SMTP attack on server ?

Discussion in 'E-mail Discussions' started by nyjimbo, Jan 15, 2014.

  1. nyjimbo

    Right now we seem to be having an SMTP attack on one of our servers. We are getting connections from machines sending gibberish. After a short while the logs will show "dropped: too many syntax or protocol errors".

    It appears to be mostly coming from Eastern Europe and parts of Asia.

    I have added ranges of IPs to cphulkd and have added the same ranges to "Blacklisted SMTP IP addresses" inside the Exim configuration, saved the config and it restarted Exim, but I am still seeing the same IPs, or IPs in those ranges, attempting to send garbage to the server.

    For example, a range will be "1.0.0.0/8", but we are still seeing the same "dropped" messages on, say, an IP like 1.170.4.3, which I think should really just be a quick 550 and a drop?

    What am I doing wrong or what am I missing? The server load is not too bad, but they are using up all the SMTP connections and nobody can connect, or it takes many retries until they can.

    Is there something else I can do to stop this attack on the SMTP port?

    I am running CENTOS 6.3 x86_64 standard – WHM 11.40.1 (build 8)

    Thank you.
     
    #1 nyjimbo, Jan 15, 2014
    Last edited: Jan 15, 2014
  2. nyjimbo

    Thank you. It looks like we need to tighten things up with CSF and LFD.
     
  3. HostingH

    Hello,

    Add the following to exim.conf:

    ####################
    smtp_accept_max = 150
    smtp_accept_max_per_connection = 12
    smtp_accept_max_per_host = 4
    ####################

    And in csf.conf, enable:

    CONNLIMIT = "25;10"

    Note: Change values as per the attack.

    Thanks,
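
Added example, not part of the thread: a small Python log triage for the situation in the first post. It counts "dropped: too many syntax or protocol errors" entries per source IP and separates addresses that fall inside an already blocklisted range such as 1.0.0.0/8 (they are still getting as far as Exim) from addresses not yet listed. The sample log lines are constructed, 203.0.113.9 and 198.51.100.7 are placeholder addresses, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

DROP_MARKER = "dropped: too many syntax or protocol errors"
BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def dropped_sources(log_lines):
    """Count dropped SMTP connections per source IP."""
    counts = Counter()
    for line in log_lines:
        if DROP_MARKER not in line:
            continue
        # The peer address is the last bracketed value before the marker;
        # an earlier bracket may be a HELO literal chosen by the client.
        found = BRACKETED_IP.findall(line.split(DROP_MARKER)[0])
        if not found:
            continue
        try:
            counts[ipaddress.ip_address(found[-1])] += 1
        except ValueError:
            continue  # bracketed text that is not an IP address
    return counts

def split_by_blocklist(counts, blocked_ranges):
    """Return (listed, unlisted) dicts of {ip_string: drop_count}."""
    networks = [ipaddress.ip_network(r, strict=False) for r in blocked_ranges]
    listed, unlisted = {}, {}
    for ip, n in counts.items():
        covered = any(ip.version == net.version and ip in net for net in networks)
        (listed if covered else unlisted)[str(ip)] = n
    return listed, unlisted

# Constructed sample lines in the style of an Exim main log (assumption).
SAMPLE_LOG = [
    '2014-01-15 09:12:01 SMTP call from [1.170.4.3]:40112 dropped: too many syntax or protocol errors (last command was "x")',
    '2014-01-15 09:12:05 SMTP connection from [198.51.100.7]:5222 (TCP/IP connection count = 3)',
    '2014-01-15 09:12:09 SMTP call from ([10.0.0.5]) [203.0.113.9]:33871 dropped: too many syntax or protocol errors (last command was "y")',
    '2014-01-15 09:12:14 SMTP call from [1.170.4.3]:40127 dropped: too many syntax or protocol errors (last command was "z")',
]

if __name__ == "__main__":
    listed, unlisted = split_by_blocklist(dropped_sources(SAMPLE_LOG), ["1.0.0.0/8"])
    print("inside a blocked range but still reaching Exim:", listed)
    print("not covered by any blocked range:", unlisted)
```

Addresses in the first group are the ones to block before the SMTP connection is accepted; the second group shows which ranges the current list misses.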
     