
Date:  Sat, 26 Jul 2008 21:19:00 +1000
From:  Greg Kuhnert <greg.kuhnert (at mark) theanchoragesylvania.com>
Subject:  [coba-e:13607] Re: Dovecot/POP3 Flood
To:  Rodrigo Ordonez Licona <rodrigo (at mark) xnet.com.mx>
Cc:  coba-e (at mark) bluequartz.org
Message-Id:  <488B0824.8070406 (at mark) theanchoragesylvania.com>
In-Reply-To:  <200807260312.m6Q3CDm6024630 (at mark) ana.xnet.com.mx>
References:  <200807260312.m6Q3CDm6024630 (at mark) ana.xnet.com.mx>
X-Mail-Count: 13607

Hi Rodrigo.

Thanks for reposting my script back to me <grin>

On a serious side-note, there is a much later version available.... at 
http://www.gregkuhnert.com/public:bq:dfix

I've got a later version again that I've been testing - the newer 
version also detects and reports on a number of http attacks..... I'll 
let you know when it's ready for release.

Regards,
Greg.

Rodrigo Ordonez Licona wrote:
> There is a script that runs every minute as a cron job that checks for 
> these attacks, we modified it to force a dbrecover after an attack,
>  
> It has worked so far for us,
>
> Look in the archives, I can post my modified script but the credit 
> goes to someone else; we just added the dbrecover lines
>
> HTH
>  
> Rodrigo O
> Xnet
>
> ------------------------------------------------------------------------
> *From:* Jeff Keller [mailto:jeff (at mark) datatune.com]
> *Sent:* Friday, 25 July 2008 04:45
> *To:* coba-e (at mark) bluequartz.org
> *Subject:* [coba-e:13601] Re: Dovecot/POP3 Flood
>
> I'd like to configure my (hardware) firewall to block the traffic 
> that's crashing dovecot--does anybody know what this signature looks 
> like so that I can add that to the firewall?
>
> JK
>
> On Fri, Jul 25, 2008 at 3:33 PM, Greg Kuhnert 
> <greg.kuhnert (at mark) theanchoragesylvania.com 
> <mailto:greg.kuhnert (at mark) theanchoragesylvania.com>> wrote:
>
>     I was restarting the firewall, but my server was still crashing all
>     the time.... the only way to keep it on the road back then was a
>     regular reboot of the server. Anyway, I might have another look at
>     it, if the memory problem is fixed!
>
>     Ta.
>     Greg.
>
>     Dogsbody wrote:
>
>
>             ipt_recent was a great solution - but over time, I found
>             it had a memory leak. The only way to reclaim memory was a
>             reboot of the server.
>
>
>         This is due to a bug in the recent module.  It is fixed in
>         kernels 2.6.12 and above.  Until then I just do a weekly
>         restart to the firewall, it takes less than a second and
>         certainly saves bouncing the server :-)
>
>         touch /etc/cron.weekly/fwrestart.cron
>         chmod 750 /etc/cron.weekly/fwrestart.cron
>         vi /etc/cron.weekly/fwrestart.cron
>
>          #!/bin/sh
>          /etc/rc.d/init.d/iptables restart > /dev/null
>
>         I hope this helps
>
>         One day I'll fully comment up and publish my firewall rules
>         for everyone to use, life gets in the way :-/
>
>         Dan
>
>
>
>