iscwf2014

cPanel Access Level: Root Administrator
Hello,
I've got a problem with some attacks on exim. There are many IPs that open a connection to the server, with no communication afterwards.

```
2016-03-15 12:32:08 SMTP connection from [IP.IP.IP.IP]:63997 (TCP/IP connection count = 24)
2016-03-15 12:32:18 SMTP connection from hostname_IP [IP.IP.IP.IP]:63997 lost
2016-03-15 12:32:18 SMTP connection from [IP.IP.IP.IP]:64270 (TCP/IP connection count = 26)
2016-03-15 12:32:29 SMTP connection from hostname_IP [IP.IP.IP.IP]:64270 lost
2016-03-15 12:32:29 SMTP connection from [IP.IP.IP.IP]:64532 (TCP/IP connection count = 27)
2016-03-15 12:32:40 SMTP connection from hostname_IP [IP.IP.IP.IP]:64532 lost
2016-03-15 12:32:40 SMTP connection from [IP.IP.IP.IP]:64795 (TCP/IP connection count = 29)
2016-03-15 12:32:50 SMTP connection from hostname_IP [IP.IP.IP.IP]:64795 lost
2016-03-15 12:32:50 SMTP connection from [IP.IP.IP.IP]:65060 (TCP/IP connection count = 31)
2016-03-15 12:33:01 SMTP connection from hostname_IP [IP.IP.IP.IP]:65060 lost
```


Each of these IPs is making 1-5 connections, and soon the limit is reached and no connection is allowed from anywhere. The increase in "TCP/IP connection count" is not linear, and it can stay at 1-3 for a few hours even if the above connect + connection lost is happening.
Most of the IPs are in an RBL. I've enabled RBL check and I've enabled ratelimit in exim for but no luck.

Does anyone know what the problem is? I thought that if a connection is made and is lost after 10 sec, the counter should not increment. The 'attack' is not sustained; there is ~1 of these connections every 2-5 minutes, but the problem with max connections reached occurs every few hours.

Thank you
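
The connect/lost pattern in the log excerpt above can be tallied per IP, as an added example that is not part of the original thread. It assumes only the two line shapes shown in the post; the function name `summarize` is hypothetical and the sample lines are constructed with documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shapes follow the log excerpt in the post; other exim endings are ignored.
CONN = r"^(\S+ \S+) SMTP connection from (?:\S+ )?\[([^\]]+)\]:(\d+) "
OPENED = re.compile(CONN + r"\(TCP/IP connection count = (\d+)\)")
LOST = re.compile(CONN + r"lost\b")
TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample (documentation-range addresses), not real log data.
SAMPLE = """\
2016-03-15 12:32:08 SMTP connection from [192.0.2.10]:63997 (TCP/IP connection count = 24)
2016-03-15 12:32:18 SMTP connection from host.example [192.0.2.10]:63997 lost
2016-03-15 12:32:18 SMTP connection from [192.0.2.10]:64270 (TCP/IP connection count = 26)
2016-03-15 12:32:20 SMTP connection from [198.51.100.7]:40111 (TCP/IP connection count = 27)
2016-03-15 12:32:29 SMTP connection from host.example [192.0.2.10]:64270 lost
""".splitlines()

def summarize(lines):
    """Pair each connect with its 'lost' line by (ip, port)."""
    pending = {}                      # (ip, port) -> time the connection opened
    lost_after = defaultdict(list)    # ip -> seconds each lost connection lasted
    peak = 0                          # highest "TCP/IP connection count" seen
    for line in lines:
        m = OPENED.match(line)
        if m:
            ts, ip, port, count = m.groups()
            pending[(ip, port)] = datetime.strptime(ts, TS)
            peak = max(peak, int(count))
            continue
        m = LOST.match(line)
        if m:
            ts, ip, port = m.groups()
            opened = pending.pop((ip, port), None)
            if opened is not None:
                secs = (datetime.strptime(ts, TS) - opened).total_seconds()
                lost_after[ip].append(int(secs))
    # Opened in this window with no 'lost' line: ended some other way, or still open.
    unclosed = defaultdict(int)
    for ip, _port in pending:
        unclosed[ip] += 1
    return {"peak": peak, "lost_after": dict(lost_after), "unclosed": dict(unclosed)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Comparing `unclosed` with `peak` shows whether the IPs that connect and drop are the ones still holding slots when the count climbs.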
 

cPanelMichael

Administrator
Staff member
Hello :)

Do you have a firewall management utility, such as CSF, installed to help block these attacks?

Thank you.