reducing botnet attack a exim service under CPanel

/Home /Journal /Services /Projects

A client was worried about the amount of connections being generated to his server, mostly by bots. It was consuming the resources available and slowing down the SMTP service. Some settings had already been adjusted on the firewall, but limited, since the service is also used by legitimate users. When it was passed to be i went to check the config on exim and found most of it’s ratelimits being applied only to port 25, while CPanel also serves on port 465 and 587.

# BEGIN INSERT ratelimit

    accept
        hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts

    accept
        hosts = +trustedmailhosts

    accept
        condition = ${if match_ip{$sender_host_address}{net-iplsearch;/etc/trustedmailhosts}{1}{0}}

    defer
        #only rate limit port 25
        condition = ${if eq {$received_port}{25}{yes}{no}}
        message = The server has reached its limit for processing requests from your host.  Please try again later.
        log_message = "Host is ratelimited ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
        ratelimit = 1.2 / 1h / strict / per_conn / noupdate


# END INSERT ratelimit

I came up with the following rule, not only to cover any port but also to make ratelimit more sensitive for IPs that are not found in trusted list, or haven’t authenticated recently.

# BEGIN MANUAL INSERT - Universal Connection Limit for Malicious Scanning
deny
    !hosts = +loopback : +recent_authed_mail_ips : +trustedmailhosts : +backupmx_hosts
    ratelimit = 5 / 10m / $sender_host_address
    message = Connection refused: Too many connections from your IP. Please retry in 10 minutes.
    delay = 5s
# END MANUAL INSERT

Not sure what the outcome will be, still pending on client to provide feedback, maybe tomorrow? πŸ˜