Re: [exim] Help with AUTH DDOS

Page principale
Supprimer ce message
Répondre à ce message
Auteur: mixed8e
Date:  
À: exim-users
Sujet: Re: [exim] Help with AUTH DDOS
> On 2019-06-24, mixed8e--- via Exim-users <exim-users@???> wrote:
>> Hi, I have a server under a minor DDOS of AUTH guessing attacks. I
>> installed fail2ban and tried to be conservative, allowing 50 AUTH
>> guesses
>> before banning an IP address. Unfortunately, the attack has too many
>> bots
>> and the server is under heavy load so I temporarily reduced the
>> threshold
>> to just a single AUTH failure before banning. I hope no users forget
>> their
>> passwords!
>>
>> It looks like fail2ban's default iptables integration does not drop
>> connections that are already established, because I'm seeing a lot of
>> fail2ban log lines stating "already banned" and also Exim log lines from
>> suspect IP addresses with this:
>>
>> TCP/IP connection count = 161
>>
>> Eventually I would hope the connections will naturally drop and the ban
>> will become more effective (empirically that seems to be happening).
>> However, I'd like to ask for general opinions on the matter and one
>> specific question:
>>
>> What would be the Exim setting to limit the number of TCP connections?
>> Or
>> is it a bad idea to limit connections like that? I do know at least one
>> group of users of this server sit behind a single IP address, so the
>> connection count for that IP address is very high. Does that mean I
>> can't
>> approach the problem from this angle? (short of whitelisting known
>> addresses)
>
> set smtp_accept_max_nonmail lower. this may inconvenience some users a
> little and rset and helo are counted as nonmail IIRC..
>
> alternatively in ACL_AUTH
>
>   drop
>     set acl_c_auth_count = ${eval: $acl_c_auth_count + 1}
>     condition = ${if >{1}{$acl_c_auth_count }}
>     message = "go away"

>
> which will allow only one attept at auth per connect.


Thanks Jeremy and Jasen. I've looked at some of the suggested settings but
before I change anything I'm wondering if anyone can help me diagnose the
situation to make sure I'm making changes that will have the needed
effect.

My fail2ban jail has banned thousands and thousands of IP addresses, but
the system is still slow. There are two effects:
1. overall slowness of the machine, from ssh access, or loading web pages
2. SMTP service is the most affected, most slow (sometimes sending will
time out)

However, it appears that the number of connections is very reasonable.
Does Exim have a reporting mechanism where I can get connection stats? I
get different numbers from ss, netstat, lsof, /proc/net/sockstat,
/proc/net/tcp, and whatever else I've tried. Some of the numbers are not
very similar, so I don't know what to look for. Everything except some of
the `ss -s`numbers makes it look as though the connection count to Exim is
quite small.

Could the slowness be the firewall so busy with the large volume of
attempted connections even though most are dropped? `uptime` shows a
fairly light load on the system, not too much wait (though it does pop up
once in a while over 20% it's mostly under 10%). The only flaw with that
idea, why would SMTP service be particularly affected more than other
services?

How could I hone in on the actual problem before fiddling with config knobs?

Thanks--