Re: [exim] Help with AUTH DDOS

Pàgina inicial
Delete this message
Reply to this message
Autor: Jasen Betts
Data:  
A: exim-users
Assumpte: Re: [exim] Help with AUTH DDOS
On 2019-06-24, mixed8e--- via Exim-users <exim-users@???> wrote:
> Hi, I have a server under a minor DDOS of AUTH guessing attacks. I
> installed fail2ban and tried to be conservative, allowing 50 AUTH guesses
> before banning an IP address. Unfortunately, the attack has too many bots
> and the server is under heavy load so I temporarily reduced the threshold
> to just a single AUTH failure before banning. I hope no users forget their
> passwords!
>
> It looks like fail2ban's default iptables integration does not drop
> connections that are already established, because I'm seeing a lot of
> fail2ban log lines stating "already banned" and also Exim log lines from
> suspect IP addresses with this:
>
> TCP/IP connection count = 161
>
> Eventually I would hope the connections will naturally drop and the ban
> will become more effective (empirically that seems to be happening).
> However, I'd like to ask for general opinions on the matter and one
> specific question:
>
> What would be the Exim setting to limit the number of TCP connections? Or
> is it a bad idea to limit connections like that? I do know at least one
> group of users of this server sit behind a single IP address, so the
> connection count for that IP address is very high. Does that mean I can't
> approach the problem from this angle? (short of whitelisting known
> addresses)


set smtp_accept_max_nonmail lower. this may inconvenience some users a
little and rset and helo are counted as nonmail IIRC..

alternatively in ACL_AUTH

  drop
    set acl_c_auth_count = ${eval: $acl_c_auth_count + 1}
    condition = ${if >{1}{$acl_c_auth_count }}
    message = "go away"


which will allow only one attept at auth per connect.



--
When I tried casting out nines I made a hash of it.