Cpanel Server – Exim DDOS Attack

1. Recently, my server was DDOS. It’s so frustrated when the server has been suspended by the ISP.

2. From the log, there are too many SMTP connection and confirm one of my client mail has been bomb.

3. This is my first experience facing Exim DDOS. Therefore, all the configs of exim are default and never customized.

4. This is some of my mitigation action

5. Analyze the /var/log/exim_mainlog :

– There are so many “Connection from [*.*.*.*] refused: too many connections: 34 Time(s)
– The IP connected was random from all over the world
– Identified suspected domain.

6. Check connection : netstat -anp |grep 25

There so many IP established to main server IP address.

7. Backup and suspend/terminate suspected hosting. Eventhough the hosting account was terminated the DDOS still running since the bomb
already resolved server IP address.

8. Tuning ACL Option and restart exim. Doesn’t work, DDOS still coming and coming. Tail -f showed exim_mainlog like an IRC Flood.

9. Finding solution with CSF/LFD, unfortunately it can’t handle exim DOS.

10. I’m lack of idea and stress, then come a simple idea which is replace the IP address with the new one.

11. But it’s not that simple. I need to change main server IP address that is shared by 400+ domains.

12. Huh~ done changing of 400+ vhosts and changing interface IP address.

13. Cleanup DNS properly with new IP.

14. Restart network and exim.

15. tail exim_mainlog and walla .. alhamdullillah.

16. To prevent further threat i did installed fail2ban and customize with exim dos protection follow by this instruction :

Blocking Exim DOS/mail bombs

This article was written by matn0t.