The Community Forums


I am getting hit with a distributed dictionary email attack

Discussion in 'E-mail Discussions' started by EdRooney, Dec 14, 2004.

Thread Status:
Not open for further replies.
  1. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    I am getting hit with a distributed dictionary email attack

    I installed the anti-dictionary-attack software, but it just keeps coming from new IPs.

    # cat /etc/exim_deny | uniq | wc -l
    1058

    It's been running about an hour now and is still increasing.

    What should I do?

    Is it good to block that many IPs? Will that slow down delivery of regular mail?
     
  2. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Meaning the one that Chirpy provides?
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That number should be fine. So long as you have installed the recommended hourly cron job it will rotate the IP addresses. You're likely to have a far greater load on your server if you didn't have the ACL in place.
     
  4. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    Is that a lot? Have you seen more than 1000 IPs blocked per hour before?
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yes. I have a server that at one time was getting around 3000 attacks an hour. It was the reason I wrote the ACL in the first place.
     
  6. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    Cool, how many does that server get now?
     
  7. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    1. How did you know you were under this type of attack?
    2. Considering so many IPs are being blocked, would it be a good idea to unblock the IPs in a few months or so, considering some of those IPs may have been dynamic or spoofed?

    Thank you in advance for your replies.
     
  8. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    1. How did you know you were under this type of attack?
    >> I watched the exim main log.

    2. Considering so many IPs are being blocked, would it be a good idea to unblock the IPs in a few months or so, considering some of those IPs may have been dynamic or spoofed?
    >> It depends. If they are dynamically generated, in a few months it is quite possible to have legitimate people, or quite possibly the entire internet, blocked.

    I am thinking of keeping them blocked for a few days.
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    My dictionary attack ACL unblocks the IPs within an hour (depending on how often you have the file rotated via the cron job) since, as you say, they're mostly dynamic. It's highly unlikely that the IP addresses were spoofed, but that's neither here nor there.

    I just checked and that server only gets the normal number now (10-20 an hour) so they've been seen off for now ;)
     
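The thread describes the mechanism without showing it: the OP spotted the attack by watching the exim main log (post 8), chirpy's ACL denies hosts listed in /etc/exim_deny, and an hourly cron job rotates that file so dynamic IPs are unblocked again (posts 3 and 9). The script below is an added example written for this page, not chirpy's ACL or its cron script. It parses constructed Exim-4-style mainlog lines (the hostnames, addresses and timestamps are made up), flags any sending IP that has too many recipient rejections inside a short window, and models the deny-list rotation as an age-based expiry. The threshold, window and one-hour maximum age are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Exim 4 mainlog style; not taken from the original thread.
# Two hosts probe many non-existent local parts (dictionary attack); one
# legitimate relay delivers a message and makes a single typo rejection.
SAMPLE_LOG = """\
2004-12-14 10:15:01 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <alice@example.com>: No Such User Here
2004-12-14 10:15:02 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <andrew@example.com>: No Such User Here
2004-12-14 10:15:02 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <anna@example.com>: No Such User Here
2004-12-14 10:15:03 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <arthur@example.com>: No Such User Here
2004-12-14 10:15:03 H=(mail.example.net) [192.0.2.10] F=<bob@example.net> rejected RCPT <ashley@example.com>: No Such User Here
2004-12-14 10:15:10 1CdXyZ-000123-Ab <= carol@partner.example H=(smtp.partner.example) [198.51.100.7] P=esmtp S=2048
2004-12-14 10:15:11 H=(smtp.partner.example) [198.51.100.7] F=<carol@partner.example> rejected RCPT <typo@example.com>: No Such User Here
2004-12-14 10:16:00 H=(host.example.org) [203.0.113.5] F=<dan@example.org> rejected RCPT <zack@example.com>: Unrouteable address
2004-12-14 10:16:00 H=(host.example.org) [203.0.113.5] F=<dan@example.org> rejected RCPT <zane@example.com>: Unrouteable address
2004-12-14 10:16:01 H=(host.example.org) [203.0.113.5] F=<dan@example.org> rejected RCPT <zara@example.com>: Unrouteable address
2004-12-14 10:16:01 H=(host.example.org) [203.0.113.5] F=<dan@example.org> rejected RCPT <zed@example.com>: Unrouteable address
"""

# Timestamp, the sending IP in square brackets, and a 'rejected RCPT' verdict.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] .*?rejected RCPT <[^>]*>:"
)


def parse_rejections(log_text):
    """Return [(timestamp, ip), ...] for every recipient-rejection line."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("ip")))
    return out


def find_attackers(log_text, threshold=4, window=timedelta(minutes=10)):
    """IPs with at least `threshold` rejections inside any `window`.

    Returns {ip: peak_rejections_in_window}. A single bounced typo from a
    real correspondent stays below the threshold and is not flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip in parse_rejections(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def update_deny_list(existing, flagged, now):
    """existing: {ip: first_blocked_at}. New IPs are stamped `now`;
    IPs already present keep their original stamp so they still expire."""
    updated = dict(existing)
    for ip in flagged:
        updated.setdefault(ip, now)
    return updated


def rotate_deny_list(entries, now, max_age=timedelta(hours=1)):
    """Drop entries older than `max_age`; this is the hourly cron rotation
    that lets a reassigned dynamic IP send mail again."""
    return {ip: t for ip, t in entries.items() if now - t <= max_age}


def render_deny_file(entries):
    """One host per line, the layout Exim reads when an ACL uses a
    file name as a host list (e.g. `hosts = /etc/exim_deny`)."""
    return "\n".join(sorted(entries)) + "\n"


if __name__ == "__main__":
    now = datetime(2004, 12, 14, 10, 20, 0)
    flagged = find_attackers(SAMPLE_LOG)
    deny = update_deny_list({}, flagged, now)
    print(render_deny_file(deny), end="")
    print(len(rotate_deny_list(deny, now + timedelta(hours=1, seconds=1))), "left after rotation")
```

Two practical notes. First, keep the block at the SMTP layer, as the ACL does: the deny file is consulted by Exim, so port 80 traffic from the same address is unaffected, which is the concern raised later in the thread about iptables. Second, when counting the file as the OP did, `uniq` only collapses adjacent duplicates, so `sort -u /etc/exim_deny | wc -l` gives the true number of distinct hosts.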
  10. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    You rule!!! Chirpy for president!
     
  11. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Better nominate him for Prime Minister instead. ;)
     
  12. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    You really shouldn't be accepting mail from dynamic IPs anyway, so I don't see that as a concern. Spoofed IPs could be a problem, though.

    Or is the block rule added to iptables without specifying a port (i.e. 25), so it would then block HTTP as well?
     
  13. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    How do I block spoofed IPs? I'm at over 15,000 and rapidly increasing.

    # cat exim_deny | wc -l
    15437
     
  14. EdRooney

    EdRooney BANNED

    Joined:
    Oct 21, 2004
    Messages:
    166
    Likes Received:
    0
    Trophy Points:
    0
    How long does it take before the dictionary attackers realize they are blocked and move on to someone else's domain?
     
  15. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    Sometimes weeks.

    The point of the dictionary attack is to limit the number of useless messages flowing to the inbox. It's up to you as an admin to deal with it as you see fit. They'll still hammer the server (that's what they're trying to do).
     
  16. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Actually, there are a couple of settings you can use to help the OS recognize and reject packets from spoofed IPs. You'll have to search this forum, and possibly Google, to find them, though.

    I think putting

    ALL: PARANOID

    into /etc/hosts.deny is one way, but I'm not really positive on that, or on exactly what it does, so look it up first.
     
  17. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Why don't you simply change the MX record of the domain name under attack to one of these IPs?
     
  18. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Please be more careful - this is a 2 year old thread.
     