This is taken from http://forums.cpanel.net/f185/sustained-exim-attack-syntax-errors-mitigation-measures-338792.html.
1) Add the following lines in the middle of /etc/csf/regex.custom.pm, alongside any other custom rules:

    # Match Exim "dropped: too many syntax or protocol errors" lines in the CUSTOM1_LOG
    # file; $1 captures the remote host's IP, which is what gets blocked.
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\d+\D+\d+\D+\d+ \d+\D+\d+\D+\d+ SMTP call from.*\[(\d+\.\d+\.\d+\.\d+)\]:\d+ I=\[(\d+\.\d+\.\d+\.\d+)\]:\d+ dropped: too many syntax or protocol errors/)) {
        return ("Failed exim syntax from","$1","eximdosmatch","2","25,143","1");
    }
Some variation may be needed, depending on the exact format of your log entries; see the notes at the source URL above for details.
2) In /etc/csf/csf.conf, change these settings:

    # Don't send an email for every block triggered by these rules
    LF_EMAIL_ALERT = "0"
    # Don't send an email when an IP is permanently blocked
    LF_PERMBLOCK_ALERT = "0"
    # The log file the custom rule above reads ($config{CUSTOM1_LOG})
    CUSTOM1_LOG = "/var/log/exim_mainlog"
3) Apply the changes (restart lfd, then reload csf):

    /etc/init.d/lfd restart ; csf -r
4) Blocking activity can be monitored with this command:

    tail -f /var/log/lfd.log