Exim Syntax Attack Won't Stop

Discussion in 'Security' started by rligg, Apr 22, 2014.

  1. rligg

    rligg Well-Known Member

    I have a server that has been experiencing an Exim Syntax Attack for over two weeks now. This week I have enabled csf to kill the IP after 2 syntax errors. It is working for sure. I even upped the IP database to 1500. The server is handling it fine. Just wondering how long these attacks can last before they go away? I'm surprised I only see several posts on this in the forum and nothing current.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. rligg

    rligg Well-Known Member

    Yes, this thread is old. CSF/LFD takes care of this now and it is working. But nothing will stop the attack, it just keeps going. I have to rotate the exim logs every day so as not to fill up /var.
     
  4. quizknows

    quizknows Well-Known Member

    Yeah, it's extremely annoying. I adjusted logrotate.d to rotate / compress the logs for me on servers under this attack.

    Not much else you can do other than try raising the limit on the number of IPs that CSF will block at once.
     
  5. rligg

    rligg Well-Known Member

    What did you put in to compress the files?
     
  6. quizknows

    quizknows Well-Known Member

    This is assuming you have the file /etc/logrotate.d/exim

    My /etc/logrotate.d/exim file looks like this:

    Code:
    /var/log/exim_mainlog {
        create 0640 mailnull mail
        compress
        postrotate
        /usr/bin/killall -HUP exim
        endscript
    }
    /var/log/exim_paniclog {
        missingok
        create 0640 mailnull mail
        compress
        postrotate
        /usr/bin/killall -HUP exim
        endscript
    }
    /var/log/exim_rejectlog {
        create 0640 mailnull mail
        compress
        postrotate
        /usr/bin/killall -HUP exim
        endscript
    }
    
    The "compress" setting gzips the rotated-out logs. My main /etc/logrotate.conf has weekly set. You can either change that to daily (which would rotate all your system logs daily, not recommended), or you should be able to add the daily setting for exim_mainlog like this in /etc/logrotate.d/exim:

    Code:
    /var/log/exim_mainlog {
        create 0640 mailnull mail
        daily
        compress
        postrotate
        /usr/bin/killall -HUP exim
        endscript
    }
    
    logrotate has nice docs in the man page. You could also just set compress in the global /etc/logrotate.conf file, but settings in that file can be overridden by later included configs.
     
    #6 quizknows, Apr 25, 2014
    Last edited: Apr 25, 2014
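
To see which addresses are producing the syntax errors discussed in this thread, and how many would cross a "2 errors" threshold like the one in the first post, the following added example (not code from any poster) tallies dropped connections per IP. The sample lines are constructed and the line format is an assumption modelled on Exim's "too many syntax or protocol errors" message; `sample_log` and `syntax_offenders` are hypothetical names.

```shell
#!/bin/sh
# Added example: tally Exim "syntax or protocol errors" drops per source IP.

# Constructed sample lines (documentation IP ranges), modelled on exim_mainlog.
# The exact line layout is an assumption; adjust the pattern to your own log.
sample_log() {
cat <<'EOF'
2014-04-22 10:15:01 SMTP call from [203.0.113.5] dropped: too many syntax or protocol errors (last command was "GET / HTTP/1.1")
2014-04-22 10:15:09 SMTP call from mail.example.net [198.51.100.7] dropped: too many syntax or protocol errors (last command was "xyz")
2014-04-22 10:16:30 SMTP call from [203.0.113.5]:40112 dropped: too many syntax or protocol errors (last command was "abc")
2014-04-22 10:17:02 1WcXyZ-0001ab-2C <= user@example.org H=relay.example.org [192.0.2.10] P=esmtp S=1824
2014-04-22 10:18:44 SMTP call from [203.0.113.5] dropped: too many syntax or protocol errors (last command was "abc")
EOF
}

# syntax_offenders THRESHOLD
# Reads log lines on stdin and prints "count ip" for every IP with at least
# THRESHOLD matching drops, busiest first.
syntax_offenders() {
    awk -v min="$1" '
        /too many syntax or protocol errors/ {
            # The first bracketed field on the line is the connecting IP;
            # a trailing :port (if logged) sits outside the brackets.
            if (match($0, /\[[0-9a-fA-F.:]+\]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                hits[ip]++
            }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Threshold of 2 mirrors the setting described in the first post.
sample_log | syntax_offenders 2
```

On a live server the same function can read the real log, for example `syntax_offenders 2 < /var/log/exim_mainlog`, before or after rotation.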