[exim] Re: smtp_accept_max & DDoS

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Andrew C Aitchison
Fecha:  
A: Cyborg
Cc: exim-users
Asunto: [exim] Re: smtp_accept_max & DDoS
7On Sat, 13 May 2023, Cyborg via Exim-users wrote:

> It's easy to detect if someone if blocking your exim:
>
> Loop over :
>
> 1. Getting all ID-Tripples
>
> netstat -lnap | grep exim | grep <INSERT WORD CONNECTED IN YOUR SYSLANG
> HERE>   | awk '{print $5":"$7;}' | sed -e "s/\/exim//g"
>
> 87.123.20.215:36858:1127858
> 87.123.20.215:36834:1127839
> 87.123.20.215:36844:1127849
>
> You now have the identifing tripple, it's highly unlikely, next to
> impossible to get the same tripple of ip:port:processid again.


I think those three values are all available within exim.
Since the issue is after a failed auth, can you do something
with them after an appropriate test in the auth acl ?
Possibilities include:
1. logging, and having a reaper daemon watching the logs
and killing any of these processes that survive a delay.
2. using ${run} or exim's perl process to start a script
which delays snd then kills the pid.

> 2. Check them against a HASH with the tripple as key and a timestamp as
> value
>
> 3. if tripple is not in hash , put in with now() as timestamp
>     if tripple is in hash, check if timestamp is xxx seconds old, end exim
> with "kill $pid" and "iptables -A smtpattacker -s $IP -j DROP"
>
> 4. if you find tripples in the hash, that are not in the actual set of
> tripples from step 1 , remove them from hash.
>
> 5. Sleep 10s
>
> End Loop
>
> I suggest to choose your timeout for the kill wisely, as some servers send
> a big chunk of data slow as hell, but a reasonable amount would be 30s.
> In addition, the netstat output could give out, if any data is in the
> connection buffer as an indicator that the host as send real data as an
> indication for a valid connection attempt.


By logging or triggering this in an ACL and only when the problem occurs
we avoid the case of slow but valid incoming connections.

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/