{"id":238,"date":"2017-03-07T10:51:29","date_gmt":"2017-03-07T02:51:29","guid":{"rendered":"http:\/\/matnet.my\/blog\/?p=238"},"modified":"2017-03-07T10:58:34","modified_gmt":"2017-03-07T02:58:34","slug":"cpanel-server-exim-ddos-attack","status":"publish","type":"post","link":"https:\/\/matnet.my\/blog\/2017\/03\/cpanel-server-exim-ddos-attack\/","title":{"rendered":"Cpanel Server – Exim DDOS Attack"},"content":{"rendered":"

\"\"<\/a>1. Recently, my server was DDOS. It’s so frustrated when the server has been suspended by the ISP.<\/p>\n

2. From the log, there are too many SMTP connection and confirm one of my client mail has been bomb.<\/p>\n

3. This is my first experience facing Exim DDOS. Therefore, all the configs of exim are default and never customized.<\/p>\n

4. This is some of my mitigation action<\/p>\n

5. Analyze the \/var\/log\/exim_mainlog :<\/p>\n

– There are so many “Connection from [*.*.*.*] refused: too many connections: 34 Time(s)
\n– The IP connected was random from all over the world
\n– Identified suspected domain.<\/p>\n

6. Check connection : netstat -anp |grep 25<\/p>\n

There so many IP established to main server IP address.<\/p>\n

7. Backup and suspend\/terminate suspected hosting. Eventhough the hosting account was terminated the DDOS still running since the bomb
\nalready resolved server IP address.<\/p>\n

8. Tuning ACL Option and restart exim. Doesn’t work, DDOS still coming and coming. Tail -f showed exim_mainlog like an IRC Flood.<\/p>\n

9. Finding solution with CSF\/LFD, unfortunately it can’t handle exim DOS.<\/p>\n

10. I’m lack of idea and stress, then come a simple idea which is replace the IP address with the new one.<\/p>\n

11. But it’s not that simple. I need to change main server IP address that is shared by 400+ domains.<\/p>\n

12. Huh~ done changing of 400+ vhosts and changing interface IP address.<\/p>\n

13. Cleanup DNS properly with new IP.<\/p>\n

14. Restart network and exim.<\/p>\n

15. tail exim_mainlog and walla .. alhamdullillah.<\/p>\n

16. To prevent further threat i did installed fail2ban and customize with exim dos protection follow by this instruction :<\/p>\n

Blocking Exim DOS\/mail bombs<\/a><\/p><\/blockquote>\n