On 2019-06-24, mixed8e--- via Exim-users <exim-users@???> wrote:
> Hi, I have a server under a minor DDOS of AUTH guessing attacks. I
> installed fail2ban and tried to be conservative, allowing 50 AUTH guesses
> before banning an IP address. Unfortunately, the attack has too many bots
> and the server is under heavy load so I temporarily reduced the threshold
> to just a single AUTH failure before banning. I hope no users forget their
> passwords!
>
> It looks like fail2ban's default iptables integration does not drop
> connections that are already established, because I'm seeing a lot of
> fail2ban log lines stating "already banned" and also Exim log lines from
> suspect IP addresses with this:
>
> TCP/IP connection count = 161
>
> Eventually I would hope the connections will naturally drop and the ban
> will become more effective (empirically that seems to be happening).
> However, I'd like to ask for general opinions on the matter and one
> specific question:
>
> What would be the Exim setting to limit the number of TCP connections? Or
> is it a bad idea to limit connections like that? I do know at least one
> group of users of this server sit behind a single IP address, so the
> connection count for that IP address is very high. Does that mean I can't
> approach the problem from this angle? (short of whitelisting known
> addresses)
Set smtp_accept_max_nonmail lower. This may inconvenience some users a
little, and RSET and HELO are counted as nonmail IIRC.

Alternatively, in ACL_AUTH:

  drop
    # acl_c_ variables persist for the whole connection, so this counts
    # every AUTH command the client sends on it
    set acl_c_auth_count = ${eval:$acl_c_auth_count + 1}
    # fire on the second and later AUTH (count > 1)
    condition = ${if >{$acl_c_auth_count}{1}}
    message = go away

which will allow only one attempt at AUTH per connect.
--
When I tried casting out nines I made a hash of it.
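The thread describes fail2ban counting AUTH failures per source address in the Exim log and the problem that one group of legitimate users shares a single IP. The script below, added here as an example and not part of the mailing-list exchange, does that counting over a few constructed Exim mainlog lines: it tallies "authenticator failed" lines per IP, applies a configurable threshold like fail2ban's maxretry, honours an allowlist for the known shared address, and also picks out the "TCP/IP connection count" values that appear in connection lines. The log layout it parses is assumed to be Exim's standard mainlog format; the sample lines and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines (not taken from the thread). The
# layout follows Exim's standard "authenticator failed for (host) [ip]" and
# "SMTP connection from [ip] ... (TCP/IP connection count = N)" lines.
SAMPLE_LOG = """\
2019-06-24 10:00:01 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2019-06-24 10:00:02 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=bob)
2019-06-24 10:00:03 plain authenticator failed for (y) [198.51.100.9]: 535 Incorrect authentication data (set_id=carol)
2019-06-24 10:00:04 SMTP connection from [203.0.113.5] (TCP/IP connection count = 161)
2019-06-24 10:00:05 login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=dave)
"""

# Capture the bracketed client address from an AUTH failure line.
AUTH_FAIL_RE = re.compile(r" authenticator failed for .*?\[([0-9a-fA-F.:]+)\]")
# Capture the client address and the concurrent-connection count Exim reports.
CONN_COUNT_RE = re.compile(
    r"SMTP connection from \[([0-9a-fA-F.:]+)\].*TCP/IP connection count = (\d+)"
)


def auth_failures_by_ip(log_text):
    """Return a Counter of AUTH failures keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ips_over_threshold(log_text, threshold, allowlist=()):
    """IPs with at least `threshold` AUTH failures, skipping allowlisted ones.

    `threshold` plays the role of fail2ban's maxretry; `allowlist` covers a
    shared NAT address whose legitimate users would otherwise trip the limit.
    """
    return sorted(
        ip
        for ip, n in auth_failures_by_ip(log_text).items()
        if n >= threshold and ip not in allowlist
    )


def connection_counts(log_text):
    """Map client IP -> highest 'TCP/IP connection count' seen for it."""
    highest = {}
    for line in log_text.splitlines():
        m = CONN_COUNT_RE.search(line)
        if m:
            ip, n = m.group(1), int(m.group(2))
            highest[ip] = max(n, highest.get(ip, 0))
    return highest


if __name__ == "__main__":
    for ip, n in auth_failures_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} AUTH failures")
    print("over threshold 3:", ips_over_threshold(SAMPLE_LOG, 3))
    print("over threshold 1, shared address allowlisted:",
          ips_over_threshold(SAMPLE_LOG, 1, allowlist={"203.0.113.5"}))
    print("connection counts:", connection_counts(SAMPLE_LOG))
```

Running it against a real mainlog means reading the file instead of SAMPLE_LOG; the thresholds are the only knobs, and the allowlist is where the shared-IP group from the question would go so that its users' typos never reach the ban logic.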