Re: [exim] Tools for SQL export to CDB

Startseite
Nachricht löschen
Nachricht beantworten
Autor: W B Hacker
Datum:  
To: exim users
Betreff: Re: [exim] Tools for SQL export to CDB
David Saez Padros wrote:

> Hi !!
>
>>> the problem with sqlite and also with dbm databases is that writing
>>> to the database locks all database (read/write) and only one process can
>>
>>
>> PostgreSQL handles that well enough that it is simply no longer a
>> factor. At least not for relatively slow changing stuff like mailer
>> settings.
>
>
> our problem here is that we use to suffer massive virus attacks and
> rejecting fast (as fast as possible) is the only way to survive that
> attacks.


Suggest you start Exim (and any other serious daemons) 'niced'
down, and put sshd at a higher priority. That insures you can
access and control the box even when it is running with its
tongue hanging out.

> The fastest way we find is to reject blacklisted ip's at
> connect with an automatic blacklisting system, so we choose the fastest
> database for reads.


'Faster' yet if you turn any purely IP-based blocking over to
the firewall, and don't hesitate to (temporarily) ban entire
/24's or such.

When a concentrated storm is coming at you from multiple IP's it
is almost certainly a Zombie farm, and is under 'management' (I
won't class a 'criminal mind' as *intelligent* management, but
wet-ware is involved).

> From our experience the system is very good even if
> we update the blacklist database only once a day. If the system is on a
> such attack and on heavy load the cdb rebuild could be avoided or made
> every hour.
>


ACK. But a roll-in / drop-later (by rule-number spans) ipfw, pf,
ipfilter.. whichever.. ruleset is *way* faster to deploy, and
much lighter on resources as well.

What we see more of is multiple-IP, same or small selection of,
HELO in bursts. A sure sign of a coordinated attack.

Exim's forward/reverse host/HELO lookups already cache results,
yet are highly dynamic, so need little help save perhaps a
REGEXP blocklist for the chronic offenders.

Enforcing sync, and NOT advertising pipelining also helps, (we
drop sync requirement later for the 'good folks'), along with
setting 'queue_only', limiting per-IP connections, a short delay
when all is less-than-satisfactory, etc.

Mind you - the attackers aren't in 'learning' mode, but have
usually been pre-programmed to NOT sit on a connection for very
long at all.

Exim has a lot of knobs for keeping the wolves at bay.


Bill