Hi Mike,
  Firstly, your ruleset does not appear to be the standard one used by QMT.
Try using this http://www.rhythm.cx/~steve/devel/tcptrack/ to see exactly
what is going on with your connections.
  Have you tried looking for a rootkit? If not, try this script to scan for
rootkits: http://www.rootkit.nl/projects/rootkit_hunter.html

  As a small point, it might pay to keep an ssh shell open at all times to
your server(s) using PuTTY and PuTTY Connection Manager. A second point
is to move the port ssh uses to a non-standard one.

On 13/01/2011 10:35 AM, Mike Canty wrote:
Eric,
        We are running the standard setup with iptables (see config below).
We also have in place a Cisco 800 Series Router. The firewall part is not
really my thing; can you give me some pointers?

Cheers

# Generated by iptables-save v1.3.5 on Tue Jun 29 01:43:23 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [6:1052]
-A INPUT -i eth0 -f -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 224.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 0.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 255.255.255.255 -i ! lo -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -s 221.240.0.102 -i ! lo -j DROP
-A INPUT -s 203.215.94.193 -i ! lo -j DROP
-A INPUT -s 218.71.137.68 -i ! lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 902 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Jun 29 01:43:23 2010

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Thursday, 13 January 2011 9:55 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Apache issues

On 01/12/2011 03:16 PM, Mike Canty wrote:
To all,

I have a server that is having some problems with some "apache"
services. The machine appears to have a runaway process that takes up
just over 20% of the CPU, but this is enough to stop all mail and, to a
certain extent, the network as well.

The problem for me is this machine is at a remote site. When this
process runs away, I cannot connect to the network remotely, to resolve
the issue, I need to get someone internally to log on to the server
itself and kill the process.

When I say "Apache", that is the user listed against the process, so it
must be some form of web service. The command at fault is either "std" or
"s", although I have seen a "perl" command giving issues as well, but
not to the same effect.

Does anyone have any idea what may be causing this? Or what I can do to
rectify it?

Cheers

Mike Canty

   From what you've said, it sounds a little like a DoS attack. It sounds
as though the problem process is saturating the network.

What sort of firewall, internal to QMT as well as external, is involved?


--
best wishes
  Tony White
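Since the question in the thread is whether the firewall is doing anything useful against a flood, here is a small audit script, added here as an example (it is not part of QMT or of anything posted in the thread). It parses an `iptables-save` dump in the same format Mike posted, reports the default policies, the inbound ports that accept new connections, the explicitly dropped sources, and whether any `limit`, `connlimit` or `hashlimit` match is present. The embedded ruleset is a labelled excerpt of the one quoted above; the function names and the wording of the findings are this example's own.

```python
"""Audit an iptables-save dump for what the INPUT chain exposes.

Added example for this thread, not QMT's own tooling.  Feed it the output
of `iptables-save` on stdin, or run it as-is against the embedded excerpt.
"""
import sys

# Excerpt of the filter table quoted earlier in the thread (not the full
# ruleset; enough rules of each kind to exercise the parser).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [6:1052]
-A INPUT -i eth0 -f -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 221.240.0.102 -i ! lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""

# Match modules that throttle new connections; all three exist in iptables.
RATE_LIMIT_MATCHES = {"limit", "connlimit", "hashlimit"}


def parse_rules(text):
    """Return (policies, rules): chain -> default policy, and each -A rule
    as its list of tokens.  Comments, table headers and COMMIT are skipped."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line in ("*filter", "COMMIT"):
            continue
        if line.startswith(":"):           # ":INPUT DROP [0:0]"
            chain, policy, _counters = line[1:].split(" ", 2)
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line.split())
    return policies, rules


def _target(tokens):
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def accepted_inbound_ports(rules):
    """(proto, port) for every INPUT rule that ACCEPTs a destination port."""
    ports = []
    for tok in rules:
        if tok[1] != "INPUT" or _target(tok) != "ACCEPT":
            continue
        if "-p" in tok and "--dport" in tok:
            ports.append((tok[tok.index("-p") + 1], int(tok[tok.index("--dport") + 1])))
    return ports


def dropped_sources(rules):
    """Source addresses/networks the INPUT chain drops outright."""
    return [tok[tok.index("-s") + 1] for tok in rules
            if tok[1] == "INPUT" and "-s" in tok and _target(tok) == "DROP"]


def has_rate_limit(rules):
    """True if any rule uses a limit/connlimit/hashlimit match."""
    return any(tok[i + 1] in RATE_LIMIT_MATCHES
               for tok in rules for i, t in enumerate(tok[:-1]) if t == "-m")


def findings(text):
    """Human-readable audit lines for the dump."""
    policies, rules = parse_rules(text)
    out = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            out.append(f"{chain} default policy is {policies.get(chain, 'unset')}, not DROP")
    ports = accepted_inbound_ports(rules)
    listing = ", ".join(f"{p}/{n}" for p, n in sorted(ports, key=lambda x: (x[1], x[0])))
    out.append(f"{len(ports)} inbound service ports accept new connections: {listing}")
    if not has_rate_limit(rules):
        out.append("no -m limit/connlimit/hashlimit rule: a burst of new connections "
                   "to any accepted port is not throttled by the firewall")
    out.append(f"{len(dropped_sources(rules))} source addresses/networks dropped explicitly")
    return out


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULESET
    for line in findings(text):
        print("-", line)
```

Run it with `iptables-save | python audit.py` on the box (or `python audit.py < /etc/sysconfig/iptables` on a CentOS-style install) and compare the port list with what the server is actually meant to serve; anything you cannot account for is the first thing to look at, and the absence of any throttling match is why a single misbehaving client can keep the link saturated.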



