  1. #1
    BANNED
    Join Date
    Oct 2004
    Posts
    166

    I am getting hit with a distributed dictionary email attack

    I am getting hit with a distributed dictionary email attack

    I installed the anti-dictionary attack software but it just keeps coming from new IPs

    # cat /etc/exim_deny | uniq | wc -l
    1058

    It's been running about an hour now and is still increasing.

    What should I do?

    Is it good to block that many IPs? Will that slow down delivery of regular mail?

  2. #2
    Member sawbuck
    Join Date
    Jan 2004
    Posts
    1,310
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by EdRooney
    I installed the anti-dictionary attack software but it just keeps coming from new IPs
    Meaning the one that Chirpy provides?

  3. #3
    Super Moderator (account confirmed by cPanel staff to represent a vendor) chirpy
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    That number should be fine. So long as you have installed the recommended hourly cron job it will rotate the IP addresses. You're likely to have a far greater load on your server if you didn't have the ACL in place.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  4. #4
    BANNED
    Join Date
    Oct 2004
    Posts
    166

    Default

    Is that a lot? Have you seen more than 1000 IPs blocked per hour before?

  5. #5
    Super Moderator (account confirmed by cPanel staff to represent a vendor) chirpy
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Yes. I have a server that at one time was getting around 3000 attacks an hour. It was the reason I wrote the ACL in the first place.
    Jonathan Michaelson

  6. #6
    BANNED
    Join Date
    Oct 2004
    Posts
    166

    Default

    Cool, how many does that server get now?

  7. #7
    Member
    Join Date
    Nov 2003
    Posts
    521

    Default

    1. How did you know you were under this type of attack?
    2. Considering so many IPs are being blocked, would it be a good idea to unblock the IPs in a few months or so, considering some of those IPs may have been dynamic or spoofed?

    Thank you in advance for your replies.

  8. #8
    BANNED
    Join Date
    Oct 2004
    Posts
    166

    Default

    1. How did you know you were under this type of attack?
    >>I watched the exim main log

    2. Considering so many IPs are being blocked, would it be a good idea to unblock the IPs in a few months or so, considering some of those IPs may have been dynamic or spoofed?
    >>It depends; if they are dynamically generated, in a few months it is quite possible to have legitimate people, or quite possibly the entire internet, blocked.

    I am thinking of keeping them blocked for a few days.

  9. #9
    Super Moderator (account confirmed by cPanel staff to represent a vendor) chirpy
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    My dictionary attack ACL unblocks the IPs within an hour (depending on how often you have the file rotated via the cron job) since, as you say, they're mostly dynamic. It's highly unlikely that the IP addresses were spoofed, but that's neither here nor there.

    I just checked and that server only gets the normal number now (10-20 an hour) so they've been seen off for now
    Jonathan Michaelson
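    The two mechanisms described above, watching the Exim main log for unknown-user rejections (post #8) and expiring blocked addresses after an hour the way the cron rotation does (post #9), as an added example that is not code from the thread, from the ACL or from csf. The log lines, IP addresses and the "3 distinct unknown recipients inside a minute" threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Exim mainlog "No Such User Here" rejections (not from the thread).
SAMPLE_LOG = """\
2004-10-20 10:15:01 H=(mx.example) [192.0.2.10] F=<a@spam.example> rejected RCPT <alan@example.com>: No Such User Here
2004-10-20 10:15:02 H=(mx.example) [192.0.2.10] F=<a@spam.example> rejected RCPT <albert@example.com>: No Such User Here
2004-10-20 10:15:02 H=(mx.example) [192.0.2.10] F=<a@spam.example> rejected RCPT <alice@example.com>: No Such User Here
2004-10-20 10:15:03 H=(mx.example) [192.0.2.10] F=<a@spam.example> rejected RCPT <amy@example.com>: No Such User Here
2004-10-20 10:15:09 H=(mail.partner.example) [198.51.100.7] F=<bob@partner.example> rejected RCPT <sales2@example.com>: No Such User Here
2004-10-20 10:15:10 H=(mail.partner.example) [198.51.100.7] F=<bob@partner.example> rejected RCPT <sales@example.com>: No Such User Here
2004-10-20 10:16:00 H=(mx.example) [203.0.113.5] F=<x@spam.example> rejected RCPT <aaron@example.com>: No Such User Here
2004-10-20 10:16:00 H=(mx.example) [203.0.113.5] F=<x@spam.example> rejected RCPT <abby@example.com>: No Such User Here
2004-10-20 10:16:01 H=(mx.example) [203.0.113.5] F=<x@spam.example> rejected RCPT <adam@example.com>: No Such User Here
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
# "<date> <time> H=<host info> [<ip>] F=<sender> rejected RCPT <rcpt>: No Such User Here"
REJECT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=.*? \[([\d.]+)\] .*rejected RCPT <([^>]+)>: No Such User Here")

def parse_rejects(log_text):
    """Return {ip: [(timestamp, recipient), ...]} for every unknown-user rejection."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            events[m.group(2)].append((datetime.strptime(m.group(1), TS_FMT), m.group(3).lower()))
    return events

def find_dictionary_sources(log_text, threshold=3, window=timedelta(minutes=1)):
    """IPs rejected for at least `threshold` DISTINCT unknown recipients inside one window.
    Distinct recipients matter: a real sender retrying one mistyped address is not an attack."""
    flagged = set()
    for ip, evs in parse_rejects(log_text).items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            rcpts = {r for t, r in evs[i:] if t - start <= window}
            if len(rcpts) >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)

def rotate_blocklist(entries, now, ttl_seconds=3600):
    """entries = {ip: "YYYY-mm-dd HH:MM:SS" when first blocked}; keep only entries younger than ttl.
    This is what the hourly cron rotation achieves: dynamic addresses later handed to
    legitimate senders are not left blocked indefinitely."""
    now_ts = datetime.strptime(now, TS_FMT)
    return sorted(ip for ip, seen in entries.items()
                  if now_ts - datetime.strptime(seen, TS_FMT) < timedelta(seconds=ttl_seconds))
```

    Run `find_dictionary_sources(SAMPLE_LOG)` to see the two constructed attacking addresses flagged while the partner host retrying two addresses is not.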

  10. #10
    BANNED
    Join Date
    Oct 2004
    Posts
    166

    Default

    Quote Originally Posted by chirpy
    I just checked and that server only gets the normal number now (10-20 an hour) so they've been seen off for now
    You rule!!! Chirpy for president!

  11. #11
    Member sawbuck
    Join Date
    Jan 2004
    Posts
    1,310
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by EdRooney
    You rule!!! Chirpy for president!
    Better nominate him for Prime Minister instead.

  12. #12
    Member
    Join Date
    Sep 2004
    Posts
    529

    Default

    You really shouldn't be accepting mail from dynamic IPs anyway... so I don't see that as a concern? Spoofed IPs could be a problem though.

    Or is the block rule added to iptables without specifying a port (i.e. 25), so it would then block HTTP as well?

  13. #13
    BANNED
    Join Date
    Oct 2004
    Posts
    166

    Default

    How do I block spoofed IPs? I'm at over 15,000 and rapidly increasing

    # cat exim_deny | wc -l
    15437

  14. #14
    BANNED
    Join Date
    Oct 2004
    Posts
    166

    Default

    How long does it take before the dictionary attackers realize they are blocked and move on to someone else's domain?

  15. #15
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    Default

    Sometimes.. weeks.

    The point of the dictionary attack is to limit the number of useless messages flowing to the inbox.. it's up to you as an admin to deal with it as you see fit. They'll still hammer the server (that's what they're trying to do).
    Beau Henderson
