SMTP attack on server ?

nyjimbo

Well-Known Member
Jan 25, 2003
New York
Right now we seem to be having an SMTP attack on one of our servers. We are getting connections from machines sending gibberish. After a short while the logs will show "dropped: too many syntax or protocol errors".

It appears to be mostly coming from eastern Europe and parts of Asia.

I have added ranges of IPs to cphulkd and have added the same ranges to "Blacklisted SMTP IP addresses" inside the Exim configuration, saved the config (which restarted Exim), but I am still seeing the same IPs, or IPs in those ranges, attempting to send garbage to the server.

For example, a range will be "1.0.0.0/8", but we are still seeing the same "dropped" messages on, say, an IP like 1.170.4.3, which I think should really just get a quick 550 and a drop?

What am I doing wrong, or what am I missing? The server load is not too bad, but they are using up all the SMTP connections, and nobody can connect, or it takes many retries until they can.

Is there something else I can do to stop this attack on the SMTP port?

I am running CentOS 6.3 x86_64 standard – WHM 11.40.1 (build 8)

Thank you.
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
Thank you. It looks like we need to tighten things up with CSF and LFD.
 

HostingH

Well-Known Member
Jan 13, 2008
cPanel Access Level
Root Administrator
Hello,

Add the following in exim.conf

####################
smtp_accept_max = 150
smtp_accept_max_per_connection = 12
smtp_accept_max_per_host = 4
####################

And, in csf.conf, enable

CONNLIMIT = "25;10"

Note: Change values as per the attack.

Thanks,
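As an added example (not code from either poster or from cPanel, Exim or CSF), here is a small log triage script that addresses both posts above: it counts Exim's "dropped: too many syntax or protocol errors" entries per source IP, checks each IP against the CIDR ranges that were put into the SMTP blacklist, and flags any IP that keeps connecting even though a range that covers it has been blacklisted, which is exactly the symptom the original post describes (1.170.4.3 does fall inside 1.0.0.0/8, so if it still shows up in the log the blacklist is not being applied to these connections). The sample log lines, their IPs and timestamps are constructed for the example in the shape of Exim's mainlog format, and the `drop_threshold` value of 4 is an assumed trigger for escalating an IP to a firewall-level block; it is not taken from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of Exim mainlog entries. The IPs
# (1.170.4.3 from the thread, plus documentation ranges) and timestamps are
# made up for this example; the final line is an ordinary delivery entry
# that must NOT be counted as a drop.
SAMPLE_LOG = """\
2013-12-20 09:01:02 SMTP call from [1.170.4.3]:51234 dropped: too many syntax or protocol errors (last command was "xyzzy")
2013-12-20 09:01:05 SMTP call from [1.170.4.3]:51240 dropped: too many syntax or protocol errors (last command was "qqq")
2013-12-20 09:01:09 SMTP call from [1.170.4.3]:51251 dropped: too many syntax or protocol errors (last command was "")
2013-12-20 09:01:11 SMTP call from [1.170.4.3]:51260 dropped: too many syntax or protocol errors (last command was "")
2013-12-20 09:01:12 SMTP call from [1.170.4.3]:51270 dropped: too many syntax or protocol errors (last command was "")
2013-12-20 09:02:30 SMTP call from [203.0.113.77]:40001 dropped: too many syntax or protocol errors (last command was "ehlo")
2013-12-20 09:03:00 SMTP call from mail.example.net [198.51.100.9]:25 dropped: too many syntax or protocol errors (last command was "")
2013-12-20 09:03:10 1VtJ2a-0001Ab-Cd <= sender@example.org H=(host) [198.51.100.9] P=esmtp S=1234
"""

# Matches the "dropped" entry whether or not Exim printed a hostname before
# the bracketed address and whether or not a source port follows it.
DROPPED_RE = re.compile(
    r"SMTP call from .*?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)? "
    r"dropped: too many syntax or protocol errors"
)


def parse_dropped(log_text):
    """Count 'dropped: too many syntax or protocol errors' events per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROPPED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def blacklisted(ip, cidrs):
    """Return the first CIDR in `cidrs` that contains `ip`, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def report(log_text, cidrs, drop_threshold=4):
    """One row per offending IP, busiest first.

    `block_not_effective` is True when the IP is inside a blacklisted range
    yet still reached the SMTP conversation stage, i.e. the range block is
    not actually being enforced for it. `drop_threshold` is an assumed
    value for escalating an IP to a firewall block.
    """
    rows = []
    for ip, drops in parse_dropped(log_text).items():
        matched = blacklisted(ip, cidrs)
        rows.append({
            "ip": ip,
            "drops": drops,
            "matched_range": matched,
            "over_threshold": drops >= drop_threshold,
            "block_not_effective": matched is not None,
        })
    rows.sort(key=lambda r: (-r["drops"], r["ip"]))
    return rows


if __name__ == "__main__":
    # The two ranges here stand in for what was entered in the blacklist.
    for row in report(SAMPLE_LOG, ["1.0.0.0/8", "198.51.100.0/24"]):
        print(row)
```

To run it against a live system, replace `SAMPLE_LOG` with the contents of the mail log (on cPanel servers the Exim main log is normally `/var/log/exim_mainlog`). Any row with `block_not_effective` set is an IP that should never have got far enough to generate protocol errors, which points at the blacklist not being applied at connection time rather than at the ranges being wrong; rows marked `over_threshold` are the candidates for a CSF/LFD deny so that they stop consuming the connection slots that the Exim `smtp_accept_max*` settings and CSF `CONNLIMIT` are meant to protect.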