Used the following to mitigate a denial of service against a customer on Cpanel with Exim. The attack consists of connections to port 25, where they send binary garbage rather than SMTP protocol. It ends up filling the exim logs with binary junk, and otherwise wasting resources.
This is taken from http://forums.cpanel.net/f185/sustained-exim-attack-syntax-errors-mitigation-measures-338792.html.
1) Add the following lines in the middle of /etc/csf/regex.custom.pm:
|
1 2 3 |
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\d+\D+\d+\D+\d+ \d+\D+\d+\D+\d+ SMTP call from.*\[(\d+\.\d+\.\d+\.\d+)\]:\d+ I=\[(\d+\.\d+\.\d+\.\d+)\]:\d+ dropped: too many syntax or protocol errors/)) { return ("Failed exim syntax from","$1","eximdosmatch","2","25,143","1"); } |
Some variation may be needed, depending on the exact format of the log entries. See the notes in the source URL above for more details on that.
2) Modify /etc/csf/csf.conf, change these settings:
|
1 2 3 |
LF_EMAIL_ALERT = "0" LF_PERMBLOCK_ALERT = "0" CUSTOM1_LOG = "/var/log/exim_mainlog" |
3) Apply the changes:
|
1 |
/etc/init.d/lfd restart ; csf -r |
4) Activity can be monitored with this command:
|
1 |
tail -f /var/log/lfd.log |