Exim attacks
Posted: 14 Feb 2019, 15:38
Suggestion - block Exim attacks that are designed to degrade server performance:
Log files below of the issue (IP used is arbitrary). CENTOS 7 server.
Log directory:
/var/log/exim_mainlog
2019-02-13 18:51:46.727 [32754] no MAIL in SMTP connection from [180.119.68.17]:53797 I=[xx.xx.xx.xx]:25 D=10s
2019-02-13 18:51:57.453 [32756] no MAIL in SMTP connection from [180.119.68.17]:57662 I=[xx.xx.xx.xx]:25 D=10s
2019-02-13 18:52:08.176 [307] no MAIL in SMTP connection from [180.119.68.17]:62178 I=[xx.xx.xx.xx]:25 D=10s
2019-02-13 18:52:18.922 [315] no MAIL in SMTP connection from [180.119.68.17]:51659 I=[xx.xx.xx.xx]:25 D=10s
Hundreds or thousands of these within seconds, many times from numerous IPs. Limit connections doesn't catch them.
I would like to see a perm block triggered after 5 such fails in any 1 second period.
Thanks for the consideration
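As an added illustration of the "5 such fails in any 1 second period" rule the post asks for (this is example code written here, not code from the original post or from any firewall product), the script below scans exim_mainlog lines for "no MAIL in SMTP connection" events and reports each source address that produced five or more inside a sliding one-second window; the sample log lines, the addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "no MAIL in SMTP connection" lines Exim writes to its mainlog
# when a client connects and drops off without ever issuing MAIL FROM.
NO_MAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[\d+\] "
    r"no MAIL in SMTP connection from \[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+"
)

def find_offenders(lines, threshold=5, window=timedelta(seconds=1)):
    """Return {ip: timestamp of the event that tripped the rule} for every
    source address with >= `threshold` 'no MAIL' events inside `window`."""
    recent = defaultdict(deque)   # ip -> event timestamps still in the window
    offenders = {}
    for line in lines:
        m = NO_MAIL_RE.match(line)
        if not m:
            continue              # some other mainlog line; ignore it
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

# Constructed sample (not the post's log): 192.0.2.10 makes six rapid
# connections inside one second; 198.51.100.7 stays ~10 s apart like the post.
SAMPLE_LOG = """\
2019-02-13 18:51:46.727 [32754] no MAIL in SMTP connection from [198.51.100.7]:53797 I=[203.0.113.5]:25 D=10s
2019-02-13 18:51:57.453 [32756] no MAIL in SMTP connection from [198.51.100.7]:57662 I=[203.0.113.5]:25 D=10s
2019-02-13 18:52:08.100 [401] no MAIL in SMTP connection from [192.0.2.10]:40001 I=[203.0.113.5]:25 D=10s
2019-02-13 18:52:08.250 [402] no MAIL in SMTP connection from [192.0.2.10]:40002 I=[203.0.113.5]:25 D=10s
2019-02-13 18:52:08.400 [403] no MAIL in SMTP connection from [192.0.2.10]:40003 I=[203.0.113.5]:25 D=10s
2019-02-13 18:52:08.550 [404] no MAIL in SMTP connection from [192.0.2.10]:40004 I=[203.0.113.5]:25 D=10s
2019-02-13 18:52:08.700 [405] no MAIL in SMTP connection from [192.0.2.10]:40005 I=[203.0.113.5]:25 D=10s
2019-02-13 18:52:09.300 [406] no MAIL in SMTP connection from [192.0.2.10]:40006 I=[203.0.113.5]:25 D=10s
2019-02-13 18:52:18.922 [315] no MAIL in SMTP connection from [198.51.100.7]:51659 I=[203.0.113.5]:25 D=10s
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when}  rule tripped by {ip}")
```

Note that the four lines quoted in the post are about 10 seconds apart (each connection sat idle until the D=10s timeout), so a strict "5 in 1 second" window would not catch that pattern on its own; a longer window or a per-IP count over a few minutes would.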