[Layer 4 Flood control in iptables]
## Stamp all traffic in /proc/net/ipt_recent/DEFAULT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
## Rate limit 1 connection per sec, burst @ 2 connections (ps: this is the minimum!)
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 --name DEFAULT --rsource -j DROP
### Check control is tracking
cat /proc/net/ipt_recent/DEFAULT
src=219.74.51.247 ttl: 121 last_seen: 1956585471 oldest_pkt: 1 last_pkts: 1956585471
src=203.77.177.71 ttl: 55 last_seen: 1956582001 oldest_pkt: 2 last_pkts: 1956580036, 1956582001, 1956559582, 1956562414, 1956562578, 1956562578, 1956566109, 1956566288, 1956566288, 1956566379, 1956566379, 1956566655, 1956566655, 1956572789, 1956572803, 1956572803, 1956575804, 1956576866, 1956577023, 1956577023
src=220.255.140.57 ttl: 121 last_seen: 1956592990 oldest_pkt: 1 last_pkts: 1956592990
src=116.14.197.29 ttl: 120 last_seen: 1956591639 oldest_pkt: 1 last_pkts: 1956591639
### Check control is working
netstat -anop
and list the IPs connected to 110; you will see only 2 active connections per IP
On Tue, 22 Jul 2008 21:57:59 -0400
Robert Fitzpatrick <lists (at mark) webtent.net> wrote:
> I've seen some talk about Dovecot repeating password prompts on the list
> and while this happens to us from time to time, the procedure for
> restarting some things along with dbrecover always seems to work.
> Tonight I had two servers do it at the same time, so I'm assuming a
> flood/attack of some sort?
>
> Is there any recommended way or dovecot settings to avoid this from
> happening?
>
> --
> Robert
>
>
--
Cheers,
patrick
Redhat Certified Engineer - 804007229024607
Juniper Certified Internet Specialist - JPR31144
Cisco Certified Network Associate - CSC011028746
"We provide professional technical assistance
and excellent engineering support"
A member of Singnet team : mail-team (at mark) staff.singnet.com.sg
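
An added example, not part of the original message: a shell function that summarises the recent table from the "Check control is tracking" step, printing one line per source with the number of recorded stamps and the number of same-jiffy duplicates. It assumes that a connection dropped by the --update rule is stamped twice (once by --set, once by the matching --update), so the duplicate count approximates dropped attempts; the function names are hypothetical and the two sample rows are copied from the listing above.

```shell
#!/bin/sh
# Added example: per-source summary of an ipt_recent table.
# Assumption: a NEW packet dropped by the "--update --seconds 1 --hitcount 2"
# rule is stamped by --set and again, in the same jiffy, by the matching
# --update. Same-jiffy duplicates therefore approximate dropped attempts.
# The table keeps only a fixed number of stamps per source, so the counts
# cover recent history only.

# recent_summary [FILE]: print "src stamps duplicates" for each entry.
# FILE defaults to the table named in the rules; "-" reads standard input.
recent_summary() {
    awk '
    /^src=.*last_pkts:/ {
        src = substr($1, 5)                 # strip the "src=" prefix
        list = $0
        sub(/^.*last_pkts: */, "", list)    # keep only the stamp list
        gsub(/[ \t\r]+$/, "", list)
        n = split(list, ts, /, */)
        split("", seen)                     # portable way to clear an array
        stamps = 0; dup = 0
        for (i = 1; i <= n; i++) {
            if (ts[i] == "") continue
            stamps++
            if (ts[i] in seen) dup++        # second stamp in the same jiffy
            seen[ts[i]] = 1
        }
        print src, stamps, dup
    }' "${1:-/proc/net/ipt_recent/DEFAULT}"
}

# sample_table: two entries copied from the listing in this message.
sample_table() {
cat <<'EOF'
src=219.74.51.247 ttl: 121 last_seen: 1956585471 oldest_pkt: 1 last_pkts: 1956585471
src=203.77.177.71 ttl: 55 last_seen: 1956582001 oldest_pkt: 2 last_pkts: 1956580036, 1956582001, 1956559582, 1956562414, 1956562578, 1956562578, 1956566109, 1956566288, 1956566288, 1956566379, 1956566379, 1956566655, 1956566655, 1956572789, 1956572803, 1956572803, 1956575804, 1956576866, 1956577023, 1956577023
EOF
}

# Run against the embedded sample; on the mail server call recent_summary
# with no argument to read the live table.
sample_table | recent_summary -
```

A source with a high duplicate count is one that keeps retrying inside the one-second window and is being dropped by the second rule.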