Tibbetts, Ric wrote:

if you're referring to which service it would be in the /etc/services file then it would be port 25 smtp/tcp

Mark Weaver wrote:

Ok, really dumb question, but I'm not leaving any stone unturned at this point....

Tibbetts, Ric wrote:
> Mark Weaver wrote:
>
>> On Wednesday 15 January 2003 11:30 am, Tibbetts, Ric scribbled nervously:
>>
>>> Mark Weaver wrote:
>>>
>>>> On Wednesday 15 January 2003 10:57 am, Tibbetts, Ric scribbled nervously:
>>>>
>>>>> Sheesh! NOW, the server (firewall side) is just bulk rejecting ALL
>>>>> connections (again!). It considers any incoming mail as a SYN attack,
>>>>> and rejects it! (egads! I'm getting tired of this chase!). I thought I
>>>>> had this sorted out...
>>>>>
>>>>> /var/log/messages is being filled with messages like:
>>>>
>>>> [snip]
>>>>
>>>>> It's all incoming mail, that is not coming in!
>>>>>
>>>>> Any thoughts on WHY it would interpret all incoming connections as an
>>>>> attack? Anything not already blocked is interpreted as a SYN attack,
>>>>> and is rejected, and added to the list....
>>>>>
>>>>> Thanks !
>>>>>
>>>>> Ric
>>>>
>>>> Ric,
>>>>
>>>> do yourself a huge favor and turn off and uninstall PortSentry. He's a
>>>> tired old man with a serious bladder control problem. he sh*ts himself
>>>> from time to time as well. do that and you should be feeling a lot
>>>> better.
>>>
>>> I shut it off when it started puking like that. Then I cleaned out
>>> /etc/hosts/deny.
>>>
>>> But it's still not accepting any connections, it's just quieter about
>>> it. It's just not receiving anything. When it did this the other day,
>>> xinetd was down. I checked that... all's well there. It's running.
>>>
>>> this is really getting frustrating! If I were 3000 miles closer, I'd
>>> shoot the thing between its transistors, and rebuild it. But I'm just a
>>> bit too far away for that.
>>>
>>> I can still ssh in, so at least I can work on it. But I'm lost as to why
>>> it started doing this again... It was fine, up until about a half hour
>>> ago.. Then it just stopped receiving connections. There's nothing in the
>>> logs.. I even tried the M$ method: Reboot.. no joy. It didn't help.
>>>
>>> And stopping portsentry doesn't make any difference. It's not the mail
>>> system either. I reverted back to the pre-spam filter version. That
>>> didn't make any difference. It's just started rejecting all connections.
>>>
>>> gotta be a reason....
>>>
>>> Ric
>>
>> well...this sounds horribly familiar, so I'll set to work trying to
>> recall what it was I was doing when this happened to me, and how I
>> handled the situation. damned thing of it I should have kept up my
>> journal of that period. there was a time when everything I touched on
>> that machine turned to crap! it's not so bad now cause I've had a lot of
>> practice. :) don't worry though...it'll come to me...eventually.
>
> Ok, let's get basic. It was running when I first checked on it this
> morning. The spam filter was tight, so I loosened that up a little
> (pure postfix config file stuff. NO systems level stuff). Then I
> restarted postfix, and the server stopped receiving connections.
>
> I rebooted.
>
> Then portsentry went crazy on the reporting, and started rejecting
> every incoming mail connection. (actually, I suspect that they were
> being rejected anyway, there was no new mail coming in before that).
>
> The last time it started acting like that, xinetd wasn't running.
> This time it is.
>
> The firewall is up. iptables is running.
>
> postfix is up
>
> I can "send" mail from it, and users from inside that network can
> pass through it, so masq'ing is working right.
>
> Why is it rejecting ALL incoming e-Mail connections?
>
> And ONLY incoming e-Mail connections. I can ssh in, and the web
> server is running, and allows connections...
>
> But any incoming e-Mail is interpreted as an attack, and rejected.
>
> Where is this coming from ?!?! (portsentry is shut off. But I've
> been running it a very long time. I've seldom found it the source of
> the problem, on the messenger. Without it, I feel like I'm running a
> bit blind...
>
> Any thoughts? Suggestions on where to look? WAGs?
>
> This server has been a super reliable server for the past 3 years.
> It's been on 8.1 for a year or so, and has never caused any problems.
> Now all the sudden... I can't keep it running...
>
> HELP!
>
> Ric

Ric, how is it you're certain that the connections to port 25 are being interpreted as attacks on the system? apart from PortSentry I can't think of anything else that would cause that port to be closed and refuse a connection. the only other cause for the connection being refused is if the service itself isn't running.

"What service"? Which one?
--
Mark
-----------------------------------------------
This laptop powered by Mandrake Linux 9.0.5
*lots of cooker packages*
Paid for by Penguins against Modern Appliances PMA(R)
-----------------------------------------------
Linux User since 1996
ICQ# 27816299