[plug] 21nails and exim4

Brad Campbell brad at fnarfbargle.com
Sun May 9 02:10:13 AWST 2021


G'day all,

The release of the 21nails vulnerability list got me to get off my backside and upgrade a few servers. A job I've been putting off for "a while" (read as nearly a year past "end of support"). The additional default logging identified a swathe of attacks against the SMTP servers that, while I was aware of them, I never really paid attention to the magnitude of.

As a result I finally installed fail2ban. Within half an hour of installing fail2ban I observed the attacks had changed in nature explicitly to evade the default fail2ban behaviour (on Debian/Devuan, 5 hits in 10 minutes gives a 10 minute ban). I altered the default jail time from 10 minutes to 60 minutes, and the bloody attacks adapted again. I know it's not just them hammering the port until fail2ban removes the iptables rule as I've watched it happen with tcpdump.

These bots are getting clever!

Brad
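
Added example, not part of the original post: a small log check for the behaviour described above, listing sources that keep failing SMTP AUTH while staying under the 5-hits-in-10-minutes threshold. The Exim log line format, the `min_total` cut-off, the function names and the sample addresses are assumptions made for this illustration, and the sliding-window check is a simplified model of fail2ban's counting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Exim main-log format for a failed SMTP AUTH attempt.
FAIL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for .*\[([0-9A-Fa-f.:]+)\]")

def parse_failures(lines):
    """Return {ip: sorted failure datetimes}; non-matching lines are ignored."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            by_ip[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in by_ip.items()}

def trips_threshold(times, maxretry=5, findtime=600):
    """True if any maxretry consecutive failures fall within findtime seconds."""
    return any((times[i + maxretry - 1] - times[i]).total_seconds() <= findtime
               for i in range(len(times) - maxretry + 1))

def under_the_radar(lines, maxretry=5, findtime=600, min_total=20):
    """IPs with >= min_total failures that never reach maxretry within findtime."""
    return sorted(ip for ip, ts in parse_failures(lines).items()
                  if len(ts) >= min_total and not trips_threshold(ts, maxretry, findtime))

def sample_log():
    """Constructed log: a paced source, a bursting source, and an unrelated line."""
    start = datetime(2021, 5, 9)
    fmt = ("{:%Y-%m-%d %H:%M:%S} dovecot_login authenticator failed for (User) "
           "[{}]: 535 Incorrect authentication data (set_id=info)")
    lines = ["2021-05-09 00:00:01 Start queue run: pid=1234"]
    # 30 attempts, one every 180 s: never 5 within 600 s.
    lines += [fmt.format(start + timedelta(seconds=180 * i), "203.0.113.7") for i in range(30)]
    # 25 attempts, one every 5 s: trips the default threshold almost at once.
    lines += [fmt.format(start + timedelta(seconds=5 * i), "198.51.100.9") for i in range(25)]
    return lines

if __name__ == "__main__":
    for ip in under_the_radar(sample_log()):
        print("paced below the ban threshold:", ip)
```

Sources reported this way are candidates for a longer `findtime` or for fail2ban's `recidive` jail, since lengthening the ban time alone never catches a source that is never banned in the first place.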


