SMTP attack on server ?

Discussion in 'E-mail Discussion' started by nyjimbo, Jan 15, 2014.

  1. nyjimbo

    Right now we seem to be having an SMTP attack on one of our servers. We are getting connections from machines sending gibberish. After a short while the logs will show "dropped: too many syntax or protocol errors".

    It appears to be mostly coming from eastern Europe and parts of Asia.

    I have added ranges of IPs to cphulkd and have added the same ranges to "Blacklisted SMTP IP addresses" inside the exim configuration, saved the config and it restarted EXIM, but I am still seeing the same IPs, or IPs in those ranges, attempting to send garbage to the server.

    For example, a range will be "1.0.0.0/8", but we are still seeing the same "dropped" messages on, say, an IP like 1.170.4.3, which I think should really just be a quick 550 and a drop?

    What am I doing wrong or what am I missing? The server load is not too bad but they are using up all the SMTP connections and nobody can connect, or it takes many retries until they can.

    Is there something else I can do to stop this attack on the SMTP port?

    I am running CENTOS 6.3 x86_64 standard – WHM 11.40.1 (build 8)

    Thank you.
     
    #1 nyjimbo, Jan 15, 2014
    Last edited: Jan 15, 2014
  2. cPanelMichael

  3. nyjimbo

    Thank you. It looks like we need to tighten things up with CSF and LFD.
     
  4. HostingH

    Hello,

    Add the following in exim.conf:

    ####################
    smtp_accept_max = 150
    smtp_accept_max_per_connection = 12
    smtp_accept_max_per_host = 4
    ####################

    And in csf.conf, enable:

    CONNLIMIT = "25;10"

    Note: Change values as per the attack.

    Thanks,
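
Added example, not part of the thread and not cPanel or Exim code: a log audit that tallies the "dropped: too many syntax or protocol errors" entries per source IP and reports whether each noisy source already falls inside a configured block range such as the 1.0.0.0/8 mentioned in the first post. The log line layout and all sample lines are constructed assumptions; `dropped_sources` and `audit` are hypothetical helper names.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample; the line layout is an assumption about exim_mainlog.
SAMPLE_LOG = """\
2014-01-15 10:02:11 SMTP call from [1.170.4.3] dropped: too many syntax or protocol errors (last command was "asdf")
2014-01-15 10:02:14 SMTP call from [203.0.113.9]:40112 dropped: too many syntax or protocol errors (last command was "qwer")
2014-01-15 10:02:19 SMTP call from [1.170.4.3] dropped: too many syntax or protocol errors (last command was "zxcv")
2014-01-15 10:02:25 SMTP call from [198.51.100.7] dropped: too many syntax or protocol errors (last command was "hjkl")
2014-01-15 10:02:31 SMTP call from [203.0.113.9]:40150 dropped: too many syntax or protocol errors (last command was "uiop")
2014-01-15 10:02:40 SMTP call from [1.170.4.3] dropped: too many syntax or protocol errors (last command was "bnm")
2014-01-15 10:03:00 SMTP connection from [192.0.2.10] closed by QUIT
"""

# Source address in brackets, optional :port, then the message quoted in the thread.
DROPPED = re.compile(
    r"\[([0-9A-Fa-f.:]+)\](?::\d+)? dropped: too many syntax or protocol errors"
)

def dropped_sources(log_text):
    """Count protocol-error drops per source IP address."""
    hits = Counter()
    for line in log_text.splitlines():
        match = DROPPED.search(line)
        if not match:
            continue
        try:
            hits[ipaddress.ip_address(match.group(1))] += 1
        except ValueError:
            continue  # bracketed text was not a valid IP address; skip the line
    return hits

def audit(log_text, blocked_ranges, threshold=2):
    """Return (ip, drops, covering_ranges) for sources at or above threshold."""
    nets = [ipaddress.ip_network(r) for r in blocked_ranges]
    report = []
    for ip, count in dropped_sources(log_text).most_common():
        if count >= threshold:
            covering = [str(n) for n in nets if ip in n]
            report.append((str(ip), count, covering))
    return report

if __name__ == "__main__":
    for ip, count, covering in audit(SAMPLE_LOG, ["1.0.0.0/8"]):
        status = "listed in " + ", ".join(covering) if covering else "not listed"
        print(f"{ip:<15} {count:>3} drops  {status}")
```

A source reported as listed yet still producing drops reached the SMTP dialogue despite the range being configured, while an unlisted source with a high count is one the per-host and CONNLIMIT values above would need to contain.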
     