
Exim ACL to block buffer overflow attempts

Discussion in 'E-mail Discussions' started by lshaw, Jul 10, 2013.

  1. lshaw

    lshaw Member

    Joined:
    May 24, 2007
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    One of our cPanel servers has been getting bombarded by a (mostly) LACNIC botnet attempting a (presumed) antiquated buffer overflow exploit for versions of Exim < 4.7. Since our server is running 4.80.1 I believe the attempts have been successfully thwarted; however, this has created another problem: exim log size.

    Understand that so far, since log rotation on Sunday, over 52000 unique IPs have made these buffer overflow attempts - some only 2 or 3 attempts, others thousands. Each time one does it creates log entries similar to this (this has been washed through 'strings' to make it more human friendly):

    Code:
    2013-07-10 19:39:58 [4927] SMTP syntax error in "\235\3112\225F\370|\226\322"   \0167J\001\230\270\214\340\227\274\307l\017\245k\302\020\225S\220\231\342\205\344\234\246\262\257\235*L\025\236(\257\243\234\247G    \235\007\023\305\237}F\315\236\271\017\303\240t\270\344\237  =\003\240#;\202\240\247\324\361\2427j\314\241.\325\241\242\371]\222\244\271f\312\242\3530|\243!\311\341\243\305\311&\245\240\303^\245\261d\004\035kns\036}\212\016\247\350\272\331\252\024\032\305\250;\354\244\226A\202\211\251fE<\252*\262T\252\005}\006\253\270~,\254\222k7\003Gmq\255\345?\264\255\272\333\300\256Vp\177\256\177\242\313\2563^k\257\201\302\003\260\226\2166\260]\317\224\260\316V\214\261y\224\376\f:\226D\262\244\306\017\263\022=\020'\256\205\207\266\274/\234,\277\313=\2703"#\2669]\257-\277'a.3Q\354\267s\351Q\270N\241p\271\232\005     \272    |\265\271Q\026\033\272dF\233-\255D\346\272f\023\337\273\301\335\220\274\343\017\335\274\021n\255\275IA\237\276\3564\321\277\034\003\220\300>\302     \302\033['\301a\277\206\303B\236=\035\004\034\236\304\300\216\357\302!\267\202\305+\277\272\303\037\232\3677\272!\322\304\007\206\2368\373\331o\306\177\254|\310\347\272\3769\027\354Z:\224s,\312\266g{;\364E\026\311|.+=s=\314%\337\330\370\312\323,\376\313{\241]?\351\373\b\317=\224n\3170\217\353\320\261\255lB\333CdD|\315\363*\371V\233\322\336]\323\320 \R\321\227\352\376\323bZ\321\321j\265\260\324K\264/\325J\207\232\323\315\203\230\324?\253\252\327|\371\217I\367\256AJ\023{\023\327\203Z&K||\2253d\005=\333C\317\356\333~\244\332\331\245\326&\332A\314\354\334V>\233\333\261\bM\334\021-\203\336\3673\273\334\330\216\232\337\324\234\bQ\240b\005\336m\275\344\340?Qw     m\267\340\342afcT\346\027\004\f\346R|\342&\232)V\223\266;Z\221\201'W\307\031,\344 \344\335\344b\342\\345\376\327"\3502p\210\350\030w\300\346/\023\002\3502\321\036\352\v\253\260_\365\       
`Cub`\023\203\352a\022\363\231iS\341\033j\032\354\351b\357\311N\354W\372\031\355\346\1\356\r\217}\356A'\343\356\202%b\357\266\275\307\357+T\254\360lR+\361\336\266\303\361\342\350\017\362"\347\216\362o\254\204\363\320K'\363\260I\246\363\377L\341\363\211\263\344k^\3450l\334t\356\365*\331\206\366i\247\024\370s\200\312k\226\342Kx\353\002\347p)\\254\374fc\344\372H'^\375b\007Br\353\375{\376N\220\255\374\222a\206t\241v\352tt)8uwm\215v\242\355A\377" H=[190.42.187.64]:49322 I=[64.140.224.205]:25 NULL character(s) present (shown as '?')
    This is resulting in incredibly large log files that are actually causing some disk space concerns. Of course I could increase the amount of disk space available to /var, or I could change log rotation schedules. But I would like to find a more eloquent solution. My ideas are:

    • Exim logging tweak - configure the Exim logging facility in such a way as to not log errors when 'syntax errors' or 'too many unrecognized commands' is encountered. (Currently it is set to log_selector = +all)
    • Exim ACL - Build an ACL that says something like 'too many errors like the above, ban the IP'.

    Unfortunately, I do not know how to do either of these things, and the Google searching I've done has not yielded results that I can easily comprehend. I've also gone through the Exim documentation on ACLs and there too I cannot quite grasp how to do either of these things.

    So I turn to you, cPanel community at large (and any cPanel techs that might stumble upon this). Would anyone be able to offer advice on how to accomplish either of the above, or perhaps offer an alternative solution to the problem?

    I thank you in advance for your time and consideration.
     
    #1 lshaw, Jul 10, 2013
    Last edited: Jul 10, 2013
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,674
    Likes Received:
    646
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You could modify the "log_selector" entry in your Exim configuration to reduce the logging output. The following documentation may be helpful:

    Exim - Log Files

    On the above document, scroll to:

    15. Reducing or increasing what is logged

    One of the optional log items is "smtp_syntax_error".

    Thank you.
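    As an added illustration (not from the thread or from cPanel), the following Exim main-configuration fragment shows the log_selector change the reply describes, with the original "+all" setting from the first post left beside it for comparison. Exim evaluates log_selector items left to right, so "+all" followed by "-smtp_syntax_error" keeps every other selector and drops only the "SMTP syntax error in ..." lines; "-smtp_protocol_error" is the matching selector for protocol errors. The two limit options are Exim's built-in mechanism for the first post's second idea: they are already on by default, and they are what produces the "dropped: too many syntax or protocol errors" and "too many unrecognized commands" lines. Where the fragment belongs on a cPanel system (WHM's Exim Configuration Manager or the local override file) is an assumption to check against your own setup.

```exim
# Added example; not the thread's or cPanel's configuration.

# Before (first post): every selector on, one log line per malformed command.
# log_selector = +all

# After: keep +all, then switch off the two selectors that flood the log.
# Items are applied left to right, so the "-" entries override "+all".
log_selector = +all -smtp_syntax_error -smtp_protocol_error

# Exim drops the SMTP connection after this many syntax or protocol errors
# (3 is the default). This is what writes the
# "SMTP call from [addr] ... dropped: too many syntax or protocol errors" line.
smtp_max_synprot_errors = 3

# Same idea for unknown commands (default 3); this produces the
# "too many unrecognized commands" line mentioned in the first post.
smtp_max_unknown_commands = 3
```

    Lowering the two limits below 3 is possible but buys little: the connection is already closed after a handful of bad commands, and the unlogged attempts still cost a connection slot, so blocking repeat offenders at the firewall remains the complement to quieter logging.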
     
  3. lshaw

    lshaw Member

    Joined:
    May 24, 2007
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Well don't I feel silly. That worked perfectly, thank you very much for your help.
     
  4. nyoman

    nyoman Active Member

    Joined:
    Nov 25, 2008
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Thanks @cPanelMichael
    This is just to reduce exim_mainlog.
    On my server, when I tail -f with PuTTY I get an error in PuTTY:

    PuTTYPuTTYPuTTYPuTTYPuTTY2013-08-28 17:28:14 SMTP connection from a10-34.xxxxxx [x.y.z.34]:46929 I=[198.x.y.z]:25 lost (error: Connection reset by peer)
    2013-08-28 1¡ÊÃ")14 SMTP call from [94.126.153.101]:61884 I=[198.x.y.z]:25 dropped: too many syntax or protocol errors (last command was "]
    f9MJÃ×öF®¶¼?

    And how do I know if the ACL is working for this attack?
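    One way to answer this question from the log itself, as an added example that is not part of the thread: the "dropped: too many syntax or protocol errors" line in the paste above is written by Exim's built-in limit, so counting those lines per client address shows the limit working, while counting "SMTP syntax error" lines per address shows which clients are generating the volume the first post complained about (that post counted over 52000 unique addresses). The script below is POSIX sh plus awk; the log path is the usual cPanel location and is an assumption, and the sample lines are constructed in the shapes quoted in posts #1 and #4, using RFC 5737 documentation addresses and an invented message id.

```sh
#!/bin/sh
# Added example, not from the thread. Summarises Exim main-log lines produced
# by SMTP syntax-error floods. Pass a log path as $1; with no argument the
# constructed sample below is analysed so the script runs stand-alone.

# Constructed sample lines (RFC 5737 addresses, invented ports/message id)
# shaped like the entries quoted in posts #1 and #4.
SAMPLE_LOG='2013-07-10 19:39:58 [4927] SMTP syntax error in "\235\3112\225F" H=[192.0.2.10]:49322 I=[198.51.100.5]:25 NULL character(s) present (shown as ?)
2013-07-10 19:39:58 [4927] SMTP syntax error in "\016J\001" H=[192.0.2.10]:49322 I=[198.51.100.5]:25 NULL character(s) present (shown as ?)
2013-07-10 19:39:58 [4927] SMTP syntax error in "\340\227" H=[192.0.2.10]:49322 I=[198.51.100.5]:25 NULL character(s) present (shown as ?)
2013-07-10 19:39:58 SMTP call from [192.0.2.10]:49322 I=[198.51.100.5]:25 dropped: too many syntax or protocol errors (last command was "\235\311")
2013-07-10 19:40:00 [4931] SMTP syntax error in "\372H" H=[203.0.113.7]:61884 I=[198.51.100.5]:25 NULL character(s) present (shown as ?)
2013-07-10 19:40:01 1UwXyZ-0001bc-Qx <= alice@example.org H=mail.example.net [198.51.100.20] P=esmtp S=1234
2013-07-10 19:40:02 SMTP connection from host34.example [192.0.2.34]:46929 I=[198.51.100.5]:25 lost (error: Connection reset by peer)'

# peer_ip: print the remote address of each log line read on stdin. Exim
# writes it as "H=[addr]", "H=host [addr]" or "... from host [addr]"; the
# first such bracketed address on the line is taken.
peer_ip() {
    awk 'match($0, /(H=|from )[^[]*\[[^]]+\]/) {
        s = substr($0, RSTART, RLENGTH)
        sub(/^.*\[/, "", s)   # drop everything up to the opening bracket
        sub(/\]$/, "", s)     # drop the closing bracket
        print s
    }'
}

# Per-address count of "SMTP syntax error" lines: the log-volume problem.
syntax_errors_by_ip() {
    grep 'SMTP syntax error' "$1" | peer_ip | sort | uniq -c | sort -rn
}

# Per-address count of connections Exim dropped after too many syntax or
# protocol errors (smtp_max_synprot_errors, default 3). Non-zero counts here
# are the evidence that the built-in limit is firing.
dropped_by_ip() {
    grep 'dropped: too many syntax or protocol errors' "$1" \
        | peer_ip | sort | uniq -c | sort -rn
}

# Number of distinct addresses that produced either kind of line.
count_unique_offenders() {
    grep -E 'SMTP syntax error|dropped: too many syntax or protocol errors' "$1" \
        | peer_ip | sort -u | wc -l | tr -d ' '
}

report() {
    echo "== SMTP syntax errors per address =="
    syntax_errors_by_ip "$1"
    echo "== connections dropped per address =="
    dropped_by_ip "$1"
    echo "unique offending addresses: $(count_unique_offenders "$1")"
}

if [ -n "${1:-}" ]; then
    report "$1"                      # e.g. ./exim_synerr.sh /var/log/exim_mainlog
else
    TMP_LOG=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$TMP_LOG"
    report "$TMP_LOG"
    rm -f "$TMP_LOG"
fi
```

    On the sample, the first address shows three syntax errors followed by one dropped connection, which is exactly the pattern the default limit of three produces; an address with many syntax errors and no dropped line would mean it is reconnecting for every attempt, and the per-address totals from this report are the input you would hand to a firewall rule or to a tool like fail2ban.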
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,674
    Likes Received:
    646
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    This looks more like a case where a spammer is using too many commands at SMTP time with a mailer script. You may want to block the IP address making the connection in your firewall.

    Thank you.
     
  6. nyoman

    nyoman Active Member

    Joined:
    Nov 25, 2008
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    I cannot block the IP manually, sir :)
    There are many IPs trying to attack the server.

    Tried using fail2ban but no luck.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,674
    Likes Received:
    646
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You may want to open a new thread in the "Security" forum here for additional advice, as this issue is a bit different than the original topic on this thread.

    Thank you.
     