[exim] Help with AUTH DDOS

Pàgina inicial
Delete this message
Reply to this message
Autor: mixed8e
Data:  
A: exim-users
Assumpte: [exim] Help with AUTH DDOS
Hi, I have a server under a minor DDOS of AUTH guessing attacks. I
installed fail2ban and tried to be conservative, allowing 50 AUTH guesses
before banning an IP address. Unfortunately, the attack has too many bots
and the server is under heavy load so I temporarily reduced the threshold
to just a single AUTH failure before banning. I hope no users forget their
passwords!

It looks like fail2ban's default iptables integration does not drop
connections that are already established, because I'm seeing a lot of
fail2ban log lines stating "already banned" and also Exim log lines from
suspect IP addresses with this:

TCP/IP connection count = 161

Eventually I would hope the connections will naturally drop and the ban
will become more effective (empirically that seems to be happening).
However, I'd like to ask for general opinions on the matter and one
specific question:

What would be the Exim setting to limit the number of TCP connections? Or
is it a bad idea to limit connections like that? I do know at least one
group of users of this server sit behind a single IP address, so the
connection count for that IP address is very high. Does that mean I can't
approach the problem from this angle? (short of whitelisting known
addresses)