Getting SLAMMED on port 25

[shortfork]

Over the past month, I've had some nasty connections to port 25 which bring the server load up into the 50's and higher..

Once I find the offending IP, I just drop it into apf -d and load comes down instantly. Am I missing something with apf, shouldn't it be auto blocking when one IP attempts a ton of connections to a given port? Can I do this with port 25?

Also, what to heck could the visitor be doing that ties up so many resources on port 25? I've got the box locked down petty well, all the standard tweeks to keep it as safe as possible... but I think I'm missing something if one single atacker can drag the box down do deeply with one port slam..

HELP!

Shortz

 

[Eric]

Howdy,

I can make some guesses but it would be better to get some logs for when this happens. It sounds malicious but I'd like to be sure before guessing.

Thanks!

 

[shortfork]

Howdy,

I can make some guesses but it would be better to get some logs for when this happens. It sounds malicious but I'd like to be sure before guessing.

Thanks!

Thanks Eric, I'd assume we'd be looking in the exim logs.. It's been a few days since it last happened, I'm trying to figure out Chirpy's firewall system. I'd just have him install it and check the box but he's a victim of his success... too busy right now to do it!!

Anyway, LOVE cPanel but would really like to see a firaccessiblessable via the cPanel interface.. THAT would be the Dog's B's!

 

[quizknows]

I don't know about APF, but CSF has a CT_LIMIT which will block IP's with more than $NUM connections. This could likely help you. I highly recommend the switch from APF to CSF, as CSF has a good built-in login failure daemon (LFD), can block for mod_security triggers, and can be managed via WHM.