RE: [CentOS] Re: SYD flood dropped on Sendmail (centos 4.x)

2008-11-21 Thread Chris Heiner
Good advice!

Thanks for helping without the corrective elitist attitude!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn
Sent: Thursday, November 20, 2008 5:16 PM
To: CentOS mailing list
Subject: Re: [CentOS] Re: SYD flood dropped on Sendmail (centos 4.x)

At 07:03 PM 11/20/2008, you wrote:
on 11-20-2008 3:31 PM Kai Schaetzl spake the following:
  Chris Heiner wrote on Thu, 20 Nov 2008 13:43:44 -0800:
 
  I get complaints about the servers asking for username and password.
 
  from your users or what? Of course, they may complain. A big dictionary
  attack can take almost all the bandwidth for some time or leave a backlog
  of dovecot instances.
  Please, as I understand you are a server administrator for quite a few
  machines, correct? Yet, you are answering in a way as if you just brought
  your first server online.
 
  Btw, it's a *SYN* flood, not a SYD flood and that won't change even if you
  repeat it again and again.
 
  I
  started test@ accounts all many servers to try and track it down.
 
  Pardon, you did what?
 
  I have tried restarting POP and SMTP in the past
 
  You may want to kill all dovecot instances, in case you *are* running
  dovecot (if not, then of what you use, but I know that dovecot likes to
  hang in this way if hammered). Just restarting it may not kill the backlog
  of hanging connections. A ps ax|grep login would help to see if
  instances are still running.
  Restarting SMTP: again, this has nothing to do with SMTP!
 
  Kai
 
CentOS 4 comes with a very OLD version of dovecot.
If you are using dovecot, you can get a much newer version at atrpms.net.
The upgrade might be all you need to fix it.

Watch out for this gotcha! The Dovecot version 1.0.x that comes with 
CentOS 5.x is much better and I run it and would recommend it, but 
the configs for 0.99.x (Came with CentOS 4.x) are incompatible with 
the previous version.

Cheers,
Glenn 

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


--
Gateway Anti-Spam Anti-Virus Protection by 
   Network Designs Inc. 949-727-3393 
 For a complete list of services go to 
   www.networkdesignsinc.com 
--



RE: [CentOS] Re: SYD flood dropped on Sendmail (centos 4.x)

2008-11-21 Thread Chris Heiner
Good advice!

I will upgrade the Dovecot as it sounds like a good idea. I was also
considering just redirecting the inbound port from 110 to another port.

Your simple answer is much appreciated.

Thanks for helping without the corrective elitist attitude!


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Silva
Sent: Thursday, November 20, 2008 4:03 PM
To: centos@centos.org
Subject: [CentOS] Re: SYD flood dropped on Sendmail (centos 4.x)

on 11-20-2008 3:31 PM Kai Schaetzl spake the following:
 Chris Heiner wrote on Thu, 20 Nov 2008 13:43:44 -0800:
 
 I get complaints about the servers asking for username and password.
 
 from your users or what? Of course, they may complain. A big dictionary 
 attack can take almost all the bandwidth for some time or leave a backlog 
 of dovecot instances.
 Please, as I understand you are a server administrator for quite a few 
 machines, correct? Yet, you are answering in a way as if you just brought 
 your first server online.
 
 Btw, it's a *SYN* flood, not a SYD flood and that won't change even if you
 repeat it again and again.
 
 I
 started test@ accounts all many servers to try and track it down.
 
 Pardon, you did what?
 
 I have tried restarting POP and SMTP in the past
 
 You may want to kill all dovecot instances, in case you *are* running 
 dovecot (if not, then of what you use, but I know that dovecot likes to 
 hang in this way if hammered). Just restarting it may not kill the backlog
 of hanging connections. A ps ax|grep login would help to see if 
 instances are still running.
 Restarting SMTP: again, this has nothing to do with SMTP!
 
 Kai
 
CentOS 4 comes with a very OLD version of dovecot.
If you are using dovecot, you can get a much newer version at atrpms.net.
The upgrade might be all you need to fix it.


-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't






[CentOS] Re: SYD flood dropped on Sendmail (centos 4.x)

2008-11-21 Thread Scott Silva
on 11-20-2008 5:31 PM Kai Schaetzl spake the following:
 Scott Silva wrote on Thu, 20 Nov 2008 16:03:04 -0800:
 
 CentOS 4 comes with a very OLD version of dovecot.
 If you are using dovecot, you can get a much newer version at atrpms.net.
 The upgrade might be all you need to fix it.
 
 The dovecot in CentOS 5 exhibits the same problem when hammered by 
 dictionary attacks. Is the atrpms version newer?
 
 Kai
 
You can get 1.0.15 which is the recent stable for the 1.0 series, and you can
get 1.1.16 which has many new improvements over 1.0, and is the current stable
branch. I think the 1.1 branch has some changes to the auth code that might
help. Read the dovecot wiki for the steps you need to follow to upgrade,
especially if you want to go back.

I really recommend you at least go to the 1.0 branch instead of the 0.99 beta
in CentOS 4. The indexing improvements alone are worth it.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





[CentOS] Re: SYD flood dropped on Sendmail (centos 4.x)

2008-11-21 Thread Scott Silva
on 11-21-2008 11:53 AM Scott Silva spake the following:
 on 11-20-2008 5:31 PM Kai Schaetzl spake the following:
 Scott Silva wrote on Thu, 20 Nov 2008 16:03:04 -0800:

 CentOS 4 comes with a very OLD version of dovecot.
 If you are using dovecot, you can get a much newer version at atrpms.net.
 The upgrade might be all you need to fix it.
 The dovecot in CentOS 5 exhibits the same problem when hammered by 
 dictionary attacks. Is the atrpms version newer?

 Kai

 You can get 1.0.15 which is the recent stable for the 1.0 series, and you can
 get 1.1.16 which has many new improvements over 1.0, and is the current stable
 branch. I think the 1.1 branch has some changes to the auth code that might
 help. Read the dovecot wiki for the steps you need to follow to upgrade,
 especially if you want to go back.
 
 I really recommend you at least go to the 1.0 branch instead of the 0.99 beta
 in CentOS 4. The indexing improvements alone are worth it.
 
Another option is something like fail2ban, and have it drop the connections
and add a firewall rule when you get too many bad attempts on that port.
Fail2ban can read the logs and act for you before it gets too bad.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





[CentOS] Re: SYD flood dropped on Sendmail (centos 4.x)

2008-11-20 Thread Scott Silva
on 11-20-2008 3:31 PM Kai Schaetzl spake the following:
 Chris Heiner wrote on Thu, 20 Nov 2008 13:43:44 -0800:
 
 I get complaints about the servers asking for username and password.
 
 from your users or what? Of course, they may complain. A big dictionary 
 attack can take almost all the bandwidth for some time or leave a backlog 
 of dovecot instances.
 Please, as I understand you are a server administrator for quite a few 
 machines, correct? Yet, you are answering in a way as if you just brought 
 your first server online.
 
 Btw, it's a *SYN* flood, not a SYD flood and that won't change even if you 
 repeat it again and again.
 
 I
 started test@ accounts all many servers to try and track it down.
 
 Pardon, you did what?
 
 I have tried restarting POP and SMTP in the past
 
 You may want to kill all dovecot instances, in case you *are* running 
 dovecot (if not, then of what you use, but I know that dovecot likes to 
 hang in this way if hammered). Just restarting it may not kill the backlog 
 of hanging connections. A ps ax|grep login would help to see if 
 instances are still running.
 Restarting SMTP: again, this has nothing to do with SMTP!
 
 Kai
 
CentOS 4 comes with a very OLD version of dovecot.
If you are using dovecot, you can get a much newer version at atrpms.net.
The upgrade might be all you need to fix it.


-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] Re: SYD flood dropped on Sendmail (centos 4.x)

2008-11-20 Thread Glenn

At 07:03 PM 11/20/2008, you wrote:

on 11-20-2008 3:31 PM Kai Schaetzl spake the following:
 Chris Heiner wrote on Thu, 20 Nov 2008 13:43:44 -0800:

 I get complaints about the servers asking for username and password.

 from your users or what? Of course, they may complain. A big dictionary
 attack can take almost all the bandwidth for some time or leave a backlog
 of dovecot instances.
 Please, as I understand you are a server administrator for quite a few
 machines, correct? Yet, you are answering in a way as if you just brought
 your first server online.

 Btw, it's a *SYN* flood, not a SYD flood and that won't change even if you
 repeat it again and again.

 I
 started test@ accounts all many servers to try and track it down.

 Pardon, you did what?

 I have tried restarting POP and SMTP in the past

 You may want to kill all dovecot instances, in case you *are* running
 dovecot (if not, then of what you use, but I know that dovecot likes to
 hang in this way if hammered). Just restarting it may not kill the backlog
 of hanging connections. A ps ax|grep login would help to see if
 instances are still running.
 Restarting SMTP: again, this has nothing to do with SMTP!

 Kai

CentOS 4 comes with a very OLD version of dovecot.
If you are using dovecot, you can get a much newer version at atrpms.net.
The upgrade might be all you need to fix it.


Watch out for this gotcha! The Dovecot version 1.0.x that comes with 
CentOS 5.x is much better and I run it and would recommend it, but 
the configs for 0.99.x (Came with CentOS 4.x) are incompatible with 
the previous version.


Cheers,
Glenn 

