Re: [exim] Tools for SQL export to CDB

Startseite
Nachricht löschen
Nachricht beantworten
Autor: David Saez Padros
Datum:  
CC: exim users
Betreff: Re: [exim] Tools for SQL export to CDB
Hi !!

>> our problem here is that we use to suffer massive virus attacks and
>> rejecting fast (as fast as possible) is the only way to survive that
>> attacks.
>
> Suggest you start Exim (and any other serious daemons) 'niced' down, and
> put sshd at a higher priority. That insures you can access and control
> the box even when it is running with its tongue hanging out.


That's not the problem, the problem is that normal mail should work
well also in that conditions, rejecting fast and limiting resources
for no authenticated users and non whitelisted hosts is what it helps.
Exim resource usage could be well controlled without the need to nice it

> 'Faster' yet if you turn any purely IP-based blocking over to the
> firewall, and don't hesitate to (temporarily) ban entire /24's or such.


blocking /24 is not feasible as it will also block whitelisted hosts

> ACK. But a roll-in / drop-later (by rule-number spans) ipfw, pf,
> ipfilter.. whichever.. ruleset is *way* faster to deploy, and much
> lighter on resources as well.


mmm.... i never tried to add 400000 ip addresses to ipfilter ...
BTW i prefer to reject using exim as i could give a descriptive error
message whith a link to request removal from the blacklist as from
time to time it catches some 'legal' mailserver.

> Exim's forward/reverse host/HELO lookups already cache results, yet are
> highly dynamic, so need little help save perhaps a REGEXP blocklist for
> the chronic offenders.


that's the kind of rules we use to auto-blacklist

> Enforcing sync, and NOT advertising pipelining also helps, (we drop sync
> requirement later for the 'good folks'), along with setting
> 'queue_only', limiting per-IP connections, a short delay when all is
> less-than-satisfactory, etc.


we use all of it except delaying which only makes exim grow it's number
of process.

> Mind you - the attackers aren't in 'learning' mode, but have usually
> been pre-programmed to NOT sit on a connection for very long at all.


no, but they repeat many times a day during some days

--
Best regrads ...

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       e-mail  david@???
    Pintor Vayreda 1                 telf    +34 902 50 29 75
    08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------