[exim] Re: smtp_accept_max & DDoS

Pàgina inicial
Delete this message
Reply to this message
Autor: Slavko
Data:  
A: exim-users
Assumpte: [exim] Re: smtp_accept_max & DDoS
Dňa 12. mája 2023 4:07:51 UTC používateľ Lena--- via Exim-users <exim-users@???> napísal:

>How do you know that connection is held open and timeout happens?


From logs, eg:

    2023-05-12 00:45:57 H=[52.176.51.76] Connected CC=US con=1
    2023-05-12 00:46:06 dovecot_login authenticator failed for ([52.176.51.76]) [52.176.51.76]: 535 Incorrect authentication data (set_id=...)
    2023-05-12 00:47:06 SMTP command timeout on TLS connection from ([52.176.51.76]) [52.176.51.76]
    2023-05-12 00:47:06 H=[52.176.51.76] NotQ command-timeout CC=US EHLO,AUTH

And confirmed by netstat, when i am lucky to watch it
in that time...

>I seldom see that in my logs.
>During last 30 days I see (logged in notquit ACL)
>3867 connection-lost and 63 command-timeout events


My numbers/ratio are opposite.

I initially blame my FW, which block these attempts, but
some time ago i moved that rule after ESTABLISHED accept
without significant ratio change, thus seems that FW is/was
not root of problems...

BTW, i have simillar ACL to drop on second login after
failed one (on the same connection), but these second
attempts are very rare here...

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/