David Saez Padros wrote:
> Hi !!
> the problem with sqlite and also with dbm databases is that writing
> to the database locks the whole database (read/write) and only one process can
PostgreSQL handles that well enough that it is simply no longer a
factor. At least not for relatively slow changing stuff like mailer
settings.
> our problem here is that we use to suffer massive virus attacks and
> rejecting fast (as fast as possible) is the only way to survive those
> attacks.
Suggest you start Exim (and any other serious daemons) 'niced'
down, and put sshd at a higher priority. That ensures you can
access and control the box even when it is running with its
tongue hanging out.
> The fastest way we find is to reject blacklisted ip's at
> connect with an automatic blacklisting system, so we choose the fastest
> database for reads.
'Faster' yet if you turn any purely IP-based blocking over to
the firewall, and don't hesitate to (temporarily) ban entire
/24's or such.
When a concentrated storm is coming at you from multiple IP's it
is almost certainly a Zombie farm, and is under 'management' (I
won't class a 'criminal mind' as *intelligent* management, but
wet-ware is involved).
> From our experience the system is very good even if
> we update the blacklist database only once a day. If the system is under
> such an attack and on heavy load the cdb rebuild could be avoided or made
> every hour.
ACK. But a roll-in / drop-later (by rule-number spans) ipfw, pf,
ipfilter.. whichever.. ruleset is *way* faster to deploy, and
much lighter on resources as well.
What we see more of is multiple-IP, same or small selection of,
HELO in bursts. A sure sign of a coordinated attack.
Exim's forward/reverse host/HELO lookups already cache results,
yet are highly dynamic, so need little help save perhaps a
REGEXP blocklist for the chronic offenders.
Enforcing sync, and NOT advertising pipelining also helps, (we
drop sync requirement later for the 'good folks'), along with
setting 'queue_only', limiting per-IP connections, a short delay
when all is less-than-satisfactory, etc.
Mind you - the attackers aren't in 'learning' mode, but have
usually been pre-programmed to NOT sit on a connection for very
long at all.
Exim has a lot of knobs for keeping the wolves at bay.
Bill
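A worked configuration sketch of the Exim knobs Bill lists above (sync enforcement relaxed only for known-good hosts, no PIPELINING advertised to strangers, queue_only, a per-host connection cap, a short delay under load, a regexp HELO blocklist) together with the connect-time cdb reject David describes. This is an added example, not from either poster; the file path, the relay_from_hosts contents, the thresholds and the HELO patterns are assumptions.

```exim
# Added example (not from the thread): Exim 4 main-section and ACL fragments.
# /etc/exim/blacklist.cdb and the relay_from_hosts contents are assumptions.
hostlist relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# Strict SMTP sync by default: clients that talk before our greeting/response are dropped.
smtp_enforce_sync = true
# Do not advertise PIPELINING to strangers; zombie code that pipelines anyway trips the sync check.
pipelining_advertise_hosts = +relay_from_hosts
# Accept into the queue only; deliveries run from queue runners, not inline with the SMTP session.
queue_only = true
# Cap simultaneous connections per source IP and overall.
smtp_accept_max_per_host = 5
smtp_accept_max = 100
# Try (but do not require) HELO verification so $sender_helo_name has been checked.
helo_try_verify_hosts = *

acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo

begin acl

acl_check_connect:
  # Known-good hosts: relax the sync requirement and skip the rest.
  accept hosts   = +relay_from_hosts
         control = no_enforce_sync

  # Cheapest possible reject: IP-keyed lookup in a cdb built from the blacklist.
  deny   hosts   = net-cdb;/etc/exim/blacklist.cdb
         message = Connection from $sender_host_address refused (listed)

  # Under heavy load, stall unknown clients a little; pre-programmed zombies rarely wait.
  # $load_average is the 1-minute load average multiplied by 1000 (threshold assumed).
  warn   condition = ${if >{$load_average}{4000}}
         delay     = 5s

  accept

acl_check_helo:
  # Regexp blocklist for chronic offenders' HELO strings (patterns are assumptions).
  deny   condition = ${if match{$sender_helo_name}{\N^(friend|localhost|ylmf-pc|mail\.example\.net)$\N}}
         message   = HELO $sender_helo_name not accepted

  # Bursts of the same HELO from many addresses: rate-limit keyed on the HELO name.
  deny   ratelimit = 30 / 10m / strict / $sender_helo_name
         message   = Too many connections using this HELO

  accept
```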
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/