Thanks again quizknows. You are a god! 
Let me try to understand.
1) Edit: in /etc/csf/regex.custom.pm, add in the middle of the file:
Code:
# Custom lfd rule for the custom_line sub in /etc/csf/regex.custom.pm; CUSTOM1_LOG must point at the Exim mainlog.
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\d+\D+\d+\D+\d+ \d+\D+\d+\D+\d+ SMTP call from \[(\d+\.\d+\.\d+\.\d+)\]:\d+ dropped: too many syntax or protocol errors/)) {
    # Fields: text, IP ($1), custom id, trigger count, ports to block, permanent (1) or temporary (0).
    return ("Failed exim syntax from","$1","eximdosmatch","2","25,143","1");
}
2) Then in /etc/csf/csf.conf, set CUSTOM1_LOG to /var/log/exim_mainlog
3) Restart csf and lfd
Then tail -f /var/log/lfd.log and watch as it starts blocking IP addresses.
Is that it?
In csf we have this option; I have it enabled:
# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = 1
LF_EXIMSYNTAX_PERM = 1
And now I have the IP block limit at 4999, and it's working very fast without problems.
And again... thanks for the help.
(PS: do you believe that the lot of UDP 53 connections is because of this Exim attack?)
I have this in my iftop now:
Code:
* :25 <=> 117.212.103.226:2555 0b 77b 19b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:4441 0b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:25353 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:49783 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:62799 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:33484 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:45476 0b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:28208 0b 60b 15b
* :53 <=> 61-220-4-100.HINET-IP.hinet.net:58775 0b 60b 15b
* :53 <=> nsm5.seed.net.tw:29904 236b 47b 12b
* :25 <=> nsc64.90.5-166.newsouth.net:62873 208b 42b 10b
* :25 <=> adsl.viettel.vn:21138 0b 38b 29b
* :80 <=> 178-223-238-6.dynamic.isp.telekom.rs:22315 0b 38b 29b
* :25 <=> 59-104-198-253.adsl.dynamic.seed.net.tw:7342 192b 38b 10b
* :80 <=> 59-104-198-253.adsl.dynamic.seed.net.tw:7334 192b 38b 10b
* :80 <=> static.vdc.vn:64852 0b 32b 8b
* :80 <=> baiduspider-180-76-5-66.crawl.baidu.co:43190 0b 0b 7.00kb
* :80 <=> baiduspider-180-76-5-184.crawl.baidu.c:45462 0b 0b 6.29kb
* :80 <=> baiduspider-180-76-5-87.crawl.baidu.co:25040 0b 0b 6.18kb
* :80 <=> baiduspider-180-76-5-156.crawl.baidu.c:25302 0b 0b 5.91kb
* :80 <=> crawl-66-249-66-104.googlebot.com:53018 0b 0b 1.49kb
* :2086 <=> 177.207.204.213.static.gvt.net.br:62892 0b 0b 345b
* :45288 <=> 199.83.134.69.ip.incapdns.net:80 0b 0b 317b
* :80 <=> p11202-ipngn201okidate.aomori.ocn.ne.j:54641 0b 0b 309b
* :45289 <=> 199.83.134.69.ip.incapdns.net:80 0b 0b 309b
* :80 <=> ppp-110-169-233-167.revip5.asianet.co.:65044 0b 0b 288b
* :80 <=> 115.132.161.100:60613 0b 0b 254b

But if I press J, I have a lot more... A LOT:
Code:
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:47100 0b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:1457 300b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:54987 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:13889 0b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:61389 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:21299 0b 60b 15b
* :53 <=> 61-220-8-131.HINET-IP.hinet.net:50622 0b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:58107 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:12636 300b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:6581 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:14682 0b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:33893 0b 60b 15b
* :53 <=> 61-220-4-120.HINET-IP.hinet.net:40199 0b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:40531 300b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:35178 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:65442 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:22863 300b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:33402 0b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:19103 0b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:59906 0b 60b 15b
* :53 <=> 61-220-8-198.HINET-IP.hinet.net:28916 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:7319 0b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:30352 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:47869 0b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:11234 0b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:42858 0b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:43604 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:49925 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:22648 300b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:44139 0b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:56657 0b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:36254 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:45378 0b 60b 15b
* :53 <=> 61-220-4-120.HINET-IP.hinet.net:23712 0b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:49019 0b 60b 15b
* :53 <=> 61-220-4-100.HINET-IP.hinet.net:26035 0b 60b 15b
* :53 <=> 61-220-5-44.HINET-IP.hinet.net:45472 300b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:51584 0b 60b 15b
* :53 <=> 61-220-10-122.HINET-IP.hinet.net:21437 300b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:24051 0b 60b 15b
* :53 <=> 61-220-8-62.HINET-IP.hinet.net:3926 0b 60b 15b
* :53 <=> 61-220-8-131.HINET-IP.hinet.net:11263 288b 58b 14b
* :143 <=> 189-105-104-55.user.veloxzone.com.br:59785 0b 83b 42b
* :80 <=> 59-104-198-253.adsl.dynamic.seed.net.tw:7314 192b 77b 19b
* :80 <=> 59-104-198-253.adsl.dynamic.seed.net.tw:7316 192b 77b 19b
* :80 <=> 59-104-198-253.adsl.dynamic.seed.net.tw:7318 192b 77b 19b
* :25 <=> 77.28.143.217:17539 192b 77b 19b
* :80 <=> dynamic-ip-adsl-190.186.178.52.cotas.c:22492 0b 77b 19b
* :53 <=> 203.113.188.6:35416 0b 56b 14b
* :53 <=> 27.68.243.62:22013 0b 56b 14b
* :53 <=> 27.68.243.54:36814 0b 56b 14b
* :53 <=> 27.68.243.54:41963 0b 56b 14b
* :53 <=> 203.113.131.9:41424 0b 56b 14b
* :53 <=> 203.113.188.3:47519 0b 56b 14b
* :53 <=> 203.113.188.6:43733 0b 56b 14b
* :53 <=> nsm5.seed.net.tw:8843 256b 51b 13b
* :53 <=> nsm5.seed.net.tw:18288 0b 51b 13b
* :53 <=> nsm5.seed.net.tw:62021 0b 51b 13b
* :53 <=> nsm5.seed.net.tw:46979 0b 51b 13b
* :53 <=> nsm5.seed.net.tw:10281 0b 51b 13b
* :53 <=> nsm5.seed.net.tw:20515 0b 51b 13b
* :53 <=> nsm5.seed.net.tw:59044 0b 47b 12b
* :53 <=> 27.68.243.62:63890 0b 47b 12b
* :53 <=> 27.68.243.54:45816 0b 47b 12b
* :53 <=> nsm5.seed.net.tw:29904 236b 47b 12b
* :25 <=> nsc64.90.5-166.newsouth.net:62873 208b 42b 10b
* :25 <=> adsl.viettel.vn:21138 0b 38b 29b
* :80 <=> 178-223-238-6.dynamic.isp.telekom.rs:22315 0b 38b 29b
* :25 <=> 59-104-198-253.adsl.dynamic.seed.net.tw:7342 192b 38b 10b
* :80 <=> 59-104-198-253.adsl.dynamic.seed.net.tw:7334 192b 38b 10b
* :80 <=> static.vdc.vn:64852 0b 32b 8b
* :80 <=> baiduspider-180-76-5-66.crawl.baidu.co:43190 0b 0b 7.00kb
* :80 <=> baiduspider-180-76-5-184.crawl.baidu.c:45462 0b 0b 6.29kb
* :80 <=> baiduspider-180-76-5-87.crawl.baidu.co:25040 0b 0b 6.18kb
* :80 <=> baiduspider-180-76-5-156.crawl.baidu.c:25302 0b 0b 5.91kb
* :80 <=> crawl-66-249-66-104.googlebot.com:53018 0b 0b 1.49kb
* :2086 <=> 177.207.204.213.static.gvt.net.br:62892 0b 0b 345b
* :45288 <=> 199.83.134.69.ip.incapdns.net:80 0b 0b 317b
* :80 <=> p11202-ipngn201okidate.aomori.ocn.ne.j:54641 0b 0b 309b
* :45289 <=> 199.83.134.69.ip.incapdns.net:80 0b 0b 309b
* :80 <=> ppp-110-169-233-167.revip5.asianet.co.:65044 0b 0b 288b
* :80 <=> 115.132.161.100:60613 0b 0b 254b
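As an added example (not code from the post, and not csf/lfd code, which evaluates regex.custom.pm in Perl), here is the posted regex ported to Python and run offline over a constructed exim_mainlog sample, tallying hits per source IP against the trigger count of 2 from the return tuple. The sample log lines and IP addresses are made up, and lfd's LF_INTERVAL time window is deliberately not modelled:

```python
import re
from collections import Counter

# Python port of the lfd custom regex from the post. Assumption: exim_mainlog
# lines start with "YYYY-MM-DD HH:MM:SS", which is what the
# \d+\D+\d+\D+\d+ \d+\D+\d+\D+\d+ prefix expects.
EXIM_SYNTAX_DROP = re.compile(
    r"^\d+\D+\d+\D+\d+ \d+\D+\d+\D+\d+ SMTP call from "
    r"\[(\d+\.\d+\.\d+\.\d+)\]:\d+ dropped: too many syntax or protocol errors"
)

# Trigger count taken from the posted return tuple ("2"): block on the 2nd hit.
TRIGGER = 2

# Constructed sample of /var/log/exim_mainlog lines (not real log data):
# 203.0.113.10 trips the rule three times, 198.51.100.77 once, and the other
# lines are ordinary Exim traffic that must not match.
SAMPLE_MAINLOG = """\
2013-07-01 10:15:02 SMTP call from [203.0.113.10]:4411 dropped: too many syntax or protocol errors (last command was "xyz")
2013-07-01 10:15:03 1UtUpW-0001k3-Qz <= bounce@example.com H=mail.example.com [198.51.100.5] P=esmtp S=2048
2013-07-01 10:15:07 SMTP call from [203.0.113.10]:4412 dropped: too many syntax or protocol errors (last command was "EHLO")
2013-07-01 10:15:09 SMTP call from [198.51.100.77]:52110 dropped: too many syntax or protocol errors (last command was "")
2013-07-01 10:15:11 SMTP connection from [203.0.113.10]:4413 lost
2013-07-01 10:16:00 SMTP call from [203.0.113.10]:4414 dropped: too many syntax or protocol errors (last command was "QUIT")
"""


def extract_offenders(lines):
    """Count matching 'dropped' lines per source IP (the $1 capture)."""
    hits = Counter()
    for line in lines:
        m = EXIM_SYNTAX_DROP.match(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def ips_to_block(lines, trigger=TRIGGER):
    """IPs that reached the trigger count. lfd additionally requires the hits
    to fall inside LF_INTERVAL seconds; that time window is not modelled here."""
    return sorted(ip for ip, n in extract_offenders(lines).items() if n >= trigger)


if __name__ == "__main__":
    lines = SAMPLE_MAINLOG.splitlines()
    for ip, n in extract_offenders(lines).most_common():
        print(f"{ip}: {n} syntax-drop line(s)")
    for ip in ips_to_block(lines):
        # Mirrors the posted rule: ports 25,143, permanent block.
        print(f"would block {ip} on ports 25,143 (permanent): Failed exim syntax from {ip}")
```

Only the line with the full "SMTP call from [ip]:port dropped: too many syntax or protocol errors" text counts; the "SMTP connection from ... lost" line and normal deliveries do not, so an IP with a single drop stays below the trigger.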