SMTP attack on server?
Right now we seem to be having an SMTP attack on one of our servers. We are getting connections from machines sending gibberish. After a short while the logs will show "dropped: too many syntax or protocol errors".
It appears to be mostly coming from eastern Europe and parts of Asia.
I have added ranges of IPs to cphulkd and have added the same ranges to "Blacklisted SMTP IP addresses" inside the Exim configuration, saved the config and it restarted Exim, but I am still seeing the same IPs, or IPs in those ranges, attempting to send garbage to the server.
For example, a range will be "1.0.0.0/8", but we are still seeing the same "dropped" messages on, say, an IP like 1.170.4.3, which I think should really just be a quick 550 and a drop?
What am I doing wrong or what am I missing? The server load is not too bad, but they are using up all the SMTP connections and nobody can connect, or it takes many retries until they can.
Is there something else I can do to stop this attack on the SMTP port?
I am running CentOS 6.3 x86_64 standard, WHM 11.40.1 (build 8).
Thank you.
Hello :) There is a thread on this topic at: Sustained Exim Attack
Thank you.
Thank you. It looks like we need to tighten things up with CSF and LFD.
Hello,
Add the following in exim.conf:
####################
smtp_accept_max = 150
smtp_accept_max_per_connection = 12
smtp_accept_max_per_host = 4
####################
And, in csf.conf, enable:
CONNLIMIT = "25;10"
Note: Change values as per the attack.
Thanks,
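The practical check behind the original question is whether the addresses that keep producing "dropped: too many syntax or protocol errors" in exim_mainlog actually fall inside the ranges that were blacklisted. The script below is an added example, not code from this thread or from cPanel; it counts those "dropped" events per source IP and splits the offenders into ones already inside a configured CIDR range (as 1.170.4.3 is inside the 1.0.0.0/8 quoted in the question) and ones no range covers. The log lines are constructed in the shape Exim writes for this event (an optional "(hostname)" before the bracketed address, an optional ":port" after it); the addresses, ports and timestamps are made up, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of Exim's main log (exim_mainlog); the
# addresses, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
2013-12-05 10:11:12 SMTP call from [1.170.4.3]:43210 dropped: too many syntax or protocol errors (last command was "xyzzy")
2013-12-05 10:11:15 SMTP call from [1.170.4.3]:43288 dropped: too many syntax or protocol errors (last command was "abc")
2013-12-05 10:11:20 SMTP call from (host.example.net) [5.6.7.8]:51000 dropped: too many syntax or protocol errors (last command was "??")
2013-12-05 10:11:25 1VoAbC-0001aB-Xy <= alice@example.com H=mail.example.com [203.0.113.9] P=esmtps S=2048
2013-12-05 10:11:30 SMTP call from [1.170.9.9]:60001 dropped: too many syntax or protocol errors (last command was "qqq")
"""

# Matches the "dropped" line Exim writes when a client exceeds the syntax/protocol
# error limit; an optional (hostname) may precede the bracketed address and an
# optional :port may follow it.
DROPPED_RE = re.compile(
    r"SMTP call from (?:\([^)]*\) )?\[(?P<ip>[^\]]+)\](?::\d+)? "
    r"dropped: too many syntax or protocol errors"
)


def count_dropped(log_text):
    """Count 'dropped: too many syntax or protocol errors' events per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROPPED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def matching_ranges(ip, ranges):
    """Return the blacklist ranges (CIDR strings) that contain the given IP."""
    addr = ipaddress.ip_address(ip)
    return [r for r in ranges if addr in ipaddress.ip_network(r, strict=False)]


def coverage_report(log_text, ranges, threshold=1):
    """Split offending IPs (at or above threshold events) into those already
    inside a blacklisted range and those no configured range covers.

    Returns (covered, uncovered): covered is a list of (ip, count, ranges)
    tuples, uncovered a list of (ip, count) tuples; both are sorted by count
    descending, then by IP.
    """
    covered, uncovered = [], []
    for ip, n in count_dropped(log_text).items():
        if n < threshold:
            continue
        hits = matching_ranges(ip, ranges)
        if hits:
            covered.append((ip, n, hits))
        else:
            uncovered.append((ip, n))
    key = lambda t: (-t[1], t[0])
    return sorted(covered, key=key), sorted(uncovered, key=key)


if __name__ == "__main__":
    blacklist = ["1.0.0.0/8"]  # the range quoted in the question
    covered, uncovered = coverage_report(SAMPLE_LOG, blacklist)
    for ip, n, hits in covered:
        print(f"{ip}: {n} dropped connection(s), already inside {', '.join(hits)}")
    for ip, n in uncovered:
        print(f"{ip}: {n} dropped connection(s), NOT covered by any configured range")
```

Run it against a real exim_mainlog by reading the file into `coverage_report` instead of `SAMPLE_LOG`. An address that shows up in the "covered" list is one where the range is configured correctly and the connection is still being accepted before being dropped, so the fix lies in connection limits (the smtp_accept_* settings and CONNLIMIT above) rather than in the blacklist; addresses in the "uncovered" list are the ones a range or a CSF/LFD rule does not yet account for.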