Article 9615 at 07/04/19 03:58:05 From: brian (at mark) nuonce.net Subject: [coba-e:09615] Re: Back by popular demand

Index: [Article Count Order] [Thread]

Date:  Wed, 18 Apr 2007 15:05:17 -0400 (EDT)
From:  "Brian N. Smith" <brian (at mark) nuonce.net>
Subject:  [coba-e:09615] Re: Back by popular demand -  Dovecot/POP3 Flood
To:  coba-e (at mark) bluequartz.org
Message-Id:  <Pine.LNX.4.63.0704181457370.18787 (at mark) mail.nuonce.net>
In-Reply-To:  <200704181640.l3IGe6Rc004080 (at mark) srv1.nickelnetworks.com>
References:  <200704181640.l3IGe6Rc004080 (at mark) srv1.nickelnetworks.com>
X-Mail-Count: 09615

> By popular demand the issue is back......
>
> Apr 18 08:45:07 srv1 dovecot: pop3-login: Aborted login: rip=127.0.0.1,
> lip=127.0.0.1, secured
> Apr 18 08:45:13 srv1 dovecot: pop3-login: Aborted login: user=<test>,
> method=PLAIN, rip=81.18.67.70, lip=10.5.36.4

What do you think about changing; auth_worker_max_count?  Maybe create a 
max of 10?  The auth module is what seems to explode.

My only other suggestion is to use iptables to control flooding.  I 
haven't found anything else that may suggest anything better.

When your system starting going nutz, did you do a "ps aux"?  did you see 
a lot of the dove_auth apps running?

Brian

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.