Linux : cPanel Exim service keeps bouncing up/down

By | March 6, 2022

If you are receiving a lot of cPanel notification messages stating that the Exim mail server service is flapping (going down and coming back up repeatedly), such as these :

The service “exim-26,465,587” appears to be down.
The service “exim-26,465,587” is now operational.

You are most likely the victim of some sort of denial-of-service attack against your SMTP server, which is more and more common these days. These attacks usually do not compromise the server; they simply exhaust the number of simultaneous SMTP connections allowed by your Exim configuration, so legitimate clients, and cPanel's service monitor (chkservd) that generates the notifications above, can no longer get a connection and the service is reported down.

You can check whether the connections are legitimate or are being consumed by someone who wants to impact your service with the following command (Exim logs the current connection count on every new SMTP connection when the smtp_connection log selector is enabled, which is the case on the server shown here) :

grep 'TCP/IP connection count' /var/log/exim_mainlog

You will then get an output looking like this :

[…]
2022-01-23 03:54:54 SMTP connection from [0.0.0.1]:38718 (TCP/IP connection count = 99)
2022-01-23 03:54:54 SMTP connection from [0.0.0.2]:5230 (TCP/IP connection count = 100)
2022-01-23 03:54:54 SMTP connection from [0.0.0.3]:58770 (TCP/IP connection count = 100)
2022-01-23 03:54:55 SMTP connection from [0.0.0.1]:32030 (TCP/IP connection count = 99)
2022-01-23 03:54:55 SMTP connection from [0.0.0.2]:24342 (TCP/IP connection count = 99)
2022-01-23 03:54:56 SMTP connection from [0.0.0.3]:39788 (TCP/IP connection count = 96)
[…]

If, as in the example above, you see the connection count pinned at the maximum by the same few IPs over and over again, that clearly indicates abuse of the service (the default connection limit of the Exim service on cPanel is 100, controlled by the smtp_accept_max option). Normal mail traffic is spread across many sources, each holding a handful of connections; a single source holding dozens of slots is not normal. The worst thing to do would be to increase the number of allowed connections : it only briefly solves the issue until the larger pool is saturated again.

The right thing to do in this case is to block the offending IP(s)/subnet(s)/prefix(es) on the server firewall, and then send an abuse report to the network operator of the ASN announcing the prefix, with the log excerpts needed to back up your claim. Before blocking, make sure the address is not something you rely on (an outbound relay, a monitoring host or your own office NAT), and check the block does not cut off a legitimate customer. As a longer-term control, Exim's smtp_accept_max_per_host option caps how many of the connection slots a single source address can hold, so one client can no longer exhaust the whole pool on its own.

If you are using CSF, you can use the command below, specifying the IP or subnet in CIDR notation (example) :

csf -d 0.0.0.1/32

This adds a permanent entry to /etc/csf/csf.deny. If you would rather block for a limited time while the abuse report is processed, csf -td <ip> <ttl> does the same for a given number of seconds.

With iptables (example) :

iptables -I INPUT -s 0.0.0.1/32 -j DROP

Note that a rule inserted this way is not persistent across a reboot and will be flushed by CSF the next time it restarts, so on a CSF-managed server prefer the csf command above. For IPv6 sources, use ip6tables with the same rule.
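Putting the log check and the blocking step together, the script below is an added example (not code from the original post) that ranks source addresses by how often they opened an SMTP connection while Exim was at or near its limit, then prints, without running them, the csf deny commands for the worst offenders. The sample log lines are constructed in the same format as the exim_mainlog excerpt above; the 0.0.0.x addresses are placeholders and 203.0.113.7 is a documentation address standing in for a normal client. The limit (100) and the "within 5 of the limit" threshold are assumptions you should adjust to your smtp_accept_max value.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Rank source IPs by how often they connected while Exim was saturated,
# then emit (but do not execute) the matching CSF deny commands.
# Usage: sh smtp_pressure.sh [/var/log/exim_mainlog] [limit]
#        with no arguments it runs against a constructed sample log.

# Constructed sample in exim_mainlog format (placeholder addresses, not real data).
write_sample_log() {
    cat > "$1" <<'EOF'
2022-01-23 03:54:54 SMTP connection from [0.0.0.1]:38718 (TCP/IP connection count = 99)
2022-01-23 03:54:54 SMTP connection from [0.0.0.2]:5230 (TCP/IP connection count = 100)
2022-01-23 03:54:54 SMTP connection from [0.0.0.3]:58770 (TCP/IP connection count = 100)
2022-01-23 03:54:55 SMTP connection from [0.0.0.1]:32030 (TCP/IP connection count = 99)
2022-01-23 03:54:55 SMTP connection from [0.0.0.2]:24342 (TCP/IP connection count = 99)
2022-01-23 03:54:56 SMTP connection from [0.0.0.3]:39788 (TCP/IP connection count = 96)
2022-01-23 03:55:10 SMTP connection from [203.0.113.7]:40001 (TCP/IP connection count = 3)
2022-01-23 03:55:11 SMTP connection from [0.0.0.2]:24400 (TCP/IP connection count = 100)
EOF
}

# Print "hits ip" for every source that connected when the count was within
# 5 of the limit (assumed default 100), busiest first, ties by IP.
# "hits" = number of such log lines, i.e. how often that source was grabbing a
# slot while the server was already saturated.
saturated_sources() {
    log="$1"
    limit="${2:-100}"
    awk -v floor="$((limit - 5))" '
        /SMTP connection from \[/ && /TCP\/IP connection count = / {
            ip = $0
            sub(/.*SMTP connection from \[/, "", ip)   # drop everything before the address
            sub(/\].*/, "", ip)                        # drop "]:port (...)" after it
            n = $0
            sub(/.*connection count = /, "", n)        # isolate the numeric count
            sub(/\).*/, "", n)
            if (n + 0 >= floor) hits[ip]++
        }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' "$log" | sort -k1,1nr -k2,2
}

# Emit the CSF deny command for each source with at least "min_hits" saturated
# connections. Review the list before running any of it: a relay you depend on
# or your own monitoring host can also show up here. A bare address (no /32)
# is passed so the same line works for IPv6 sources.
deny_commands() {
    min="${3:-2}"
    saturated_sources "$1" "$2" | awk -v min="$min" '$1 >= min { printf "csf -d %s\n", $2 }'
}

if [ "$#" -eq 0 ]; then
    # Stand-alone demo on the constructed sample.
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "# hits source"
    saturated_sources "$tmp" 100
    echo "# suggested blocks (review first):"
    deny_commands "$tmp" 100 2
    rm -f "$tmp"
else
    saturated_sources "$1" "${2:-100}"
fi
```

On a live server, run it as sh smtp_pressure.sh /var/log/exim_mainlog 100 (or whatever your smtp_accept_max is) and compare the top lines against the normal client population; a legitimate mail peer rarely appears more than a few times at the top of the list, whereas an attacker will dominate it for every minute the service was flapping.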