LISTSERV - SCIENTIFIC-LINUX-DEVEL Archives

And, I should have read the whole thread so I could see that Andrew already suggested this. Mea culpa. Silly Outlook and it's threading...

So, ultimately, +1 for faill2ban.

On 2/24/20, 11:11 AM, "[log in to unmask] on behalf of Kraus, Dave (GE Healthcare)" <[log in to unmask] on behalf of [log in to unmask]> wrote:

    Offhand, have you looked at the "fail2ban" package to do this instead?
    
    I see that 7.7 has a fail2ban-mail package that might help on your front, at least with a casual search.
    
    Just a thought.
    
     -Dave
    
    On 2/24/20, 6:06 AM, "[log in to unmask] on behalf of tech" <[log in to unmask] on behalf of [log in to unmask]> wrote:
    
        As this is a "system component" feature,  I hope this is the right list
        
        Scientific Linux 7.7, with latest update.
        
        If there are more than 255 IP addresses associated with a service in 
        /etc/hosts.deny,  then when any service which calls tcp_wrappers is 
        invoked,  the process hangs, eventually taking 100%CPU.
        Any new request to tcp wrappers invokes another process which likewise 
        eventually reaches 100% CPU.   Effectively initiating an unintended  DoS
        
        I run exim as my MTA
        
        I run a script which looks for certain messages
        
        > 	"no host name found for IP address"
        > 	"rejected after DATA"
        > 	"refused: too many connections"
        
        in the /var/log/exim/   mainlog, rejectlog and paniclogs
        which indicate invalid connections to the server, and then places the 
        Class C  IP address of these in hosts.deny, against exim
        
        extract below from hosts.deny
        
        > exim: 1.215.,103.141.,103.16.,103.20.,103.230.,103.233.\
        > ,103.69.,103.74.,103.76.,109.100.,109.224.\
        > ,109.61.,109.72.,112.78.,114.199.,115.75.\
        > ,117.103.,121.65.,122.228.,123.143.,125.138.\
        
        In the past two weeks, the number of "exim reject messages" has 
        increased such that the number of IP addresses  associated with exim in 
        hosts.deny reached  256, with the result,  as explained above,  that 
        each connection to the email server started a new instance of exim, 
        which never completed,  and eventually grabbed 100% CPU.
        
        The logs are rotated every week and the list of IPs is refreshed.
        
        The prevalence of hacking is on the increase, so to get greater than 255 
        instances in a week is not becoming uncommon.
        
        Could the code be updated to allow more than 255/256 instances.
        (255/256 are common computing numbers!!)
        
        Thank you
        
        Me