Hello everyone,
here[tm] there was a DoS attack this afternoon, intentional or
unintentional, which led to Exim no longer accepting any further
connections:
2021-04-29 15:35:27 Connection from [a.b.c.d] refused: too many connections
2021-04-29 15:35:41 Connection from [e.f.g.h] refused: too many connections
2021-04-29 15:37:04 Connection from [k.l.m.n] refused: too many connections
I then set this:
smtp_accept_max_per_host = 10
#smtp_accept_max = 20 # this is the default
In my opinion this is a sensible countermeasure.
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html
---
smtp_accept_max Use: main Type: integer Default: 20
This option specifies the maximum number of simultaneous incoming SMTP
calls that Exim will accept. It applies only to the listening daemon;
there is no control (in Exim) when incoming SMTP is being handled by
inetd. If the value is set to zero, no limit is applied. However, it is
required to be non-zero if either smtp_accept_max_per_host or
smtp_accept_queue is set. See also smtp_accept_reserve and
smtp_load_reserve.
A new SMTP connection is immediately rejected if the smtp_accept_max
limit has been reached. If not, Exim first checks
smtp_accept_max_per_host. If that limit has not been reached for the
client host, smtp_accept_reserve and smtp_load_reserve are then checked
before accepting the connection.
smtp_accept_max_per_host Use: main Type: string† Default: unset
This option restricts the number of simultaneous IP connections from a
single host (strictly, from a single IP address) to the Exim daemon. The
option is expanded, to enable different limits to be applied to
different hosts by reference to $sender_host_address. Once the limit is
reached, additional connection attempts from the same host are rejected
with error code 421. This is entirely independent of
smtp_accept_reserve. The option’s default value of zero imposes no
limit. If this option is set greater than zero, it is required that
smtp_accept_max be non-zero.
Warning: When setting this option you should not use any expansion
constructions that take an appreciable amount of time. The expansion and
test happen in the main daemon loop, in order to reject additional
connections without forking additional processes (otherwise a
denial-of-service attack could cause a vast number of processes to be
created). While the daemon is doing this processing, it cannot accept
any other incoming connections.
---
Are there other opinions? Any other comments and/or additions?
Thanks & best regards
Paul
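
An added example, not part of the original post: a small Python triage script that reads Exim main-log lines like the ones quoted above and reports which limit produced each refusal and which client addresses were turned away, so that the effect of setting smtp_accept_max_per_host can be checked after the change. The sample lines are constructed; the "from that IP address" wording for the per-host limit and the optional `:port` suffix are assumptions about the log format and do not appear in the post.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines (documentation-range addresses).
SAMPLE_LOG = """\
2021-04-29 15:35:27 Connection from [192.0.2.10] refused: too many connections
2021-04-29 15:35:28 Connection from [192.0.2.10] refused: too many connections
2021-04-29 15:35:41 Connection from [198.51.100.7] refused: too many connections
2021-04-29 15:36:02 Connection from [192.0.2.10] refused: too many connections from that IP address
2021-04-29 15:37:04 Connection from [203.0.113.5]:41234 refused: too many connections
2021-04-29 15:37:10 1lc7Xy-0001Ab-2C <= user@example.org H=mail.example.org [203.0.113.9] P=esmtps S=2048
"""

# Timestamp, bracketed client address, optional :port, then the refusal text.
REFUSED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Connection from "
    r"\[(?P<ip>[^\]]+)\](?::\d+)? refused: too many connections(?P<rest>.*)$"
)


def summarize(log_text):
    """Return (refusals per limit type, refusals per client address)."""
    by_limit = Counter()
    by_ip = Counter()
    for line in log_text.splitlines():
        m = REFUSED.match(line)
        if not m:
            continue  # deliveries and other log lines are ignored
        # Bare message: the daemon-wide smtp_accept_max limit was hit.
        # Suffixed message (assumed wording): smtp_accept_max_per_host was hit.
        limit = "per_host" if "from that IP address" in m["rest"] else "global"
        by_limit[limit] += 1
        by_ip[m["ip"]] += 1
    return by_limit, by_ip


if __name__ == "__main__":
    by_limit, by_ip = summarize(SAMPLE_LOG)
    print("refusals by limit:", dict(by_limit))
    for ip, count in by_ip.most_common(5):
        print(f"{count:5d}  {ip}")
```

The per-address counts list who was turned away, which is not necessarily who was holding the connections. If refusals remain mostly "global" after the per-host limit is in place, the daemon-wide pool is still being exhausted across several addresses.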