Exim Syntax Attack Won't Stop
I have a server that has been experiencing an Exim Syntax Attack for over two weeks now. This week I have enabled csf to kill the ip after 2 syntax errors. It is working for sure. I even upped the ip database to 1500. The server is handling it fine. Just wondering how long these attacks can last before they go away? I'm surprised I only see several posts on this in the forum and nothing current.
Hello :) There is a thread on this here: Sustained Exim Attack. Not much has changed as far as the methods used to handle the attack, as far as I know. Thank you.
Yes, this thread is old. CSF/LFD takes care of this now and it is working. But nothing will stop the attack, it just keeps going. I have to rotate the exim logs every day so as not to fill up /var.
Yeah, it's extremely annoying. I adjusted logrotate.d to rotate / compress the logs for me on servers under this attack. Not much else you can do other than try raising the limit on the number of IPs that CSF will block at once.
What did you put in to compress the files?
This is assuming you have the file /etc/logrotate.d/exim. My /etc/logrotate.d/exim file looks like this:

    /var/log/exim_mainlog {
        create 0640 mailnull mail
        compress
        postrotate
            /usr/bin/killall -HUP exim
        endscript
    }

    /var/log/exim_paniclog {
        missingok
        create 0640 mailnull mail
        compress
        postrotate
            /usr/bin/killall -HUP exim
        endscript
    }

    /var/log/exim_rejectlog {
        create 0640 mailnull mail
        compress
        postrotate
            /usr/bin/killall -HUP exim
        endscript
    }

The "compress" setting gzips the rotated-out logs. My main /etc/logrotate.conf has weekly set. You can either change that to daily (which would rotate all your system logs daily, not recommended), or you should be able to add the daily setting for exim_mainlog like this in /etc/logrotate.d/exim:

    /var/log/exim_mainlog {
        create 0640 mailnull mail
        daily
        compress
        postrotate
            /usr/bin/killall -HUP exim
        endscript
    }

logrotate has nice docs in the man page. You could also just set compress in the global /etc/logrotate.conf file, but settings in that file can be overridden by later included configs.
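
To judge whether a CSF block limit such as the 1500 mentioned in this thread is keeping up, it helps to count how many distinct sources are producing syntax errors. The script below is an added example, not part of any post above: the function names are hypothetical, the sample lines are constructed, and the log wording it matches ("SMTP syntax error", "too many syntax or protocol errors") is assumed to match what your Exim version writes.

```shell
#!/bin/sh
# Added example: tally Exim SMTP syntax-error lines per source IP.

# Constructed sample lines modelled on Exim log wording
# (documentation address ranges, not real traffic).
sample_log() {
cat <<'EOF'
2024-01-10 03:14:01 SMTP syntax error in "GET / HTTP/1.1" H=(probe) [203.0.113.7] unrecognized command
2024-01-10 03:14:02 SMTP syntax error in "x [198.51.100.1] y" H=(probe) [203.0.113.7] unrecognized command
2024-01-10 03:14:03 SMTP call from (probe) [203.0.113.7] dropped: too many syntax or protocol errors (last command was "HELP ME")
2024-01-10 03:15:10 SMTP syntax error in "JUNK" H=[2001:db8::25] unrecognized command
2024-01-10 03:16:00 1abcde-000123-4F <= user@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1234
2024-01-10 03:17:30 SMTP syntax error in "FOO" H=[198.51.100.9] unrecognized command
2024-01-10 03:17:31 SMTP syntax error in "BAR" H=[198.51.100.9] unrecognized command
EOF
}

# count_syntax_offenders MIN [FILE...]
# Reads Exim log lines (stdin when no FILE is given) and prints "COUNT IP"
# for every source with at least MIN syntax-error lines, busiest first.
count_syntax_offenders() {
    min=$1
    shift
    awk -v min="$min" '
        /SMTP syntax error|too many syntax or protocol errors/ {
            line = $0
            # Drop the quoted client command first: the remote side controls
            # it, and it may contain text that looks like "[address]".
            gsub(/"[^"]*"/, "", line)
            if (match(line, /\[[0-9A-Fa-f:.]+\]/))
                hits[substr(line, RSTART + 1, RLENGTH - 2)]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }
    ' "$@" | sort -k1,1nr -k2,2
}

# With arguments: MIN followed by log files. Without: run on the sample,
# using 2 to mirror the "block after 2 syntax errors" setting in the thread.
if [ "$#" -gt 0 ]; then
    count_syntax_offenders "$@"
else
    sample_log | count_syntax_offenders 2
fi
```

Piping the output through `wc -l` gives the number of distinct offenders to compare against the CSF limit; rotated logs compressed by logrotate need `zcat` first.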