On 2013-12-19, Gary Stainburn <[email protected]> wrote:
> On a number of occasions I've had my server DOS'd because of a number of
> incoming connections hanging and then getting hundreds of the following entry
> in my logs (different IPs)
>
> /var/log/exim/main.log-20131215:2013-12-13 19:08:15 Connection from
> [85.137.122.107] refused: too many connections
>
> If I look at exiwhat I see things like
>
> 29719 handling incoming connection from mail.orovia.com [109.108.128.13]
>
> hanging around for long periods. In the case of the above IP address, the
> connections did not close, then multiple connections used up multiple
> connections hence the DOS.
>
> I now block that IP on my server using the acl_smtp_connect ACL, which has
> stopped the DOS attack, but while I've been monitoring the server I have seen
> a number of IPs that sit there for much longer than they should. I have
> reduced smtp_receive_timeout to 4m which is probably how long these
> connections are staying open.
>
> My questions are:
>
> 1) is there a way to catch these time-outs so that the offending IP address
> can be recorded?

log something in ACL_NOTQUIT

> 2) Is there a way to time how long a message takes? If possible, timing
> separate stages of the delivery?

log more stuff, also the exim-id is based on the timestamp when they said 'data'

> I currently have a manually maintained file /etc/exim/ip_blacklist.lst which
> gets checked as part of the acl_smtp_connect ACL.
>
> I am looking to have exim maintain a SQL table adding entries for offending IPs

I use that approach, it seems to work ok. fail2ban, and exim's own ratelimit may be other options

--
For a good time: install ntp

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
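The three things the reply points at (logging from the not-QUIT ACL, a blocklist lookup in acl_smtp_connect, and exim's own ratelimit) put together as an added configuration example; it is not from the thread or the Exim project. The ACL names, the MySQL table `bad_hosts` with columns `ip` and `seen`, and the limit of 10 connections per hour are assumptions.

```exim
# Added example, not from the thread.  Main-section settings from the post,
# wired to two ACLs defined below.  Table name and limits are assumptions.
smtp_receive_timeout = 4m
acl_smtp_connect     = acl_check_connect
acl_smtp_notquit     = acl_check_notquit

begin acl

acl_check_connect:
  # The manually maintained list from the post: one host, IP or CIDR per line
  deny  hosts       = /etc/exim/ip_blacklist.lst
        log_message = blacklisted in ip_blacklist.lst

  # Same check against a table exim itself fills in (assumed MySQL schema)
  deny  condition   = ${lookup mysql{SELECT 1 FROM bad_hosts \
                        WHERE ip = '${quote_mysql:$sender_host_address}'}{yes}{no}}
        log_message = blacklisted in bad_hosts table

  # exim's own ratelimit: count connections per client address (per_conn);
  # strict keeps counting refused ones, so a flood does not reset the clock
  deny  ratelimit   = 10 / 1h / per_conn / strict
        log_message = connection rate $sender_rate per $sender_rate_period
  accept

acl_check_notquit:
  # Runs when a session ends without QUIT.  $smtp_notquit_reason is
  # command-timeout or data-timeout for the hung sessions from the post,
  # connection-lost for a client that simply dropped, and so on.
  warn  condition   = ${if match{$smtp_notquit_reason}{timeout}}
        logwrite    = :main: NOTQUIT $smtp_notquit_reason from \
                      $sender_host_address [$sender_host_name]

  # Record the offender so acl_check_connect refuses it next time.
  # A non-SELECT lookup yields the affected row count; {yes}{yes} ignores
  # it either way so a database hiccup never affects the session outcome.
  warn  condition   = ${if match{$smtp_notquit_reason}{timeout}}
        condition   = ${lookup mysql{INSERT IGNORE INTO bad_hosts (ip, seen) \
                        VALUES ('${quote_mysql:$sender_host_address}', NOW())}{yes}{yes}}
  accept
```

A `grep NOTQUIT /var/log/exim/main.log` then lists the timed-out peers with their addresses, which answers question 1 without any external tooling.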
