7 has a fail2ban-mail package that might help on your front, at least with a casual search.
Just a thought.
-Dave
On 2/24/20, 6:06 AM, "[log in to unmask] on behalf of tech" <[log in to unmask] on behalf of [log in to unmask]> wrote:
As this is a "system component" feature, I hope this is the right list
Scientific Linux 7.7, with latest update.
If there are more than 255 IP addresses associated with a service in
/etc/hosts.deny, then when any service which calls tcp_wrappers is
invoked, the process hangs, eventually taking 100%CPU.
Any new request to tcp wrappers invokes another process which likewise
eventually reaches 100% CPU. Effectively initiating an unintended DoS
I run exim as my MTA
I run a script which looks for certain messages
> "no host name found for IP address"
> "rejected after DATA"
> "refused: too many connections"
in the /var/log/exim/ mainlog, rejectlog and paniclogs
which indicate invalid connections to the server, and then places the
Class C IP address of these in hosts.deny, against exim
extract below from hosts.deny
> exim: 1.215.,103.141.,103.16.,103.20.,103.230.,103.233.\
> ,103.69.,103.74.,103.76.,109.100.,109.224.\
> ,109.61.,109.72.,112.78.,114.199.,115.75.\
> ,117.103.,121.65.,122.228.,123.143.,125.138.\
In the past two weeks, the number of "exim reject messages" has
increased such that the number of IP addresses associated with exim in
hosts.deny reached 256, with the result, as explained above, that
each connection to the email server started a new instance of exim,
which never completed, and eventually grabbed 100% CPU.
The logs are rotated every week and the list of IPs is refreshed.
The prevalence of hacking is on the increase, so to get greater than 255
instances in a week is not becoming uncommon.
Could the code be updated to allow more than 255/256 instances.
(255/256 are common computing numbers!!)
Thank you
Me
|