Exim DDOS problem

Discussion in 'Security' started by iscwf2014, Mar 15, 2016.

  1. iscwf2014

    Hello,
    I've got a problem with some attacks on exim. There are many IPs that are opening a connection to the server and no communication after.

    2016-03-15 12:32:08 SMTP connection from [`IP.IP.IP.IP`]:63997 (TCP/IP connection count = 24)
    2016-03-15 12:32:18 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:63997 lost
    2016-03-15 12:32:18 SMTP connection from [`IP.IP.IP.IP`]:64270 (TCP/IP connection count = 26)
    2016-03-15 12:32:29 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:64270 lost
    2016-03-15 12:32:29 SMTP connection from [`IP.IP.IP.IP`]:64532 (TCP/IP connection count = 27)
    2016-03-15 12:32:40 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:64532 lost
    2016-03-15 12:32:40 SMTP connection from [`IP.IP.IP.IP`]:64795 (TCP/IP connection count = 29)
    2016-03-15 12:32:50 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:64795 lost
    2016-03-15 12:32:50 SMTP connection from [`IP.IP.IP.IP`]:65060 (TCP/IP connection count = 31)
    2016-03-15 12:33:01 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:65060 lost


    Each of these IPs is making 1-5 connections, and soon the limit is reached and no connection is allowed from anywhere. The increasing "TCP/IP connection count" is not linear and can stay for a few hours at 1-3, even if the above (connect + connection lost) is happening.
    Most of the IPs are in RBL; I've enabled RBL check and I've enabled ratelimit in exim for but no luck.

    Does anyone know what the problem is? I thought if a connection is made and after 10 sec is lost, the counter should not increment. The 'attack' is not sustained; there is ~1 of these connections every 2-5 minutes, but the problem with max connection reached occurs every few hours.

    Thank you
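
A log tally for the pattern described in the post above, as an added example that is not part of the original thread: it pairs each accepted connection with its "lost" line by IP and port, records how long each was held, and lists connections that never got a "lost" line. The sample lines and addresses are constructed, and `summarize` is a hypothetical name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the two line shapes from the post; IPs are documentation ranges.
SAMPLE_LOG = """\
2016-03-15 12:32:08 SMTP connection from [192.0.2.10]:63997 (TCP/IP connection count = 24)
2016-03-15 12:32:18 SMTP connection from host.example [192.0.2.10]:63997 lost
2016-03-15 12:32:18 SMTP connection from [192.0.2.10]:64270 (TCP/IP connection count = 26)
2016-03-15 12:32:29 SMTP connection from host.example [192.0.2.10]:64270 lost
2016-03-15 12:32:30 SMTP connection from [198.51.100.7]:40112 (TCP/IP connection count = 27)
2016-03-15 12:32:31 SMTP connection from [203.0.113.5]:51000 (TCP/IP connection count = 28)
2016-03-15 12:32:45 SMTP connection from mx.example [203.0.113.5]:51000 lost
"""

# Matches "accepted" lines (with the connection count) and "lost" lines for the same [ip]:port.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP connection from "
    r".*?\[(?P<ip>[^\]]+)\]:(?P<port>\d+) "
    r"(?:\(TCP/IP connection count = (?P<count>\d+)\)|(?P<lost>lost\b.*))$"
)

def summarize(log_text):
    """Pair each accepted connection with its 'lost' line, keyed on (ip, port)."""
    open_at = {}  # (ip, port) -> time accepted
    stats = defaultdict(lambda: {"opened": 0, "lost": 0, "held_s": []})
    peak = 0
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other log lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["ip"], m["port"])
        if m["count"]:
            open_at[key] = ts
            stats[m["ip"]]["opened"] += 1
            peak = max(peak, int(m["count"]))
        elif key in open_at:  # a 'lost' line with no matching open is skipped
            held = (ts - open_at.pop(key)).total_seconds()
            stats[m["ip"]]["lost"] += 1
            stats[m["ip"]]["held_s"].append(held)
    # Whatever is left was accepted but never logged as lost in this window.
    return dict(stats), sorted(open_at), peak

if __name__ == "__main__":
    per_ip, unclosed, peak = summarize(SAMPLE_LOG)
    for ip, s in sorted(per_ip.items()):
        print(ip, s)
    print("no 'lost' line seen for:", unclosed)
    print("peak connection count:", peak)
```
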
     
  2. cPanelMichael
