Hi, I wonder about DDoS; I will try to explain why in more detail, please excuse my English...
I have a separate MSA Exim; it authenticates users against Dovecot, and I use Dovecot's Auth Policy daemon to do some checks before the login itself. I am facing many login attempts (attacks) from ~100-200 different IPs daily, without any pattern in country/ASN/IP block. Most of them are properly identified by the mentioned Auth Policy daemon, which prevents the real login. Dovecot shows in its logs something like "drop connection". That all works as expected when IMAP login attempts happen.

The problem is in Exim. It gets (logs) an "authenticator failed ..." line; that line contains "535 Incorrect authentication data ..." too. Then it responds with that (I guess) to the client, which never responds. The connection is then held open until the timeout happens (in my case I lowered it to 60 sec). As attackers do these login attempts in waves of 10-15 IPs in a short time, there are multiple connections open until the timeout happens. They repeat logins from the same IP only after a relatively long time (days), thus blocking in the FW doesn't solve that. I have some thousands of IPs in the FW already; the count grows and currently blocks about 40-60 % of connections, but still many new IPs appear, and that has happened for about 2 years. I do not know if it is one or more attackers (botnets), but I guess that more groups are trying me.

By the docs, the default smtp_accept_max is 20; I have set it to a higher value already, but that doesn't matter, as I see that the attacker has many thousands of IPs available. Thus I wonder that it is able to reach that limit whenever it wants, just by opening many connections and abandoning them, thus effectively running a DDoS against the MSA. I haven't met that DDoS yet, but I wonder about it -- is my wondering real, or am I too paranoid? I cannot find a way to follow the mentioned "drop connection" from the Auth Policy daemon in the authenticator, thus how to drop the connection on **some** login attempts. I do not know if that is even possible, either in Exim or in Dovecot.
Please, is there a way to drop these policy-blocked logins to prevent connection timeouts? Please, does someone else wonder about/meet that too? regards -- Slavko https://www.slavino.sk/
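As an added example, not from Slavko's post or from the Exim project: a Python script that pairs Exim's "authenticator failed" lines with the later "SMTP command timeout on connection from" line from the same IP, measures how long each connection sat idle after the 535, and computes the peak number of such idle connections open at once, which is the figure to compare against smtp_accept_max. The log lines are constructed, and the exact layout of the host field between "for" and the bracketed IP is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in Exim main-log layout (host field layout is an
# assumption; your log_selector may add fields such as the incoming port).
SAMPLE_LOG = """\
2024-05-01 10:00:01 login authenticator failed for (x) [203.0.113.10]: 535 Incorrect authentication data (set_id=alice)
2024-05-01 10:00:02 login authenticator failed for (y) [203.0.113.11]: 535 Incorrect authentication data (set_id=bob)
2024-05-01 10:00:03 login authenticator failed for (z) [203.0.113.12]: 535 Incorrect authentication data (set_id=carol)
2024-05-01 10:00:04 SMTP connection from (z) [203.0.113.12] closed by QUIT
2024-05-01 10:01:01 SMTP command timeout on connection from (x) [203.0.113.10]
2024-05-01 10:01:02 SMTP command timeout on connection from (y) [203.0.113.11]
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
FAIL_RE = re.compile(TS + r" \S+ authenticator failed for .*?\[([0-9a-fA-F.:]+)\]")
TIMEOUT_RE = re.compile(TS + r" SMTP command timeout on connection from .*?\[([0-9a-fA-F.:]+)\]")


def hung_intervals(log_text, timeout_secs=60, slack=5):
    """Return (start, end, ip) for every auth failure that was followed by a
    command timeout from the same IP within timeout_secs (+slack): the span
    the connection sat idle. A failure followed by QUIT (or nothing) is not
    counted. Keyed by IP, so parallel connections from one IP collapse to one."""
    pending, intervals = {}, []
    for line in log_text.splitlines():
        if m := FAIL_RE.match(line):
            pending[m.group(2)] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        elif (m := TIMEOUT_RE.match(line)) and m.group(2) in pending:
            start = pending.pop(m.group(2))
            end = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if (end - start).total_seconds() <= timeout_secs + slack:
                intervals.append((start, end, m.group(2)))
    return intervals


def peak_concurrent(intervals):
    """Sweep line: the largest number of idle post-535 connections open at
    once. Compare it with smtp_accept_max to see how much headroom a wave leaves."""
    events = [(s, 1) for s, _, _ in intervals] + [(e, -1) for _, e, _ in intervals]
    events.sort()  # at equal times -1 sorts before +1, so touching spans don't overlap
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


if __name__ == "__main__":
    hung = hung_intervals(SAMPLE_LOG)
    for start, end, ip in hung:
        print(f"{ip}: idle {(end - start).total_seconds():.0f}s after 535")
    print("peak idle connections:", peak_concurrent(hung), "(default smtp_accept_max is 20)")
```

Run it against a real mainlog slice (`python3 script.py < /dev/null` with SAMPLE_LOG replaced by the file contents) to see how close a wave actually gets to the limit before deciding whether raising smtp_accept_max or shortening the timeout buys enough headroom.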