Can't block connections

Linuc
Junior Member
Posts: 11
Joined: 06 Oct 2015, 17:54

Can't block connections

Post by Linuc »

Hi,

I am seeing an attack on exim port 25, as per:

Code:

2017-06-22 19:43:43 SMTP connection from [201.197.40.70]:13855 (TCP/IP connection count = 84)
2017-06-22 19:43:43 SMTP connection from [197.253.12.194]:18356 (TCP/IP connection count = 85)
2017-06-22 19:43:44 SMTP connection from [89.211.189.109]:55947 (TCP/IP connection count = 86)
2017-06-22 19:43:45 SMTP connection from [111.93.238.10]:16467 (TCP/IP connection count = 85)
2017-06-22 19:43:49 SMTP connection from [77.28.104.247]:38681 (TCP/IP connection count = 81)
2017-06-22 19:43:49 SMTP connection from [113.172.100.255]:10962 (TCP/IP connection count = 82)
2017-06-22 19:43:51 SMTP connection from [39.52.80.9]:24419 (TCP/IP connection count = 81)
2017-06-22 19:43:51 SMTP connection from [190.117.221.9]:40620 (TCP/IP connection count = 82)
2017-06-22 19:43:51 SMTP connection from [46.217.156.204]:29151 (TCP/IP connection count = 82)
2017-06-22 19:43:52 SMTP connection from [123.28.223.203]:28010 (TCP/IP connection count = 82)
2017-06-22 19:43:52 SMTP connection from [181.67.41.247]:29605 (TCP/IP connection count = 82)
2017-06-22 19:43:54 SMTP connection from [186.9.239.50]:46029 (TCP/IP connection count = 79)
2017-06-22 19:43:54 SMTP connection from [187.5.229.94]:30754 (TCP/IP connection count = 79)
2017-06-22 19:43:54 SMTP connection from [213.149.62.10]:11094 (TCP/IP connection count = 80)
2017-06-22 19:43:54 SMTP connection from [113.182.14.2]:43072 (TCP/IP connection count = 81)
2017-06-22 19:43:54 SMTP connection from [179.99.203.101]:29536 (TCP/IP connection count = 82)
The above is flooding the exim mail server to the point where cPanel users have difficulty sending/receiving mail.

I've enabled "blocklists" and also:

PORTFLOOD = 25;tcp;5;43200

The above does not seem to limit connections on port 25 at all.

Also tried CONNLIMIT = 25 and CT_LIMIT = 25

None of the above seems to do anything to block these.

Anyone seen this before or know of a way to block OR at least limit the connections?
ddd
Junior Member
Posts: 1
Joined: 25 Jul 2017, 14:12

Re: Can't block connections

Post by ddd »

Also having this exact same problem with no solution to block it.

Hundreds of these:

2017-07-25 15:10:35 SMTP connection from [37.72.189.70]:1228 lost
2017-07-25 15:10:35 SMTP connection from [94.177.248.136]:59075 lost
2017-07-25 15:10:35 SMTP connection from [37.72.189.70]:4934 (TCP/IP connection count = 6)
2017-07-25 15:10:35 SMTP connection from [94.177.248.136]:58786 (TCP/IP connection count = 7)
2017-07-25 15:10:35 no host name found for IP address 37.72.189.70
2017-07-25 15:10:37 SMTP connection from [37.49.224.149]:59133 lost
2017-07-25 15:10:37 SMTP connection from [37.49.224.149]:59156 (TCP/IP connection count = 7)
2017-07-25 15:10:37 no host name found for IP address 37.49.224.149
2017-07-25 15:10:37 SMTP connection from [37.72.189.70]:2024 lost
2017-07-25 15:10:37 SMTP connection from [37.72.189.70]:1798 (TCP/IP connection count = 7)
2017-07-25 15:10:37 no host name found for IP address 37.72.189.70
2017-07-25 15:10:39 SMTP connection from [94.177.248.136]:53184 lost
2017-07-25 15:10:40 SMTP connection from [94.177.248.136]:50417 (TCP/IP connection count = 7)
2017-07-25 15:10:45 SMTP connection from [37.72.189.70]:4934 lost
2017-07-25 15:10:46 SMTP connection from [94.177.248.136]:58786 lost
2017-07-25 15:10:46 SMTP connection from [94.177.248.136]:53776 (TCP/IP connection count = 6)
2017-07-25 15:10:48 SMTP connection from [37.49.224.149]:59156 lost
2017-07-25 15:10:48 SMTP connection from [37.49.224.149]:54243 (TCP/IP connection count = 6)
2017-07-25 15:10:48 no host name found for IP address 37.49.224.149
2017-07-25 15:10:48 SMTP connection from [37.72.189.70]:1798 lost
2017-07-25 15:10:48 SMTP connection from [37.72.189.70]:1333 (TCP/IP connection count = 6)
2017-07-25 15:10:48 no host name found for IP address 37.72.189.70
kdean
Junior Member
Posts: 12
Joined: 09 Apr 2013, 23:14

Re: Can't block connections

Post by kdean »

Getting thousands of these a day from hundreds of IPs, mostly from China Telecom and a few other countries. I've just been manually denying IPs and various CIDRs.

Anyone ever come up with an automatic CSF solution to detect and block these?
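An added example, not from anyone in this thread and not CSF's own code: it applies the same per-IP rule as Linuc's PORTFLOOD = 25;tcp;5;43200 to exim mainlog lines, and also measures the total connection rate across all sources, which is what a distributed flood of one connection per IP (as in the first post) actually exceeds while per-IP counters never fire. The log lines and IPs below are constructed from documentation ranges, shaped like the two logs quoted above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Accepted-connection lines in exim's mainlog; "... lost" and "no host name" lines do not match.
CONNECT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP connection from \[([0-9a-fA-F.:]+)\]:\d+ "
    r"\(TCP/IP connection count = \d+\)$")

def parse_connections(lines):
    """Yield (timestamp, ip) for each new SMTP connection in exim mainlog format."""
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def per_ip_offenders(lines, hits=5, interval=43200):
    """Same rule as CSF PORTFLOOD 'port;proto;hits;interval': flag an IP once it opens
    more than `hits` connections inside any `interval`-second window (thread uses 5;43200)."""
    windows, flagged = defaultdict(deque), {}
    for ts, ip in parse_connections(lines):
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > interval:
            q.popleft()
        if len(q) > hits:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def peak_rate(lines, window=10):
    """Peak count of new connections from ALL sources in any `window` seconds: a
    distributed flood of one hit per IP is visible here while per-IP counters stay quiet."""
    q, peak = deque(), 0
    for ts, _ in parse_connections(lines):
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak

# Constructed sample logs (documentation-range IPs), shaped like the two posts above.
DISTRIBUTED = [f"2017-06-22 19:43:{43 + i // 4:02d} SMTP connection from [198.51.100.{i}]:{10000 + i} "
               f"(TCP/IP connection count = {80 + i % 5})" for i in range(16)]
REPEATER = ["2017-07-25 15:10:35 SMTP connection from [192.0.2.10]:1228 lost",
            "2017-07-25 15:10:35 no host name found for IP address 192.0.2.10"] + [
    f"2017-07-25 15:10:{35 + i * 2} SMTP connection from [192.0.2.10]:{2000 + i} "
    f"(TCP/IP connection count = 7)" for i in range(6)]

if __name__ == "__main__":
    print("distributed, per-IP offenders:", per_ip_offenders(DISTRIBUTED))  # {} -> PORTFLOOD silent
    print("distributed, peak new conns/10s:", peak_rate(DISTRIBUTED))        # 16
    print("repeater, per-IP offenders:", per_ip_offenders(REPEATER))         # {'192.0.2.10': 6}
```

Run it against a real mainlog with `per_ip_offenders(open('/var/log/exim_mainlog'))` to get the per-IP list a CSF deny rule would need; the aggregate figure is the one to alert on when every source only connects once.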