CSF block force attacks on Exim
CSF / LFD block force attacks on Exim Centos
1. Backup /etc/csf/csf.conf
2. Make sure this exist in /etc/csf/csf.conf
LF_DAEMON = "1"
LF_CSF = "1"
SMTP_BLOCK = "1"
SMTPAUTH_LOG = "/var/log/exim/reject.log" SMTPRELAY_LOG = "/var/log/exim_mainlog" POP3D_LOG = "/var/log/maillog" IMAPD_LOG = "/var/log/maillog" SCRIPT_LOG = "/var/log/exim_mainlog"If reject.log not exist replace with log file with "Incorrect authentication data" messages 3. Restart LFD
csf --lfd restart4. Restart csf
csf -rOutput in /etc/csf/csf.deny
212.129.11.11 # lfd: (smtpauth) Failed SMTP AUTH login from 212.129.11.11<br />(FR/France/212-129-63-54.example.com): 5 in the last 3600 secs - Mon Jun 26 08:10:47 2017
rated 7 times
(7)
(0)
comments: 0 / hits: 3712
/ 5 years ago, mon, jun 26, 17, 09:21:15
More From
» Plain Text
Comments
There are no comments for this Snippet yet
Posted
paki
Member since Sep 7, 2016
Total Code Snippets: 12
Total Comments: 0
Location: n/a
paki snippets
6 years ago, thu, sep 8, 16, 3:04:22
<h3>1. Install Spamassassin [SSH]:</h3>
<blockquote>sudo yum install spamassassin</blockquote>
<h3>2. Create file filters in /etc/exim/ folder with code:</h3>
<blockquote>if $h_X-Spam-Flag: contains "YES"
then
headers add "Old-Subject: $h_subject"
headers remove "Subject"
headers add "Subject: ***[SPAM]*** $h_old-subject"
headers remove "Old-Subject"
endif</blockquote>
<h3>3. In etc/exim/exim.conf after this line:</h3>
<blockquote># $Cambridge: exim/exim-src/src/configure.default,v 1.14 2009/10/16 07:46:13 tom Exp $</blockquote>
put this line:
<blockquote>system_filter = /etc/exim/filters</blockquote>
<h3>4. In etc/exim/exim.conf replace:</h3>
<blockquote>#spamd_address = 127.0.0.1 783</blockquote>
with:
<blockquote>spamd_address = 127.0.0.1 783</blockquote>
<h3>5. In etc/exim/exim.conf replace:</h3>
<blockquote># Bypass SpamAssassin checks if the message is too large.
#
#accept condition = ${if >={$message_size}{100000} {1}}
#add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
# Run SpamAssassin, but allow for it to fail or time out. Add a warning message
# and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
# score exceeds the SA system threshold.
#
#warn spam = nobody/defer_ok
#add_header = X-Spam-Flag: YES
#add_header = X-Spam-Subject: [SPAM] $h_Subject
#accept condition = ${if !def:spam_score_int {1}}
#add_header = X-Spam-Note: SpamAssassin invocation failed
# Unconditionally add score and report headers
#
#warn add_header = X-Spam-Score: $spam_score ($spam_bar)n
#X-Spam-Report: $spam_report</blockquote>
with:
<blockquote># Bypass SpamAssassin checks if the message is too large.
#
# accept condition = ${if >={$message_size}{100000} {1}}
# add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
# Run SpamAssassin, but allow for it to fail or time out. Add a warning message
# and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
# score exceeds the SA system threshold.
#
warn spam = nobody/defer_ok
add_header = X-Spam-Flag: YES
#
accept condition = ${if !def:spam_score_int {1}}
add_header = X-Spam-Note: SpamAssassin invocation failed
#
# Unconditionally add score and report headers
#
warn add_header = X-Spam-Report: $spam_report</blockquote>
<h3>6. Check this code exist in /etc/mail/spamassassin/local.cf</h3>
<blockquote># These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)
# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
required_score 1.3</blockquote>
<h3>7. Restart Spamassassin [SSH]:</h3>
<blockquote>/etc/init.d/spamassassin restart</blockquote>
<h3>8. Restart Exim [SSH]:</h3>
<blockquote>service exim restart</blockquote>
comments: 0 / hits: 5800
6 years ago, wed, dec 28, 16, 4:11:52
<table>
<tr>
<td>csf -v</td><td>Show csf version</td>
</tr>
<tr>
<td>csf -l</td><td>Status</td>
</tr>
<tr>
<td>csf -l6</td><td>List/Show the IPv6 ip6tables configuration</td>
</tr>
<tr>
<td>csf -f</td><td>Flush/Stop firewall rules (Note: lfd may restart csf)</td>
</tr>
<tr>
<td>csf -s</td><td>Start the firewall rules</td>
</tr>
<tr>
<td>csf -r</td><td>Restart firewall rules (csf)</td>
</tr>
<tr>
<td>csf -sf</td><td>Force CLI restart regardless of LFDSTART setting</td>
</tr>
<tr>
<td>csf -ra</td><td>Quick restart (csf restarted by lfd)</td>
</tr>
<tr>
<td>csf -q</td><td>Restart firewall rules (csf) and then restart lfd daemon.</td>
</tr>
<tr>
<td>csf --lfd</td><td>[stop|start|restart|status] Actions to take with the lfd daemon</td>
</tr>
<tr>
<td>csf -a</td><td>Allow an IP and add to /etc/csf/csf.allow Example: <span class="justColor">csf -a 255.255.255.0</span></td>
</tr>
<tr>
<td>csf -ar</td><td>Remove an IP from /etc/csf/csf.allow Example: <span class="justColor">csf -ar 255.255.255.0</span></td>
</tr>
<tr>
<td>csf -d</td><td>Deny an IP and add to /etc/csf/csf.deny Example: <span class="justColor">csf -d 255.255.255.0</span></td>
</tr>
<tr>
<td>csf -dr</td><td>
Unblock an IP and remove from /etc/csf/csf.deny Example: <span class="justColor">csf -dr 255.255.255.0</span></td>
</tr>
<tr>
<td>csf -df</td><td>Remove and unblock all entries in /etc/csf/csf.deny</td>
</tr>
<tr>
<td>csf -g</td><td>Search the iptables and ip6tables rules for a match (Port Number or IP)</td>
</tr>
<tr>
<td>csf -t</td><td>Displays the current list of temporary allow and deny IP entries</td>
</tr>
<tr>
<td>csf -tf</td><td>Flush all IPs from the temporary IP entries</td>
</tr>
<tr>
<td>csf -cp</td><td>PING all members in an lfd Cluster</td>
</tr>
<tr>
<td>csf -m</td><td>Display Server Check in HTML or email to [email] if present. Example: <span class="justColor">csf -m [email protected]</span></td>
</tr>
<tr>
<td>csf --rbl</td><td>Process and display RBL Check in HTML or email to [email] if present</td>
</tr>
<tr>
<td>csf -lr</td><td>Initiate Log Scanner report via lfd</td>
</tr>
<tr>
<td>csf -p</td><td>View ports on the server that have a running process behind them listening for external connections</td>
</tr>
<tr>
<td>csf -x</td><td>Disable csf and lfd completely</td>
</tr>
<tr>
<td>csf -e</td><td>Enable csf and lfd if previously disabled</td>
</tr>
<tr>
<td>csf -c</td><td>Check for updates to csf but do not upgrade</td>
</tr>
<tr>
<td>csf -u</td><td>Check for updates to csf and upgrade if available</td>
</tr>
<tr>
<td>csf -uf</td><td>Force an update of csf whether and upgrade is required or not</td>
</tr>
</table>
comments: 2 / hits: 4252
6 years ago, tue, jan 3, 17, 3:37:12
<!DOCTYPE html>
<html lang="en">
<head>
<title>Share Buttons</title>
<meta name="description" content="Simple CSS javascript social share buttons" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1" />
<style>
.buttons a{display:inline-table;margin-right:20px;font-family:'Trebuchet MS',tahoma,verdana;font-weight:800;font-size:15px;text-decoration:none;}
.buttons a:hover{opacity:0.8;}
.twitterLink{background: #2EACDC;padding:5px 38px;color:#fff;}
.googleLink{background: #C3392C;padding:5px 38px;color:#fff;}
.facebookLink{background: #46649E;padding:5px 38px;color:#fff;}
</style>
</head>
<body>
<div class="buttons">
<a class="twitterLink" href="#" onclick="(function() {if (!window.open('https://twitter.com/intent/tweet?url=' + encodeURIComponent(window.location) + '&text=' + encodeURIComponent(document.title) + '', 'enter', 'left=100,top=120;location=yes,links=no,scrollbars=no,toolbar=no,width=690,height=360')) location.href = 'jump=yes'})();return false;">Twitter</a>
<a class="googleLink" href="#" onclick="(function() {if (!window.open('https://plus.google.com/share?url=' + encodeURIComponent(window.location) + '', 'enter', 'left=100,top=120;location=yes,links=no,scrollbars=no,toolbar=no,width=690,height=360')) location.href = 'jump=yes'})();return false;">Google Plus</a>
<a class="facebookLink" href="#" onclick="(function() {if (!window.open('https://www.facebook.com/sharer/sharer.php?u=' + encodeURIComponent(window.location) + '', 'enter', 'left=100,top=120;location=yes,links=no,scrollbars=no,toolbar=no,width=690,height=360')) location.href = 'jump=yes'})();return false;">FaceBook</a>
</div>
</body>
</html>
comments: 0 / hits: 2472
5 years ago, thu, jan 19, 17, 5:40:32
<table>
<tr>
<td>service clamd status</td><td>Check status</td>
</tr>
<tr>
<td>service clamd start</td><td>Start service</td>
</tr>
<tr>
<td>service clamd stop</td><td>Stop service</td>
</tr>
<tr>
<td>service clamd restart</td><td>Restart service</td>
</tr>
<tr>
<td>service clamd reload</td><td>Reload service</td>
</tr>
<tr>
<td>freshclam -V</td><td>Version info</td>
</tr>
<tr>
<td>clamscan -V</td><td>Version info 2</td>
</tr>
<tr>
<td>clamscan -h</td><td>Print help screen</td>
</tr>
<tr>
<td>clamscan -r -i</td><td>Scan all files</td>
</tr>
<tr>
<td>clamscan -r -i /home</td><td>Scan all files in home directory</td>
</tr>
<tr>
<td>clamscan -l scanlog.log</td><td>Save scan report to file</td>
</tr>
<tr>
<td>clamscan -r -i /home -l scanlog.log</td><td>Scan all files in home directory and save scan report to file</td>
</tr>
<tr>
<td>yum upgrade clamav</td><td>Upgrade Clamav</td>
</tr>
<tr>
<td>yum update clamav</td><td>Update Clamav</td>
</tr>
</table>
comments: 0 / hits: 7091
5 years ago, sat, jun 10, 17, 3:16:28
###You will need to make sure the following modules are enabled in httpd.conf
###LoadModule filter_module modules/mod_filter.so
###LoadModule deflate_module modules/mod_deflate.so
###LoadModule deflate_module modules/mod_deflate.so
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css "access 1 year"
ExpiresByType text/html "access 1 year"
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType application/pdf "access 1 year"
ExpiresByType font/truetype "access plus 1 year"
ExpiresByType font/opentype "access plus 1 year"
ExpiresByType application/x-font-woff "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
ExpiresByType text/x-javascript "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType application/x-shockwave-flash "access 1 year"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 year"
</IfModule>
##########################################
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
comments: 0 / hits: 2582
5 years ago, sat, sep 2, 17, 4:26:09
<table>
<tr>
<td>exim -bpc</td><td>number of emails in queue</td>
</tr>
<tr>
<td>exim -bp</td><td>print a list of messages in queue</td>
</tr>
<tr>
<td>exim -qf</td><td>force deliver all messages in queue</td>
</tr>
<tr>
<td>exim -Mrm <font color="red">mesageid</font></td><td>remove message from the queue</td>
</tr>
<tr>
<td>exim -Mvh <font color="red">mesageid</font></td><td>view message headers</td>
</tr>
<tr>
<td>exim -Mvb <font color="red">mesageid</td><td>view message body</td>
</tr>
<tr>
<td>exim -bp | exiqgrep -i | xargs exim -Mrm</td><td>remove the entire queue</td>
</tr>
</table>
comments: 1 / hits: 2866
4 years ago, tue, feb 27, 18, 9:25:15
<table>
<tr><td>1. Open etc/exim/exim.conf</td></tr>
<tr><td>2. Directly after this code line:
<blockquote># $Cambridge: exim/exim-src/src/configure.default,v 1.14 2009/10/16 07:46:13 tom Exp $</blockquote>
add:
<blockquote>keep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR
add_environment = PATH=/usr/local/sbin::/usr/local/bin::/sbin::/bin::/usr/sbin::/usr/bin::/sbin::/bin</blockquote></td></tr>
<tr><td>3. Restart Exim:
<blockquote>service exim restart</blockquote></td></tr>
</table>
comments: 0 / hits: 2066
4 years ago, tue, feb 27, 18, 9:41:12
[[email protected] ~]# iptables -A INPUT -s x.xx.xx.xx -p tcp --dport 25 -j REJECT
[[email protected] ~]# service iptables save
[[email protected] ~]# service iptables restart
comments: 0 / hits: 2057
4 years ago, wed, feb 28, 18, 11:02:34
1. In etc/exim/exim.conf after this line:
<blockquote># $Cambridge: exim/exim-src/src/configure.default,v 1.14 2009/10/16 07:46:13 tom Exp $</blockquote>
put this line:
<blockquote>system_filter = /etc/exim/filters</blockquote>
2. Create file filters in /etc/exim/ folder with code:
<blockquote>if
$header_from: contains "example.com"
or $header_from: contains "example2.com"
then fail
endif</blockquote>
3. Restart Exim:
<blockquote>service exim restart</blockquote>
4. Log:
<blockquote>2018-02-28 10:48:37 1gr3f4-0081uq-O7 <= [email protected] H=g.example.com [xxx.xxx.xx.xx]
2018-02-28 10:48:37 1gr3f4-0081uq-O7 cancelled by system filter</blockquote>
comments: 0 / hits: 1986