Can't block connections

Posted: 22 Jun 2017, 18:52
by Linuc
Hi,

I am seeing an attack on exim port 25, as per:

2017-06-22 19:43:43 SMTP connection from [201.197.40.70]:13855 (TCP/IP connection count = 84)
2017-06-22 19:43:43 SMTP connection from [197.253.12.194]:18356 (TCP/IP connection count = 85)
2017-06-22 19:43:44 SMTP connection from [89.211.189.109]:55947 (TCP/IP connection count = 86)
2017-06-22 19:43:45 SMTP connection from [111.93.238.10]:16467 (TCP/IP connection count = 85)
2017-06-22 19:43:49 SMTP connection from [77.28.104.247]:38681 (TCP/IP connection count = 81)
2017-06-22 19:43:49 SMTP connection from [113.172.100.255]:10962 (TCP/IP connection count = 82)
2017-06-22 19:43:51 SMTP connection from [39.52.80.9]:24419 (TCP/IP connection count = 81)
2017-06-22 19:43:51 SMTP connection from [190.117.221.9]:40620 (TCP/IP connection count = 82)
2017-06-22 19:43:51 SMTP connection from [46.217.156.204]:29151 (TCP/IP connection count = 82)
2017-06-22 19:43:52 SMTP connection from [123.28.223.203]:28010 (TCP/IP connection count = 82)
2017-06-22 19:43:52 SMTP connection from [181.67.41.247]:29605 (TCP/IP connection count = 82)
2017-06-22 19:43:54 SMTP connection from [186.9.239.50]:46029 (TCP/IP connection count = 79)
2017-06-22 19:43:54 SMTP connection from [187.5.229.94]:30754 (TCP/IP connection count = 79)
2017-06-22 19:43:54 SMTP connection from [213.149.62.10]:11094 (TCP/IP connection count = 80)
2017-06-22 19:43:54 SMTP connection from [113.182.14.2]:43072 (TCP/IP connection count = 81)
2017-06-22 19:43:54 SMTP connection from [179.99.203.101]:29536 (TCP/IP connection count = 82)
The above is flooding the exim mail server to the point where cPanel users have difficulty sending/receiving mail.

I've enabled "blocklists" and also:

PORTFLOOD = 25;tcp;5;43200

The above does not seem to limit connections on port 25 at all.

Also tried CONNLIMIT = 25 and CT_LIMIT = 25

None of the above seems to do anything to block these.

Anyone seen this before or know of a way to block OR at least limit the connections?

Re: Can't block connections

Posted: 25 Jul 2017, 14:15
by ddd
Also having this exact same problem with no solution to block it.

Hundreds of these:

2017-07-25 15:10:35 SMTP connection from [37.72.189.70]:1228 lost
2017-07-25 15:10:35 SMTP connection from [94.177.248.136]:59075 lost
2017-07-25 15:10:35 SMTP connection from [37.72.189.70]:4934 (TCP/IP connection count = 6)
2017-07-25 15:10:35 SMTP connection from [94.177.248.136]:58786 (TCP/IP connection count = 7)
2017-07-25 15:10:35 no host name found for IP address 37.72.189.70
2017-07-25 15:10:37 SMTP connection from [37.49.224.149]:59133 lost
2017-07-25 15:10:37 SMTP connection from [37.49.224.149]:59156 (TCP/IP connection count = 7)
2017-07-25 15:10:37 no host name found for IP address 37.49.224.149
2017-07-25 15:10:37 SMTP connection from [37.72.189.70]:2024 lost
2017-07-25 15:10:37 SMTP connection from [37.72.189.70]:1798 (TCP/IP connection count = 7)
2017-07-25 15:10:37 no host name found for IP address 37.72.189.70
2017-07-25 15:10:39 SMTP connection from [94.177.248.136]:53184 lost
2017-07-25 15:10:40 SMTP connection from [94.177.248.136]:50417 (TCP/IP connection count = 7)
2017-07-25 15:10:45 SMTP connection from [37.72.189.70]:4934 lost
2017-07-25 15:10:46 SMTP connection from [94.177.248.136]:58786 lost
2017-07-25 15:10:46 SMTP connection from [94.177.248.136]:53776 (TCP/IP connection count = 6)
2017-07-25 15:10:48 SMTP connection from [37.49.224.149]:59156 lost
2017-07-25 15:10:48 SMTP connection from [37.49.224.149]:54243 (TCP/IP connection count = 6)
2017-07-25 15:10:48 no host name found for IP address 37.49.224.149
2017-07-25 15:10:48 SMTP connection from [37.72.189.70]:1798 lost
2017-07-25 15:10:48 SMTP connection from [37.72.189.70]:1333 (TCP/IP connection count = 6)
2017-07-25 15:10:48 no host name found for IP address 37.72.189.70

Re: Can't block connections

Posted: 28 Mar 2018, 15:54
by kdean
Getting thousands of these a day from hundreds of IPs, mostly from China Telecom and a few other countries. I've just been manually denying IPs and various CIDRs.

Anyone ever come up with an automatic CSF solution to detect and block these?
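As an added example (not from any poster in this thread), a small detector for exim mainlog lines of the kind quoted above: it counts new SMTP connections per source IP inside a sliding time window and, for any IP that exceeds a limit, prints a `csf -td` temporary-deny command, which is one way to automate what the thread is asking for. The sample log lines and the threshold are constructed; the `csf -td ip ttl -p port comment` form is assumed from CSF's command-line help.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches exim mainlog "SMTP connection from [ip]:port (TCP/IP connection count = N)".
# "... lost" and "no host name found" lines are ignored: they are not new connections.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP connection from "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ \(TCP/IP connection count = \d+\)$"
)

def parse_connections(lines):
    """Yield (timestamp, ip) for each new inbound SMTP connection in the log."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def flooding_ips(lines, limit, window_seconds):
    """Return {ip: peak_count} for IPs that opened more than `limit`
    connections inside any `window_seconds`-long sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for ts, ip in parse_connections(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop connections that fell out of the window
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample (documentation addresses): 192.0.2.10 reconnects every
# second while 198.51.100.5 connects once.
SAMPLE_LOG = """\
2017-07-25 15:10:35 SMTP connection from [192.0.2.10]:4934 (TCP/IP connection count = 6)
2017-07-25 15:10:35 SMTP connection from [198.51.100.5]:58786 (TCP/IP connection count = 7)
2017-07-25 15:10:35 no host name found for IP address 192.0.2.10
2017-07-25 15:10:36 SMTP connection from [192.0.2.10]:1798 (TCP/IP connection count = 7)
2017-07-25 15:10:36 SMTP connection from [192.0.2.10]:4934 lost
2017-07-25 15:10:37 SMTP connection from [192.0.2.10]:1333 (TCP/IP connection count = 6)
2017-07-25 15:10:38 SMTP connection from [192.0.2.10]:2024 (TCP/IP connection count = 7)
""".splitlines()

if __name__ == "__main__":
    # Assumed CSF syntax: csf -td <ip> <ttl-seconds> -p <port> <comment>
    for ip, peak in flooding_ips(SAMPLE_LOG, limit=3, window_seconds=10).items():
        print(f"csf -td {ip} 3600 -p 25 'exim connection flood: {peak} connections'")
```

In production, read `/var/log/exim_mainlog` instead of the embedded sample and run the printed commands through your own allow-list check before executing them.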