Hello all,
I am frustrated with our hosting support; they do not do anything about my problem (more than 7 days, they just respond with "We are requesting the data center mitigate the attack.").
OK, here is the problem.
My server was attacked on the SMTP/Exim service; this makes our mail server busy, and the "real" mail server and our clients sometimes get timeout messages. Some email arrives too late, more than 25 minutes to 1 day (24h).
As a temporary solution I increased smtp_accept_max = 200.
In exim_mainlog I found many errors; some of them look like this:
Code:
2013-08-23 16:07:42 SMTP syntax error in "r\227`\363&\204\335\230u\261\377+\b[w\307\032\203\026\\024\374\3770\355\027\030\311\0039\263_\222\351.\371\2227\223\221gZ\257'\250\246\222\300\265Z\020Y\265\250t\361M\306\r\211\276\261Z p\233&\270\362\345\210Q\025m=\350\341"<\200\373<\323\030E\366\323\257\223\250\320H\202\227\037\337NM\036w\335\375\231\020Z\324\332\255\362\361sE\313\r\214\335<\371\330t\356\342\244\f\373\226"\245+\204\360;\021\006"\324\275?\247u\320\243k\004t\254\370\2414w\0034\313\031w\321\313g\333i\367[\255\376\356<\364\230\324\276%1\004\254\363\307\214\305D``\225\235n\277\236\267\005\215T\244&=>p\276\241\303\243UU\255o\355\372\024\350\3739}\005\036uU\3311\220o^S\234#\334\353\357I\372\200\363\220Z\033 \262\365\261m7)IFSA\341\267>\216x\252&\331\020\033\022&\250\364->@r\177\244\327\313\241o|\214\347\237\b\346\204\220\247X\353\0029\0334\344\322\247\316\271/;\363V\305\v\242Q_Q\030\353WZ\323l\356\003P\033\210\250\323\315\037}\366\351\265'\024\203M<\2243\346\206M4}\031\367\253\030\031E\020\261c\376\020Hy\037\254\336\307\321\250w8\275\365\016h\252\303\245\032\224\217=\202\022\277\326\234,Vo?Jq\b??\356\2362\360lCQ\241\350\334LXhto\337m\v\357\0375\246U\257\262;%\362\312\3264-\205\354\200\257\250\213\026g\233\2446T\366\271\321\036TE\257 NmO>\226\004\215y\240\v\354\017\2554\307+\305\314\247\264\202\322\366\366\327\376\006\024q\226[\223\333.\3046\225\314aM*f\313?b\376(hM\r\305\b\r.\332\217\301\304\026D#\\226\217\334\365\262c\374\346\275\002$$JPB\2743"\341\255\231\263\327I\216\233K\207\246\265\342\037AQR\277\275\347IQ\004\310\225q\304\017\361\205P\313>\236N=8\024\375-1O\251\243\333\352\202\237\361\002?\021Z\032U\026\311\267Dk\007O\255\302\312f7\241\266\177Ki\002\362H*\020\rn\2454!rm \274$\227\354S\326\240\272k\266V\271\[email protected]\205\233a\364\0024\322\337O\313\325\307\232c\305\025\377\373\264\021\264\253\200\307\262C\327\346\314\332\344\232Js\263\316\037\023>f\235*\020\227\373\246\205\234\Y\303\353Q\366\035\032D\017\220I''k\266\306?\376MQS\230\263W\353\337?\261\222\272\0220*\177h\254\303\312}H\344!?\024y\211\275C\022!\333\334\251Q\310\[email protected]\372DY\332\003?\[email protected]\302\007t9\214\240\366\203\35693\327\325\320M\361li\330\250\354?\313\2207\231\373}\0050_\2436G\367 \322^\320<\352\366N\216P\216\255\254\310B\206\310\340\332`\303\037|\0364\336"
OK, I found this link http://forums.cpanel.net/f43/exim-acl-block-buffer-overflow-attempts-353841.html which said my Exim is not vulnerable, and I can hide the error message from the log. But this does not prevent the attacker from hitting my server. From the log I still find many error lines like this:
Code:
(n139';;H©°#j:13:15 SMTP call from host-87-75-193-31.dslgb.com [87.75.193.31]:20890 I=[198.x.y.z]:25 dropped: too many syntax or protocol errors (last command was ýü
-j
ìǾçVÒ
g5zH¬<©b·%0ñ;Ç&øÖ"[½óµÏL¡¨Ê@BÜݾYaDËÔrÆÚa zæ
Õ@Àæq¬Ê<ëæµ²æ b 4¹****Ôu")
Temporarily I blocked them using iptables:
Code:
grep "dropped: too many syntax or protocol errors" /var/log/exim_mainlog | cut -d'[' -f2 | cut -d']' -f1 | sort -u | while read -r X; do iptables -A INPUT -s "$X" -p tcp --dport 25 -j DROP; done
I want something automatic; I tried fail2ban, but I am not very expert in Perl or other languages/scripting.
Thanks for your help
Nyoman
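As an added example (not code from the original post, nor from cPanel or Exim), here is a small Python 3 script that does what the iptables loop in the post does, but automatically and so that it can be rerun from cron: it scans exim_mainlog for "dropped: too many syntax or protocol errors", counts drops per peer IP, and inserts a DROP rule for repeat offenders unless an identical rule already exists. It assumes the cPanel log path /var/log/exim_mainlog, a threshold of two dropped connections, and a small allow-list; the sample log lines are constructed in the shape of the lines quoted in the post, with 198.51.100.10 standing in for the redacted 198.x.y.z. It also goes slightly beyond the quoted lines by accepting peers Exim logs without a host name ("SMTP call from [ip]:port").

```python
#!/usr/bin/env python3
"""Block SMTP peers that Exim dropped for "too many syntax or protocol errors".

Added example for this thread, not code from the original post or from
cPanel/Exim. Log path, threshold, allow-list and the sample log below are
assumptions / constructed data, not taken from the poster's server.
"""
import re
import subprocess
from collections import Counter

LOG_PATH = "/var/log/exim_mainlog"   # cPanel default location (assumption)
THRESHOLD = 2                         # drops per IP before blocking (assumption)
ALLOWLIST = {"127.0.0.1"}             # never block these (assumption)

# Exim logs the peer as "[ip]:port" after an optional host name, then the local
# endpoint as "I=[ip]:port". The attacker's last command can smear binary junk
# over the timestamp of the next line (the post shows one such line), so the
# pattern deliberately does not depend on the date at the start of the line.
DROPPED_RE = re.compile(
    r"SMTP call from (?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+"
    r" I=\[[^\]]+\]:\d+ dropped: too many syntax or protocol errors"
)


def offenders(lines, threshold=THRESHOLD):
    """Return {ip: drop_count} for every peer dropped at least `threshold` times."""
    counts = Counter()
    for line in lines:
        m = DROPPED_RE.search(line)
        if m and m.group("ip") not in ALLOWLIST:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def drop_rule(ip):
    """iptables match/target arguments for one peer (chain and verb added by caller)."""
    return ["-s", ip, "-p", "tcp", "--dport", "25", "-j", "DROP"]


def block(ips, dry_run=True):
    """Insert a DROP rule for each IP unless an identical rule already exists.

    -I (insert at top) rather than -A: a DROP appended behind an earlier ACCEPT
    for port 25 never matches. -C (check) makes reruns idempotent (needs
    iptables >= 1.4.11). Returns the insert commands that were, or in dry-run
    mode would be, executed.
    """
    done = []
    for ip in sorted(ips):
        check = ["iptables", "-C", "INPUT", *drop_rule(ip)]
        insert = ["iptables", "-I", "INPUT", *drop_rule(ip)]
        if not dry_run:
            if subprocess.run(check, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0:
                continue                     # rule already present
            subprocess.run(insert, check=True)
        done.append(insert)
    return done


def read_log(path=LOG_PATH):
    """Read the log as latin-1 (never fails on attacker garbage), split on \\n only."""
    with open(path, encoding="latin-1") as fh:
        return fh.read().split("\n")


# Constructed sample in the shape of the lines quoted in the post; the second
# line has junk bytes where the timestamp should be, as in the post.
SAMPLE_LOG = (
    "2013-08-23 16:07:42 SMTP call from host-87-75-193-31.dslgb.com [87.75.193.31]:20890 "
    "I=[198.51.100.10]:25 dropped: too many syntax or protocol errors (last command was \"\\xfd\\xfc\")\n"
    "\x00\xff\xa9H\xb0#j:13:15 SMTP call from host-87-75-193-31.dslgb.com [87.75.193.31]:20891 "
    "I=[198.51.100.10]:25 dropped: too many syntax or protocol errors (last command was \"\\x16\")\n"
    "2013-08-23 16:08:01 SMTP call from [203.0.113.7]:5555 "
    "I=[198.51.100.10]:25 dropped: too many syntax or protocol errors (last command was \"\")\n"
    "2013-08-23 16:08:05 SMTP call from mail.example.net [203.0.113.9]:4000 "
    "I=[198.51.100.10]:25 dropped: too many nonmail commands (last was \"HELP\")\n"
)

if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG.split("\n") if "--sample" in sys.argv else read_log()
    for cmd in block(offenders(lines), dry_run="--apply" not in sys.argv):
        print(" ".join(cmd))
```

Run it with `--sample` to see what it would do on the embedded lines, without arguments for a dry run against the real log, and with `--apply` (as root, for example every few minutes from cron) to actually insert the rules; the `-C` check means a rerun adds nothing twice. The rules live only in the running kernel, so persist them the way the host already does (iptables-save, or a firewall such as csf) if they should survive a reboot.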