Thank you Greg,
Just a note: I added these lines for when the number of dovecot processes is
high:
killall -9 dovecot
killall -9 dovecot-auth
echo Recuperacion de Ataque de Diccionario envio de dbrecover
/etc/init.d/dbrecover start
These lines were added because the script itself wasn't enough (in our case):
dovecot was stopped but the database got corrupted very quickly, in less than
a minute. Just for sanity (it saved us the work a few times) we do the
dbrecover so that we don't have to go at 2 am to make the same process ...
And people can have their email working the next morning.
Most of the attacks on our servers are performed overnight (mainly Asiatic
and European attackers).
Hth
Rodrigo O
Xnet
-----Original Message-----
From: Greg Kuhnert [mailto:greg.kuhnert (at mark) theanchoragesylvania.com]
Sent: Saturday, July 26, 2008 05:19
To: Rodrigo Ordonez Licona
Cc: coba-e (at mark) bluequartz.org
Subject: [coba-e:13607] Re: Dovecot/POP3 Flood
Hi Rodrigo.
Thanks for reposting my script back to me <grin>
On a serious side-note, there is a much later version available.... at
http://www.gregkuhnert.com/public:bq:dfix
I've got a later version again that I've been testing - the newer version
also detects and reports on a number of http attacks..... I'll let you know
when it's ready for release.
Regards,
Greg.
Rodrigo Ordonez Licona wrote:
> There is a script that runs every minute as a cron job that checks for
> these attacks; we modified it to force a dbrecover after an attack.
>
> It has worked so far for us,
>
> look in the archives, I can post my modified script but the credit
> goes to someone else we just added the dbrecover lines
>
> HTH
>
> Rodrigo O
> Xnet
>
> ------------------------------------------------------------------------
> *From:* Jeff Keller [mailto:jeff (at mark) datatune.com]
> *Sent:* Friday, July 25, 2008 04:45
> *To:* coba-e (at mark) bluequartz.org
> *Subject:* [coba-e:13601] Re: Dovecot/POP3 Flood
>
> I'd like to configure my (hardware) firewall to block the traffic
> that's crashing dovecot--does anybody know what this signature looks
> like so that I can add that to the firewall?
>
> JK
>
> On Fri, Jul 25, 2008 at 3:33 PM, Greg Kuhnert
> <greg.kuhnert (at mark) theanchoragesylvania.com
> <mailto:greg.kuhnert (at mark) theanchoragesylvania.com>> wrote:
>
> I was restarting firewall, but my server was still crashing all
> the time.... the only way to keep it on the road back then was a
> regular reboot of the server. Anyway, I might have another look at
> it, if the memory problem is fixed!
>
> Ta.
> Greg.
>
> Dogsbody wrote:
>
>
> ipt_recent was a great solution - but over time, I found
> it had a memory leak. The only way to reclaim memory was a
> reboot of the server.
>
>
> This is due to a bug in the recent module. It is fixed in
> kernels 2.6.12 and above. Until then I just do a weekly
> restart to the firewall, it takes less than a second and
> certainly saves bouncing the server :-)
>
> touch /etc/cron.weekly/fwrestart.cron
> chmod 750 /etc/cron.weekly/fwrestart.cron
> vi /etc/cron.weekly/fwrestart.cron
>
> #!/bin/sh
> /etc/rc.d/init.d/iptables restart > /dev/null
>
> I hope this helps
>
> One day I'll fully comment up and publish my firewall rules
> for everyone to use, life gets in the way :-/
>
> Dan
>
>
>
>
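
The recovery step described in the top message of this thread (kill dovecot when its process count is high, then run dbrecover), as an added shell sketch for a once-a-minute cron job. It is not Greg's dfix script and not code from any message here; the threshold `MAX_PROCS`, the `DRY_RUN` switch, the function names and the dovecot 1.x process-name list are assumptions.

```shell
#!/bin/sh
# Added example: dovecot process-count watchdog (dry-run by default).
MAX_PROCS="${MAX_PROCS:-40}"   # hypothetical threshold, tune per server
DRY_RUN="${DRY_RUN:-1}"        # 1 = only report what would be run

# Count dovecot-related command names read from stdin, one per line
# (the format printed by `ps -e -o comm=`). Name list is an assumption.
count_dovecot() {
    grep -c -E '^(dovecot|dovecot-auth|pop3-login|imap-login|pop3|imap)$' || true
}

# Exit status 0 when count ($1) is above the threshold ($2).
over_limit() {
    [ "$1" -gt "$2" ]
}

# Run a command, or just report it on stderr in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "would run: $*" >&2; else "$@"; fi
}

# The commands from the message, in the same order.
recover() {
    run killall -9 dovecot
    run killall -9 dovecot-auth
    run /etc/init.d/dbrecover start
}

# Read a process list on stdin; print "recover" or "ok" on stdout.
check_once() {
    n=$(count_dovecot)
    if over_limit "$n" "$MAX_PROCS"; then
        run logger -t dovecot-watchdog "dovecot processes: $n > $MAX_PROCS"
        recover
        echo "recover"
    else
        echo "ok"
    fi
}

# Constructed sample process list: 60 login processes plus the daemons.
sample_flood() {
    i=0
    while [ "$i" -lt 60 ]; do echo pop3-login; i=$((i + 1)); done
    echo dovecot; echo dovecot-auth; echo sshd
}

# Cron entry point: pass --cron to check the live process table.
if [ "${1:-}" = "--cron" ]; then ps -e -o comm= | check_once; fi
```

Run it with `DRY_RUN=1` first and compare the reported count against a normal busy hour before choosing `MAX_PROCS`, since a threshold set too low will kill legitimate sessions every minute.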