
Exim DDOS problem

Discussion in 'Security' started by iscwf2014, Mar 15, 2016.

  1. iscwf2014

    iscwf2014 Registered

    Hello,
    I've got a problem with some attacks on exim. There are many IPs that are opening a connection to the server and no communication after.

    2016-03-15 12:32:08 SMTP connection from [`IP.IP.IP.IP`]:63997 (TCP/IP connection count = 24)
    2016-03-15 12:32:18 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:63997 lost
    2016-03-15 12:32:18 SMTP connection from [`IP.IP.IP.IP`]:64270 (TCP/IP connection count = 26)
    2016-03-15 12:32:29 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:64270 lost
    2016-03-15 12:32:29 SMTP connection from [`IP.IP.IP.IP`]:64532 (TCP/IP connection count = 27)
    2016-03-15 12:32:40 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:64532 lost
    2016-03-15 12:32:40 SMTP connection from [`IP.IP.IP.IP`]:64795 (TCP/IP connection count = 29)
    2016-03-15 12:32:50 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:64795 lost
    2016-03-15 12:32:50 SMTP connection from [`IP.IP.IP.IP`]:65060 (TCP/IP connection count = 31)
    2016-03-15 12:33:01 SMTP connection from `hostname_IP` [IP.IP.IP.IP]:65060 lost


    Each of these IPs is doing 1-5 connections, and soon the limit is reached and no connection is allowed from anywhere. The increasing "TCP/IP connection count" is not linear and can stay at 1-3 for a few hours, even if the above (connect + connection lost) is happening.
    Most of the IPs are in RBL; I've enabled RBL check and I've enabled ratelimit in exim for but no luck.

    Does anyone know what the problem is? I thought if a connection is made and after 10 sec is lost the counter should not increment. The 'attack' is not sustained, there are ~1 of these connections every 2-5 minutes, but the problem with max connection reached occurs every few hours.

    Thank you
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Do you have a firewall management utility, such as CSF, installed to help block these attacks?

    Thank you.
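
A triage sketch for the log pattern quoted in the first post, added here as an example and not posted by either participant: it pairs each accepted connection with its end line, lists the IPs that repeatedly connect and are then logged as "lost", and lists connections with no end line in the log. The sample log, the `analyse` function and the `min_lost` threshold are assumptions made for the example; the addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the first post (not real data).
# The "closed by QUIT" line does not appear in the post's excerpt.
SAMPLE_LOG = """\
2016-03-15 12:32:08 SMTP connection from [192.0.2.10]:63997 (TCP/IP connection count = 24)
2016-03-15 12:32:18 SMTP connection from host10.example [192.0.2.10]:63997 lost
2016-03-15 12:32:18 SMTP connection from [192.0.2.10]:64270 (TCP/IP connection count = 26)
2016-03-15 12:32:29 SMTP connection from host10.example [192.0.2.10]:64270 lost
2016-03-15 12:32:29 SMTP connection from [192.0.2.10]:64532 (TCP/IP connection count = 27)
2016-03-15 12:32:40 SMTP connection from host10.example [192.0.2.10]:64532 lost
2016-03-15 12:33:02 SMTP connection from [203.0.113.7]:40112 (TCP/IP connection count = 28)
2016-03-15 12:33:05 SMTP connection from mail.example [203.0.113.7]:40112 closed by QUIT
2016-03-15 12:33:10 SMTP connection from [198.51.100.4]:51000 (TCP/IP connection count = 29)
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP connection from "
    r"(?:\S+ )?\[(?P<ip>[^\]]+)\]:(?P<port>\d+) "
    r"(?P<rest>\(TCP/IP connection count = (?P<count>\d+)\)|lost|closed by QUIT)"
)

def analyse(log_text, min_lost=3):
    opened = {}               # (ip, port) -> time the connection was accepted
    lost = defaultdict(list)  # ip -> durations in seconds of sessions ending "lost"
    peak = 0                  # highest connection count reported in the log
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["ip"], m["port"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["count"]:                      # accept line carries the counter
            opened[key] = ts
            peak = max(peak, int(m["count"]))
        elif key in opened:                 # end line for a connection we saw open
            start = opened.pop(key)
            if m["rest"] == "lost":
                lost[m["ip"]].append((ts - start).total_seconds())
    suspects = {ip: d for ip, d in lost.items() if len(d) >= min_lost}
    dangling = sorted(ip for ip, _ in opened)  # accepted, no end line in this log
    return {"peak_count": peak, "suspects": suspects, "dangling": dangling}
```

The `suspects` keys are candidates for a firewall deny list, and `dangling` shows which accepted connections never logged an end.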
     