The Community Forums


Exim system getting DDOSed, need some quick advice.

Discussion in 'Security' started by jols, Aug 31, 2012.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Hi folks,

    I should know this but I don't.

    For the past few days, our email system has received a very bad DDOS attack. At this point we are quite desperate.

    It's just a simple question; all I need is some simple advice, it would seem. Thanks very much.

    ---------------
    Regarding exim_mainlog entries like this:

    2012-08-31 15:54:18 SMTP connection from [64.132.92.169]:36391 (TCP/IP connection count = 144)
    2012-08-31 15:54:19 SMTP connection from [65.25.104.113]:55800 (TCP/IP connection count = 145)
    2012-08-31 15:54:19 SMTP connection from [216.27.86.177]:36975 (TCP/IP connection count = 146)
    2012-08-31 15:54:19 SMTP connection from [173.231.139.1]:45551 (TCP/IP connection count = 147)

    Obviously we have inbound connections to the email system on high number ports, e.g. 36391, 55800, 36975 and so on. But I have configured our CSF firewall NOT to open any such ports. So how are they even able to perform SMTP connections on such ports?

    Seems to me that legitimate traffic would use port 25 to send email, and 110 to receive, and the IMAP port 143 (disregarding the secure email ports for the sake of discussion).

    So, is there any way of blocking, or switching off these high number port connects to SMTP while allowing regular legitimate connections to the email system?
     
  2. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    I'm trying to figure out how to implement the following in exim.conf, but so far it does not seem to do any good:

    smtp_accept_max_per_host = 3
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Are you able to connect on those ports from a remote system? If not, I don't know how to answer the question, since it seems unlikely they could be connecting on such ports if you cannot.

    Depending on what state they are when trying the connection, it might not ever make it to the state of being rejected by exim. Some connection states never try a full connection but purposely try to just cause a denial of service in a SYN_RECV state. In such instances, the best way to handle these would be with your datacenter, NOC or provider to filter them at the network level.
     
  4. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    The odd thing is, when this was occurring, the number of active exim processes that I could see in ps -ef | grep exim was literally through the roof. So apparently THEY were able to connect.
     
  5. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    WHM >> Service Configuration >> Exim Configuration Manager >> Advanced Editor

    If this option is not already there you need to click "Add additional configuration setting" button.

    Put the values in their respective boxes.

    You can set:
    • smtp_accept_max_per_host = 3
    • smtp_accept_max = 20

    This should do the trick.
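The following is an added example, not code from the thread or from cPanel, that works through the exim_mainlog lines quoted in the first post together with the per-host limit suggested above. It parses "SMTP connection from" lines in the format shown (the number after the colon is the remote end's port as Exim logs it), counts connections per source address over the logged window, and lists the hosts whose count exceeds the value one would give smtp_accept_max_per_host. The sample log is constructed for the example (addresses, ports and counts are made up, with one unrelated line mixed in to show the parser skips it); the threshold of 3 is the value from the thread.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Matches the "SMTP connection from" lines quoted in the thread. Exim logs the
# remote address in brackets followed by the remote (source) port, then the
# running TCP/IP connection count it has accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP connection from "
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+) \(TCP/IP connection count = (?P<count>\d+)\)$"
)

# Constructed sample log, modelled on the format of the lines in the first post.
# The addresses are documentation ranges and the counts are invented.
SAMPLE_LOG = """\
2012-08-31 15:54:18 SMTP connection from [192.0.2.10]:36391 (TCP/IP connection count = 144)
2012-08-31 15:54:19 SMTP connection from [198.51.100.7]:55800 (TCP/IP connection count = 145)
2012-08-31 15:54:19 SMTP connection from [192.0.2.10]:36975 (TCP/IP connection count = 146)
2012-08-31 15:54:19 SMTP connection from [203.0.113.5]:45551 (TCP/IP connection count = 147)
2012-08-31 15:54:20 SMTP connection from [192.0.2.10]:40001 (TCP/IP connection count = 148)
2012-08-31 15:54:20 SMTP connection from [192.0.2.10]:40002 (TCP/IP connection count = 149)
2012-08-31 15:54:21 Start queue run: pid=12345
2012-08-31 15:54:21 SMTP connection from [198.51.100.7]:55801 (TCP/IP connection count = 150)
"""

Record = Tuple[str, str, int, int]  # (timestamp, ip, remote_port, connection_count)


def parse_connections(log_text: str) -> List[Record]:
    """Extract one record per 'SMTP connection from' line; other lines are ignored."""
    records: List[Record] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["ts"], m["ip"], int(m["port"]), int(m["count"])))
    return records


def connections_per_host(records: List[Record]) -> Dict[str, int]:
    """Number of accepted connections seen from each source address in the window."""
    return dict(Counter(ip for _, ip, _, _ in records))


def hosts_over_limit(records: List[Record], per_host_limit: int = 3) -> List[str]:
    """Source addresses that opened more than per_host_limit connections in the window.

    per_host_limit mirrors the value given to smtp_accept_max_per_host (3 in the
    thread). Note that Exim applies that option to *simultaneous* connections from a
    host, whereas this counts every accepted connection in the log window, so the
    result is a list of addresses worth checking, not a reproduction of Exim's decision.
    """
    return sorted(ip for ip, n in connections_per_host(records).items() if n > per_host_limit)


def peak_connection_count(records: List[Record]) -> int:
    """Highest 'TCP/IP connection count' Exim reported in the window (0 if none)."""
    return max((count for _, _, _, count in records), default=0)


if __name__ == "__main__":
    recs = parse_connections(SAMPLE_LOG)
    print(f"{len(recs)} SMTP connections parsed, peak count {peak_connection_count(recs)}")
    for ip, n in sorted(connections_per_host(recs).items(), key=lambda kv: -kv[1]):
        print(f"  {ip:<16} {n}")
    print("over per-host limit of 3:", hosts_over_limit(recs))
```

Two caveats matter when reading the output against the thread. First, exim_mainlog only records connections Exim actually accepted, so the half-open SYN_RECV connections described in the staff reply never appear here and have to be observed at the TCP layer (or filtered upstream). Second, smtp_accept_max_per_host limits concurrent connections from one host, so a flood that opens and drops many short connections from many addresses can keep the total high without any single host ever holding more than the limit at once; the per-host counts above are a starting point for deciding which addresses to investigate or block in CSF, not a substitute for the option.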
     
  6. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Thanks much for the reply.

    Indeed I tried exactly what you suggested, but it did not take/work. Exim continued to be pounded. The number of connects from remote hosts stayed in the 70 to 90 range for quite a long time, i.e. 48 hours or so, after I tried this.
     
  7. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Did this get resolved?
     