Re: [exim] Tools for SQL export to CDB

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Tools for SQL export to CDB
David Saez Padros wrote:

> Hi !!
>
>>> the problem with sqlite and also with dbm databases is that writing
>>> to the database locks all database (read/write) and only one process can
>>
>>
>> PostgreSQL handles that well enough that it is simply no longer a
>> factor. At least not for relatively slow changing stuff like mailer
>> settings.
>
>
> our problem here is that we use to suffer massive virus attacks and
> rejecting fast (as fast as possible) is the only way to survive those
> attacks.


Suggest you start Exim (and any other serious daemons) 'niced'
down, and put sshd at a higher priority. That ensures you can
access and control the box even when it is running with its
tongue hanging out.

> The fastest way we find is to reject blacklisted ip's at
> connect with an automatic blacklisting system, so we choose the fastest
> database for reads.


'Faster' yet if you turn any purely IP-based blocking over to
the firewall, and don't hesitate to (temporarily) ban entire
/24's or such.

When a concentrated storm is coming at you from multiple IP's it
is almost certainly a Zombie farm, and is under 'management' (I
won't class a 'criminal mind' as *intelligent* management, but
wet-ware is involved).

> From our experience the system is very good even if
> we update the blacklist database only once a day. If the system is on a
> such attack and on heavy load the cdb rebuild could be avoided or made
> every hour.
>


ACK. But a roll-in / drop-later (by rule-number spans) ipfw, pf,
ipfilter.. whichever.. ruleset is *way* faster to deploy, and
much lighter on resources as well.

What we see more of is multiple-IP, same or small selection of,
HELO in bursts. A sure sign of a coordinated attack.

Exim's forward/reverse host/HELO lookups already cache results,
yet are highly dynamic, so need little help save perhaps a
REGEXP blocklist for the chronic offenders.

Enforcing sync, and NOT advertising pipelining also helps (we
drop the sync requirement later for the 'good folks'), along with
setting 'queue_only', limiting per-IP connections, a short delay
when all is less-than-satisfactory, etc.

Mind you - the attackers aren't in 'learning' mode, but have
usually been pre-programmed to NOT sit on a connection for very
long at all.

Exim has a lot of knobs for keeping the wolves at bay.


Bill
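As an added example, not part of this thread and not Exim's or cdb's own tooling: a minimal, self-contained writer and reader for the cdb file format that the once-a-day rebuild discussed above produces, so a blacklist exported from SQL can be checked before Exim reads it through its cdb lookup type. The IP addresses and reasons in SAMPLE_ROWS are constructed sample values.

```python
import struct
def cdb_hash(key: bytes) -> int:  # DJB hash used by cdb, truncated to 32 bits
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h

def build_cdb(records) -> bytes:  # (key, value) byte pairs -> cdb file image
    pos = 2048                    # records start after the 256 table pointers
    body = bytearray()
    tables = [[] for _ in range(256)]
    for key, value in records:
        h = cdb_hash(key)
        tables[h & 0xFF].append((h, pos))
        rec = struct.pack("<II", len(key), len(value)) + key + value
        body += rec
        pos += len(rec)
    header = bytearray()
    for entries in tables:        # the 256 hash tables follow the records
        tlen = 2 * len(entries)   # half-full tables keep probe chains short
        header += struct.pack("<II", pos, tlen)
        slots = [(0, 0)] * tlen
        for h, p in entries:      # linear probing; pos 0 marks an empty slot
            i = (h >> 8) % tlen
            while slots[i][1] != 0:
                i = (i + 1) % tlen
            slots[i] = (h, p)
        for h, p in slots:
            body += struct.pack("<II", h, p)
        pos += 8 * tlen
    return bytes(header) + bytes(body)

def cdb_lookup(data: bytes, key: bytes):  # value for key, or None if absent
    h = cdb_hash(key)
    tpos, tlen = struct.unpack_from("<II", data, (h & 0xFF) * 8)
    i = (h >> 8) % max(tlen, 1)   # empty table: the loop below never runs
    for _ in range(tlen):
        sh, sp = struct.unpack_from("<II", data, tpos + 8 * i)
        if sp == 0:               # empty slot ends the probe sequence
            return None
        if sh == h:
            klen, dlen = struct.unpack_from("<II", data, sp)
            if data[sp + 8:sp + 8 + klen] == key:
                return data[sp + 8 + klen:sp + 8 + klen + dlen]
        i = (i + 1) % tlen
    return None

# Constructed sample rows, as an SQL export of the blacklist might yield them.
SAMPLE_ROWS = [("192.0.2.10", "zombie 2005-09-01"), ("198.51.100.7", "open relay")]
BLACKLIST = build_cdb((ip.encode(), why.encode()) for ip, why in SAMPLE_ROWS)
```

Writing BLACKLIST to a file and swapping it into place atomically (rename over the old file) keeps readers from ever seeing a half-written database during the rebuild.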