[exim] refused: too many connections

Author: Gary Stainburn
Date:  
To: exim-users
Subject: [exim] refused: too many connections
On a number of occasions I've had my server DOS'd because of a number of
incoming connections hanging and then getting hundreds of the following entry
in my logs (different IPs)

/var/log/exim/main.log-20131215:2013-12-13 19:08:15 Connection from
[85.137.122.107] refused: too many connections

If I look at exiwhat I see things like

29719 handling incoming connection from mail.orovia.com [109.108.128.13]

hanging around for long periods. In the case of the above IP address, the
connections did not close, then multiple connections used up multiple
connections hence the DOS.

I now block that IP on my server using the acl_smtp_connect ACL, which has
stopped the DOS attack, but while I've been monitoring the server I have seen
a number of IPs that sit there for much longer than they should. I have
reduced smtp_receive_timeout to 4m which is probably how long these
connections are staying open.

My questions are:

1) is there a way to catch these time-outs so that the offending IP address
can be recorded?

2) Is there a way to time how long a message takes? If possible, timing
separate stages of the delivery?

I currently have a manually maintained file /etc/exim/ip_blacklist.lst which
gets checked as part of the acl_smtp_connect ACL.

I am looking to have exim maintain a SQL table adding entries for offending IPs.

--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk
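
An added example, not part of the original post and not Exim's own code: a Python script that takes the log-side route to question 1, counting SMTP timeout entries per IP in the main log and listing the hosts that cross a threshold, while keeping the "too many connections" refusals separate because those hosts were turned away rather than holding a slot. The timeout line wording, the threshold of 3, the function name and the sample lines (documentation addresses) are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines. The "refused" format is the one quoted in the
# post; the timeout wording is an assumption about what Exim logs when
# smtp_receive_timeout expires. Check it against your own main.log.
SAMPLE_LOG = """\
2013-12-13 19:02:11 SMTP command timeout on connection from slow.example.net [192.0.2.10]
2013-12-13 19:04:11 SMTP command timeout on connection from slow.example.net [192.0.2.10]
2013-12-13 19:05:40 SMTP data timeout (message abandoned) on connection from [198.51.100.7] F=<a@example.org>
2013-12-13 19:06:11 SMTP command timeout on connection from slow.example.net [192.0.2.10]
2013-12-13 19:08:15 Connection from [203.0.113.5] refused: too many connections
2013-12-13 19:08:16 Connection from [203.0.113.5] refused: too many connections
"""

IP = r"\[(?P<ip>[0-9A-Fa-f:.]+)\]"
# Not anchored at line start, so grep output prefixed with "file:" also parses.
TIMEOUT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"SMTP (?:command|data) timeout .*?on connection from .*?" + IP)
REFUSED_RE = re.compile(r"Connection from " + IP + r" refused: too many connections")


def find_slow_hosts(lines, min_timeouts=3):
    """Return ([(ip, timeout_count, last_seen)], refused_counter)."""
    timeouts, refused, last_seen = Counter(), Counter(), {}
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if m:
            timeouts[m["ip"]] += 1
            last_seen[m["ip"]] = m["ts"]   # log is chronological
            continue
        m = REFUSED_RE.search(line)
        if m:
            # These hosts were refused, they did not hold a connection open.
            refused[m["ip"]] += 1
    offenders = [(ip, n, last_seen[ip])
                 for ip, n in timeouts.most_common() if n >= min_timeouts]
    return offenders, refused


if __name__ == "__main__":
    offenders, refused = find_slow_hosts(SAMPLE_LOG.splitlines())
    for ip, count, seen in offenders:
        # One address per line, ready for review before it goes in a blocklist.
        print(f"{ip}  # {count} timeouts, last at {seen}")
    print(f"# refused while full: {dict(refused)}")
```

The output is a candidate list for review; a legitimate but slow peer can also time out, so the threshold and any automatic insertion into a blocklist or SQL table need tuning against real traffic.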