Re: [exim] Help with AUTH DDOS

Góra strony
Delete this message
Reply to this message
Autor: Antoine
Data:  
Dla: exim-users
Temat: Re: [exim] Help with AUTH DDOS


On 27/06/2019 09:12, mixed8e--- via Exim-users wrote:
>> On 2019-06-24, mixed8e--- via Exim-users <exim-users@???> wrote:
>>> Hi, I have a server under a minor DDOS of AUTH guessing attacks. I
>>> installed fail2ban and tried to be conservative, allowing 50 AUTH
>>> guesses
>>> before banning an IP address. Unfortunately, the attack has too many
>>> bots
>>> and the server is under heavy load so I temporarily reduced the
>>> threshold
>>> to just a single AUTH failure before banning. I hope no users forget
>>> their
>>> passwords!
>>>
>>> It looks like fail2ban's default iptables integration does not drop
>>> connections that are already established, because I'm seeing a lot of
>>> fail2ban log lines stating "already banned" and also Exim log lines from
>>> suspect IP addresses with this:
>>>
>>> TCP/IP connection count = 161
>>>
>>> Eventually I would hope the connections will naturally drop and the ban
>>> will become more effective (empirically that seems to be happening).
>>> However, I'd like to ask for general opinions on the matter and one
>>> specific question:
>>>
>>> What would be the Exim setting to limit the number of TCP connections?
>>> Or
>>> is it a bad idea to limit connections like that? I do know at least one
>>> group of users of this server sit behind a single IP address, so the
>>> connection count for that IP address is very high. Does that mean I
>>> can't
>>> approach the problem from this angle? (short of whitelisting known
>>> addresses)
>> set smtp_accept_max_nonmail lower. this may inconvenience some users a
>> little and rset and helo are counted as nonmail IIRC..
>>
>> alternatively in ACL_AUTH
>>
>>   drop
>>     set acl_c_auth_count = ${eval: $acl_c_auth_count + 1}
>>     condition = ${if >{1}{$acl_c_auth_count }}
>>     message = "go away"

>>
>> which will allow only one attept at auth per connect.
> Thanks Jeremy and Jasen. I've looked at some of the suggested settings but
> before I change anything I'm wondering if anyone can help me diagnose the
> situation to make sure I'm making changes that will have the needed
> effect.
>
> My fail2ban jail has banned thousands and thousands of IP addresses, but
> the system is still slow. There are two effects:
> 1. overall slowness of the machine, from ssh access, or loading web pages
> 2. SMTP service is the most affected, most slow (sometimes sending will
> time out)
>
> However, it appears that the number of connections is very reasonable.
> Does Exim have a reporting mechanism where I can get connection stats? I
> get different numbers from ss, netstat, lsof, /proc/net/sockstat,
> /proc/net/tcp, and whatever else I've tried. Some of the numbers are not
> very similar, so I don't know what to look for. Everything except some of
> the `ss -s`numbers makes it look as though the connection count to Exim is
> quite small.
>
> Could the slowness be the firewall so busy with the large volume of
> attempted connections even though most are dropped? `uptime` shows a
> fairly light load on the system, not too much wait (though it does pop up
> once in a while over 20% it's mostly under 10%). The only flaw with that
> idea, why would SMTP service be particularly affected more than other
> services?
>
> How could I hone in on the actual problem before fiddling with config knobs?
>
> Thanks--
>
>


You can also make exim listen on a second port and advertise AUTH only
on it, using something like:
server_advertise_condition = ${if and{ {def:tls_cipher}
{eq{$received_port}{$SECOND_PORT}}}}
in the authentication configuration.
In this case all the AUTH tentatives done on the standard port will be
rejected with the minimum of effort from your side.
And you can immediately and severely ban any such tentative using fail2ban.

The downside is that all your MUAs will have to reconfigure the port as
well.

A.