Re: [qmailtoaster] QMT service lock errors
On 09/07/11 19:31, Sergio M wrote:
> On -10/01/37 16:59, Jake Vickers wrote:
>> On 07/07/2011 11:47 AM, Sergio M wrote:
>>> Hi there list.
>>>
>>> Yesterday I had this weird problem with my QMT box. First, the SMTP and POP3 services stopped answering. So I ssh'ed in and ran a qmailctl stat. Every service looked like this:
>>>
>>> supervise: fatal: unable to acquire log/supervise/lock: read-only file system
>>>
>>> So I tried to qmailctl stop and start, but neither of them worked. I decided to reboot. And then I lost connection to the box. After I made it to the datacenter, I found out that it was stuck in the boot sequence, waiting for the root password to be entered to make a manual fsck. I entered passwd, ran 'fsck /' and it fixed some inodes and stuff. It finished booting and everything went back to normal. I forced a fsck with 'shutdown -Fr now' and found nothing.
>>>
>>> So the questions:
>>> 1. I found nothing about this read-only error on the archives. Anyone has any ideas of what might have happened or where to look for possible causes?
>>> 2. Is there a way to configure CentOS to do this fsck on boot completely unattended? So that if it reboots again there is no need to go to the NOC to enter the root password and run the fsck manually?
>>
>> This is not QMT specific. Look in your messages file for medium errors - what most likely happened is that there were some bad sectors on the disk, which ended up timing out and causing the system to mount it read only.
>>
>> As far as automatically doing this on a boot (when needed), yes and no. Yes if the system is not in too bad of shape - no if the system is bricked. In your /etc/fstab file, the fifth column is your dump options, and the sixth column your filesystem check options. Dump is for backups, so you can ignore. The sixth column for the filesystem check - that's the one you want. When the system boots up, it determines what order to do a filesystem check (if needed) by the number in the sixth column. If it's a zero, it is not checked, and if there was an error on that system it will be unmounted or read only when the system boots up. I normally use a 1 for my root filesystem to get that checked first, but that's my option.
>
> Ok, thank you Jake. I will clone the HDD in a new one just to be sure and leave the old one aside.
>
> Thanks!
> -Sergio

Hey guys, today I went to the datacenter to clone the HDD and found the screen like this: http://tinyurl.com/6zhjlk4

However, all services were OK. Anyway I cloned the HDD with G4L from Hirens Boot CD 14.x and replaced the HDD and the SATA cable too.

Thanks guys!
Sergio

-
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: Re: [qmailtoaster] QMT service lock errors
On -10/01/37 16:59, Jake Vickers wrote:
> On 07/07/2011 11:47 AM, Sergio M wrote:
>> Hi there list.
>>
>> Yesterday I had this weird problem with my QMT box. First, the SMTP and POP3 services stopped answering. So I ssh'ed in and ran a qmailctl stat. Every service looked like this:
>>
>> supervise: fatal: unable to acquire log/supervise/lock: read-only file system
>>
>> So I tried to qmailctl stop and start, but neither of them worked. I decided to reboot. And then I lost connection to the box. After I made it to the datacenter, I found out that it was stuck in the boot sequence, waiting for the root password to be entered to make a manual fsck. I entered passwd, ran 'fsck /' and it fixed some inodes and stuff. It finished booting and everything went back to normal. I forced a fsck with 'shutdown -Fr now' and found nothing.
>>
>> So the questions:
>> 1. I found nothing about this read-only error on the archives. Anyone has any ideas of what might have happened or where to look for possible causes?
>> 2. Is there a way to configure CentOS to do this fsck on boot completely unattended? So that if it reboots again there is no need to go to the NOC to enter the root password and run the fsck manually?
>
> This is not QMT specific. Look in your messages file for medium errors - what most likely happened is that there were some bad sectors on the disk, which ended up timing out and causing the system to mount it read only.
>
> As far as automatically doing this on a boot (when needed), yes and no. Yes if the system is not in too bad of shape - no if the system is bricked. In your /etc/fstab file, the fifth column is your dump options, and the sixth column your filesystem check options. Dump is for backups, so you can ignore. The sixth column for the filesystem check - that's the one you want. When the system boots up, it determines what order to do a filesystem check (if needed) by the number in the sixth column. If it's a zero, it is not checked, and if there was an error on that system it will be unmounted or read only when the system boots up. I normally use a 1 for my root filesystem to get that checked first, but that's my option.

Ok, thank you Jake. I will clone the HDD in a new one just to be sure and leave the old one aside.

Thanks!
-Sergio
[qmailtoaster] QMT service lock errors
Hi there list.

Yesterday I had this weird problem with my QMT box. First, the SMTP and POP3 services stopped answering. So I ssh'ed in and ran a qmailctl stat. Every service looked like this:

supervise: fatal: unable to acquire log/supervise/lock: read-only file system

So I tried to qmailctl stop and start, but neither of them worked. I decided to reboot. And then I lost connection to the box. After I made it to the datacenter, I found out that it was stuck in the boot sequence, waiting for the root password to be entered to make a manual fsck. I entered passwd, ran 'fsck /' and it fixed some inodes and stuff. It finished booting and everything went back to normal. I forced a fsck with 'shutdown -Fr now' and found nothing.

So the questions:
1. I found nothing about this read-only error on the archives. Anyone has any ideas of what might have happened or where to look for possible causes?
2. Is there a way to configure CentOS to do this fsck on boot completely unattended? So that if it reboots again there is no need to go to the NOC to enter the root password and run the fsck manually?

My QMT data:

# qtp-whatami v0.3.7
Thu Jul 7 12:39:23 ART 2011
DISTRO=CentOS
OSVER=5.6
QTARCH=x86_64
QTKERN=2.6.18-238.12.1.el5
BUILD_DIST=cnt5064
BUILD_DIR=/usr/src/redhat
This machine's OS is supported and has been tested

# rpm -qa | grep toaster
ezmlm-toaster-0.53.324-1.3.6
ezmlm-cgi-toaster-0.53.324-1.3.6
libsrs2-toaster-1.0.18-1.3.6
maildrop-toaster-devel-2.0.3-1.3.8
qmailmrtg-toaster-4.2-1.3.6
ucspi-tcp-toaster-0.88-1.3.9
maildrop-toaster-2.0.3-1.3.8
simscan-toaster-1.4.0-1.3.8
courier-imap-toaster-4.1.2-1.3.10
squirrelmail-toaster-1.4.20-1.3.17
clamav-toaster-0.97.1-1.3.42
daemontools-toaster-0.76-1.3.6
courier-authlib-toaster-0.59.2-1.3.10
autorespond-toaster-2.0.4-1.3.6
libdomainkeys-toaster-0.68-1.3.6
isoqlog-toaster-2.1-1.3.7
spamassassin-toaster-3.2.5-1.3.17
qmailtoaster-plus-0.3.2-1.4.16
qmailadmin-toaster-1.2.15-1.3.9
qmailtoaster-plus.repo-0.2-2
qmail-toaster-1.03-1.3.20
qmail-pop3d-toaster-1.03-1.3.20
send-emails-toaster-0.5-1.3.7
vpopmail-toaster-5.4.17-1.3.7
ripmime-toaster-1.4.0.6-1.3.6
control-panel-toaster-0.5-1.3.7
vqadmin-toaster-2.3.4-1.3.6

Thanks guys for your help and thoughts!
-Sergio

--
___
Sergio Minini
NetKey Solutions
http://www.netkey.com.ar
/** Sent from outside the office **/
Re: Re: [qmailtoaster] Re: SMTP attack
Pak Ogah wrote:
> On 07-Mar-11 21:49, Eric Shubert wrote:
>> Great job, Pak. Thanks, Toma.
>> Pak, will you get this incorporated into the wiki? TIA.
>
> Ok Eric, it's done, but since I just copy-pasted it as is and re-formatted it, I didn't know what that fail2ban means (I haven't tried it either), but I saw something weird. So I would like to ask Sergio, Toma and others who understand fail2ban.
>
> @Sergio, you created a filter named /etc/fail2ban/filter.d/vpopmail-fail.conf but the regex is searching for
> vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
> and how come on action you are blocking the smtp port rather than the pop3 port?
> action = iptables[name=SMTP, port=smtp, protocol=tcp]
>
> @Toma, I have changed logpath = /your/path/to/pop3/logs into logpath = /var/log/maillog because that is the log where I can find the error "vpopmail user not found" on a qmt system. btw I have changed action = shorewall into action = iptables[name=SMTP, port=smtp, protocol=tcp] and the question is also the same, why did you block the smtp port for an error in the pop3 log?
>
> I think we need to standardize fail2ban rules for QMT

Hi Pak,

I created the filter to block IPs that try to log into the SMTP, guessing passwords. That's why I use a regex that searches for 'password fail' and blocks SMTP and not POP3.

I think there's a standard fail2ban filter that blocks POP3 logins, but I could not make it work.

Regards,
Sergio

PS: Thanks for the formatting BTW!
Re: [qmailtoaster] Re: SMTP attack
Eric Shubert wrote:
> Timing is good on this. :)
> http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit
> Have at it. I've added a link to this page under the Configuration -> Security section. It's a start (albeit not much of one).

Hey guys, I created a basic article, but have trouble with formatting. Can anyone take a look at it? This is how I meant it to look ;-)

== '''Basic fail2ban installation and setup''' ==

fail2ban homepage: http://www.fail2ban.org. Please check [0] and [1] for more details.

== 1. Installation. ==

Enable the EPEL repos [1] and then 'yum install fail2ban'

== 2. Setup: ==

To work with Qmail/vpopmail, a filter and jail should be defined.

'''a.''' # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf

[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =

'''b.''' # mcedit /etc/fail2ban/jail.conf (add this)

[vpopmail-fail]
enabled = true
filter = vpopmail-fail
action = iptables[name=SMTP, port=smtp, protocol=tcp]
logpath = /var/log/maillog
maxretry = 1
bantime = 604800
findtime = 3600

'''c. Test the filter file:'''

# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf

Returns something like this, with n matches for the regex or 0 if no matches:

Failregex
|- Regular expressions:
|  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
|
`- Number of matches:
   [1] 123 match(es)

'''d. Reload config:'''

# fail2ban-client stop/start

'''e. Check the status of a jail:'''

# fail2ban-client status vpopmail-fail
Status for the jail: vpopmail-fail
|- filter
|  |- File list: /var/log/maillog
|  |- Currently failed: 7
|  `- Total failed: 225
`- action
   |- Currently banned: 109
   |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
   `- Total banned: 109

'''NOTE:''' Once it starts running and the logs have matching strings, it will create iptables rules dropping that IP. But... when fail2ban reloads and/or iptables restarts and/or rebooting and/or the weekly logrotate, those rules are gone. Bye bye! So... what to do?
- Before changes, do a '# service iptables save' and it will write them to a file, and after any change do '# service iptables restart' to make it load the saved set of rules;
- Tune fail2ban to write IPs to /etc/fail2ban/ip.deny [3].

== 3. A little basic admin stuff ==

'''a. Check banned IPs:'''
- by fail2ban: # fail2ban-client status vpopmail-fail
- current iptables rules: # iptables -L -nv
- To see IPs that fail2ban is saving for the next reload: # cat /etc/fail2ban/ip.deny

'''b. How to unblock an IP:'''
1) Delete it from the current iptables rules: # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
2) Remove it from /etc/fail2ban/ip.deny (maybe listed several times).
3) Remove it from /etc/sysconfig/iptables (maybe listed several times).

== 4. References: ==
[0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
[1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
[2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
[3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/
Re: [qmailtoaster] Re: SMTP attack
Eric Shubert wrote:
> Timing is good on this. :)
> http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit
> Have at it. I've added a link to this page under the Configuration -> Security section. It's a start (albeit not much of one).

I wrote some basic stuff, but it needs proper wiki formatting, especially the code snippets and quotes.

Thanks!

--
Sergio M mailto:sergio...@gmail.com
P: Do you really need to print this e-mail? Let's save paper.
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi Sergio.
> If I am reading your logfile correctly, you should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (fail2ban-client reload on the CLI).
> Regards, Finn

Thanks Finn, I will try this one too.

Can anyone share a successful qmail/vpopmail/smtp set of rules for fail2ban?

Thanks!
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi Sergio.
> If I am reading your logfile correctly, you should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (fail2ban-client reload on the CLI).
> Regards, Finn

That didn't work. I tested with fail2ban-regex:

Failregex
|- Regular expressions:
|  [1] vchkpw-smtp: password fail .*@:<HOST>
|
`- Number of matches:
   [1] 0 match(es)

But thanks for the tip Finn.
-Sergio
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi Sergio.
> If I am reading your logfile correctly, you should try to replace *vchkpw-pop3: vpopmail user not found* with *vchkpw-smtp: password fail* and leave everything else. Change this in the filter.d directory and remember to reload fail2ban (fail2ban-client reload on the CLI).
> Regards, Finn

This one got lots of hits in the regex test:

# cat /etc/fail2ban/filter.d/vpopmail-fail.conf
[Definition]
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =

(I took it from the Spanish site I posted before)

I could also use some other set of rules for qmail. The default one does not get any hits.

About fail2ban:
1. Every time I reload it I lose the whole set of banned IPs? Same with rebooting? Can I make them persist?
2. How can I unban a single IP without restarting fail2ban?

Thanks!
-Sergio
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi again Sergio.
> FYI fail2ban unbans the IP after X minutes (X is set in the jail.conf either globally or per 'filter.conf')
> /Finn

Hi, I am banning them for 1 week, but I wanted to know how to unban someone right away if a customer complains.

Thanks!
[qmailtoaster] Fail2ban and vpopmail
[from this other thread http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html ]

As I said, being under SMTP attack I installed fail2ban and created a set of rules like:

*** jail.conf ***
(...)
[vpopmail]
enabled = true
port = pop3
filter = vpopmail
action = iptables[name=pop3, port=pop3, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime = 604800
findtime = 3600

[vpopmail-fail]
enabled = true
filter = vpopmail-fail
action = iptables[name=SMTP, port=25, protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
bantime = 604800
findtime = 3600

*** vpopmail-fail.conf ***
[Definition]
failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =

*** vpopmail.conf ***
[Definition]
failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>
ignoreregex =

Setup being said, I get lots of hits for the vpopmail-fail jail:

# fail2ban-client status vpopmail-fail
Status for the jail: vpopmail-fail
|- filter
|  |- File list: /var/log/maillog
|  |- Currently failed: 7
|  `- Total failed: 225
`- action
   |- Currently banned: 109
   |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
   `- Total banned: 109

Not surprisingly, many of them are Brazilian IPs.

However, check this out:

# date
Wed Mar 2 10:27:09 ART 2011
tail /var/log/qmail/smtp/current -F | tai64nlocal
2011-03-02 10:22:49.480688500 tcpserver: end 14729 status 0
2011-03-02 10:22:49.480691500 tcpserver: status: 24/25
2011-03-02 10:22:49.480714500 tcpserver: status: 25/25
2011-03-02 10:22:49.480917500 tcpserver: pid 15808 from 187.4.200.17
2011-03-02 10:22:49.481000500 tcpserver: ok 15808 mail.domain.com.ar:11.22.33.44:25 :187.4.200.17::3220
2011-03-02 10:26:29.551470500 tcpserver: end 15477 status 0
2011-03-02 10:26:29.551473500 tcpserver: status: 24/25
2011-03-02 10:26:29.551502500 tcpserver: status: 25/25
2011-03-02 10:26:29.551726500 tcpserver: pid 16348 from 186.191.158.84
2011-03-02 10:26:29.631488500 tcpserver: ok 16348 mail.domain.com.ar:11.22.33.44:25 :186.191.158.84::59586

Look at the speed of my smtp session log!! Like 2 entries in 4 minutes!

I tried qmailctl stop/start several times, and no msgs in queue (checked with qmHandle -l). Without fail2ban, it kept at 25 of 25 but just kept flowing.

Any ideas?

Thanks!
-Sergio
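The filter and jail settings posted in this thread (the vpopmail-fail failregex, maxretry and findtime), worked through as an added example that is not part of the thread or of fail2ban itself: a small Python re-implementation of the failregex match and of the maxretry/findtime window, run over constructed maillog lines. It also shows why the shorter `.*@:<HOST>` variant from the thread gets 0 matches. The IPv4-only `<HOST>` group, the year 2011 and the `(pass: '...')` token in the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban substitutes a capturing group for the <HOST> tag before compiling a
# failregex. Assumption: an IPv4-only group; fail2ban's own also takes hostnames.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the thread's vpopmail-fail.conf. Its "([^)]*)" group, via
# backtracking, skips the "(pass: '...')" token between "fail" and the login.
SMTP_FAILREGEX = r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"

# The shorter variant that returned 0 matches in the thread: ".*@:<HOST>" needs
# a literal "@:" with nothing between them, which "user@domain:ip" never has.
BROKEN_FAILREGEX = r"vchkpw-smtp: password fail .*@:<HOST>"

# Constructed sample maillog lines (syslog format, RFC 5737 test addresses).
# The "(pass: '...')" token is an assumption about vchkpw's log format inferred
# from the regex, not taken from the thread.
SAMPLE_LOG = """\
Mar  2 09:00:00 mail vpopmail[3900]: vchkpw-smtp: password fail (pass: 'x') admin@example.com.ar:203.0.113.5
Mar  2 10:20:01 mail vpopmail[4100]: vchkpw-smtp: password fail (pass: 'abc123') info@example.com.ar:192.0.2.10
Mar  2 10:20:05 mail vpopmail[4103]: vchkpw-pop3: vpopmail user not found nobody@example.com.ar:198.51.100.7
Mar  2 10:20:09 mail vpopmail[4107]: vchkpw-smtp: password fail (pass: 'abc124') info@example.com.ar:192.0.2.10
Mar  2 10:21:40 mail vpopmail[4120]: vchkpw-smtp: password fail (pass: 'letmein') ventas@example.com.ar:198.51.100.7
Mar  2 10:22:49 mail vpopmail[4131]: vchkpw-smtp: password fail (pass: 'abc125') info@example.com.ar:192.0.2.10
Mar  2 11:30:00 mail vpopmail[4500]: vchkpw-smtp: password fail (pass: 'y') admin@example.com.ar:203.0.113.5
"""


def compile_failregex(failregex):
    """Mimic fail2ban: swap the <HOST> tag for the host group, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def parse_timestamp(line, year=2011):
    """Syslog lines carry no year; the year is assumed (2011 in the thread)."""
    month, day, clock = line.split()[:3]
    stamp = datetime.strptime(f"{month} {day} {clock}", "%b %d %H:%M:%S")
    return stamp.replace(year=year)


def matches(failregex, log):
    """Yield (timestamp, host) for every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            yield parse_timestamp(line), m.group("host")


def count_matches(failregex, log):
    """The figure 'fail2ban-regex <log> <filter>' reports as Number of matches."""
    return sum(1 for _ in matches(failregex, log))


def hosts_to_ban(failregex, log, maxretry, findtime):
    """Return {host: time of ban}: a host is banned once it reaches maxretry
    failures inside a findtime-second window, as the thread's jail is set up.
    bantime expiry is not modelled: a banned host stays banned here."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, host in matches(failregex, log):
        if host in banned:
            continue
        # keep only this host's failures that fall inside the findtime window
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for name, rx in (("vpopmail-fail.conf", SMTP_FAILREGEX),
                     ("shorter variant", BROKEN_FAILREGEX)):
        print(f"{name}: {count_matches(rx, SAMPLE_LOG)} match(es)")
    # maxretry=2 / findtime=3600 as in the thread's [vpopmail-fail] jail
    for host, when in hosts_to_ban(SMTP_FAILREGEX, SAMPLE_LOG, 2, 3600).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

With the thread's jail values only 192.0.2.10 is banned: 198.51.100.7 fails once and 203.0.113.5 fails twice but 2.5 hours apart, outside the findtime window.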
[qmailtoaster] Re: Fail2ban and vpopmail
Sergio M wrote:
> [from this other thread http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html ]
>
> As I said, being under SMTP attack I installed fail2ban and created a set of rules like:
>
> *** jail.conf ***
> (...)
> [vpopmail]
> enabled = true
> port = pop3
> filter = vpopmail
> action = iptables[name=pop3, port=pop3, protocol=tcp]
> logpath = /var/log/maillog
> maxretry = 3
> bantime = 604800
> findtime = 3600
>
> [vpopmail-fail]
> enabled = true
> filter = vpopmail-fail
> action = iptables[name=SMTP, port=25, protocol=tcp]
> logpath = /var/log/maillog
> maxretry = 2
> bantime = 604800
> findtime = 3600
>
> *** vpopmail-fail.conf ***
> [Definition]
> failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
> ignoreregex =
>
> *** vpopmail.conf ***
> [Definition]
> failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>
> ignoreregex =
>
> Setup being said, I get lots of hits for the vpopmail-fail jail:
>
> # fail2ban-client status vpopmail-fail
> Status for the jail: vpopmail-fail
> |- filter
> |  |- File list: /var/log/maillog
> |  |- Currently failed: 7
> |  `- Total failed: 225
> `- action
>    |- Currently banned: 109
>    |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
>    `- Total banned: 109
>
> Not surprisingly, many of them are Brazilian IPs.
>
> However, check this out:
>
> # date
> Wed Mar 2 10:27:09 ART 2011
> tail /var/log/qmail/smtp/current -F | tai64nlocal
> 2011-03-02 10:22:49.480688500 tcpserver: end 14729 status 0
> 2011-03-02 10:22:49.480691500 tcpserver: status: 24/25
> 2011-03-02 10:22:49.480714500 tcpserver: status: 25/25
> 2011-03-02 10:22:49.480917500 tcpserver: pid 15808 from 187.4.200.17
> 2011-03-02 10:22:49.481000500 tcpserver: ok 15808 mail.domain.com.ar:11.22.33.44:25 :187.4.200.17::3220
> 2011-03-02 10:26:29.551470500 tcpserver: end 15477 status 0
> 2011-03-02 10:26:29.551473500 tcpserver: status: 24/25
> 2011-03-02 10:26:29.551502500 tcpserver: status: 25/25
> 2011-03-02 10:26:29.551726500 tcpserver: pid 16348 from 186.191.158.84
> 2011-03-02 10:26:29.631488500 tcpserver: ok 16348 mail.domain.com.ar:11.22.33.44:25 :186.191.158.84::59586
>
> Look at the speed of my smtp session log!! Like 2 entries in 4 minutes!
>
> I tried qmailctl stop/start several times, and no msgs in queue (checked with qmHandle -l). Without fail2ban, it kept at 25 of 25 but just kept flowing.
>
> Any ideas?
>
> Thanks!
> -Sergio

Forgot to mention that it's creating this in iptables:

Chain fail2ban-SMTP (1 references)
 pkts bytes target prot opt in out source destination
    9   384 DROP all -- * * 81.45.219.82 0.0.0.0/0
   10   478 DROP all -- * * 190.179.80.9 0.0.0.0/0
    9   384 DROP all -- * * 200.144.5.57 0.0.0.0/0
    5   212 DROP all -- * * 200.168.49.43 0.0.0.0/0
   11   524 DROP all -- * * 200.45.250.178 0.0.0.0/0
   10   478 DROP all -- * * 200.174.158.18 0.0.0.0/0
   11   521 DROP all -- * * 82.184.45.210 0.0.0.0/0
    8   380 DROP all -- * * 189.16.28.34 0.0.0.0/0
   12   576 DROP all -- * * 187.52.10.144 0.0.0.0/0
   11   470 DROP all -- * * 189.19.225.45 0.0.0.0/0
   10   424 DROP all -- * * 189.83.13.110 0.0.0.0/0
   11   470 DROP all -- * * 186.125.100.82 0.0.0.0/0
   12   576 DROP all -- * * 62.28.171.213 0.0.0.0/0
   11   470 DROP all -- * * 201.43.250.172 0.0.0.0/0
   12   576 DROP all -- * * 187.65.76.33 0.0.0.0/0
   12   576 DROP all -- * * 190.71.218.173 0.0.0.0/0
   11   470 DROP all -- * * 189.51.133.83 0.0.0.0/0
   11   470 DROP all -- * * 187.35.140.15 0.0.0.0/0
   11   470 DROP all -- * * 186.213.97.210 0.0.0.0/0
   11   470 DROP all -- * * 186.212.0.15 0.0.0.0/0
   11   470 DROP all -- * * 83.43.131.102 0.0.0.0/0
   17   758 DROP all -- * * 187.45.22.194 0.0.0.0/0
        286 DROP all -- * * 201.27.158.204 0.0.0.0/0
   11   470 DROP all -- * * 189.162.44.98 0.0.0.0/0
   22   958 DROP all -- * * 200.163.136.98 0.0.0.0/0
    5   230 DROP all -- * * 189.19.189.84 0.0.0.0/0
 8759   11M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SPAM (1 references)
 pkts bytes target prot opt in out source destination
10593   11M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-pop3 (1 references)
 pkts bytes target prot opt in out
Re: [qmailtoaster] SMTP attack
Finn Buhelt (kirstineslund) wrote:
> Hi Sergio.
> 1. There is a *.conf file somewhere on the net that checks fail2ban's own logfile and to a certain extent prevents this from happening. (sorry, can't remember where, but will do some investigation and let you know if I'm successful)

Finn, I think this is what you said:
http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban

What do you think about this one? Maybe I like it better:
http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/

And to keep the bans upon reloads, if you do a service iptables save and then service iptables restart, it just loads them again after the fail2ban-client flushed the iptables rules.

Thanks.
Sergio
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert wrote:
> On 03/02/2011 06:31 AM, Sergio M wrote:
>> [from this other thread http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html ]
>>
>> As I said, being under SMTP attack I installed fail2ban and created a set of rules like:
>>
>> *** jail.conf ***
>> (...)
>> [vpopmail]
>> enabled = true
>> port = pop3
>> filter = vpopmail
>> action = iptables[name=pop3, port=pop3, protocol=tcp]
>> logpath = /var/log/maillog
>> maxretry = 3
>> bantime = 604800
>> findtime = 3600
>>
>> [vpopmail-fail]
>> enabled = true
>> filter = vpopmail-fail
>> action = iptables[name=SMTP, port=25, protocol=tcp]
>> logpath = /var/log/maillog
>> maxretry = 2
>> bantime = 604800
>> findtime = 3600
>>
>> *** vpopmail-fail.conf ***
>> [Definition]
>> failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
>> ignoreregex =
>>
>> *** vpopmail.conf ***
>> [Definition]
>> failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>
>> ignoreregex =
>>
>> Setup being said, I get lots of hits for the vpopmail-fail jail:
>>
>> # fail2ban-client status vpopmail-fail
>> Status for the jail: vpopmail-fail
>> |- filter
>> |  |- File list: /var/log/maillog
>> |  |- Currently failed: 7
>> |  `- Total failed: 225
>> `- action
>>    |- Currently banned: 109
>>    |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
>>    `- Total banned: 109
>>
>> Not surprisingly, many of them are Brazilian IPs.
>>
>> However, check this out:
>>
>> # date
>> Wed Mar 2 10:27:09 ART 2011
>> tail /var/log/qmail/smtp/current -F | tai64nlocal
>> 2011-03-02 10:22:49.480688500 tcpserver: end 14729 status 0
>> 2011-03-02 10:22:49.480691500 tcpserver: status: 24/25
>> 2011-03-02 10:22:49.480714500 tcpserver: status: 25/25
>> 2011-03-02 10:22:49.480917500 tcpserver: pid 15808 from 187.4.200.17
>> 2011-03-02 10:22:49.481000500 tcpserver: ok 15808 mail.domain.com.ar:11.22.33.44:25 :187.4.200.17::3220
>> 2011-03-02 10:26:29.551470500 tcpserver: end 15477 status 0
>> 2011-03-02 10:26:29.551473500 tcpserver: status: 24/25
>> 2011-03-02 10:26:29.551502500 tcpserver: status: 25/25
>> 2011-03-02 10:26:29.551726500 tcpserver: pid 16348 from 186.191.158.84
>> 2011-03-02 10:26:29.631488500 tcpserver: ok 16348 mail.domain.com.ar:11.22.33.44:25 :186.191.158.84::59586
>>
>> Look at the speed of my smtp session log!! Like 2 entries in 4 minutes!
>>
>> I tried qmailctl stop/start several times, and no msgs in queue (checked with qmHandle -l). Without fail2ban, it kept at 25 of 25 but just kept flowing.
>>
>> Any ideas?
>>
>> Thanks!
>> -Sergio
>
> Looks to me like you have some qmail-smtp processes that are hung. I would stop qmail, wait a few seconds for things to terminate on their own, then see what's still running. I'd expect to see some qmail-smtpd processes hanging around.
> # pkill qmail-smtpd
> should clean them up. Then start qmail back up again.

Hi Eric, I did that several times.

1. qmailctl stop
2. qmailctl stat (nothing running)
3. pkill qmail-smtpd
4. htop (and look for qmail)
4'. wait a minute
5. qmailctl start
6.
2011-03-02 13:43:42.362756500 tcpserver: status: 24/25
2011-03-02 13:43:42.362758500 tcpserver: status: 25/25
2011-03-02 13:43:42.362759500 tcpserver: pid 25649 from 200.175.53.14
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert wrote:
> You should see:
> 03-02 10:09:37 tcpserver: status: 0/25
> right after you start qmail. If it doesn't drop to 0 when you start it, then something's wrong. Please check the status message which corresponds to the start of qmail. If it's not 0/25, please post several lines before and after from your log.
>
> I don't know about using htop to look for qmail processes. Perhaps you've missed something. I would try:
> # ps -ef | grep qmail
> to see what processes are running that are qmail related, in place of your step 4 above.

I'm sorry, it starts at 0/25 and then goes straight up to 25/25. What's more annoying is that it just stays frozen for several minutes (i.e. from 10:22 to 10:26 in the excerpt that I posted earlier).
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert escribió:
On 03/02/2011 10:22 AM, Sergio M wrote:
Eric Shubert escribió:
You should see:
03-02 10:09:37 tcpserver: status: 0/25
right after you start qmail. If it doesn't drop to 0 when you start it, then something's wrong. Please check the status message which corresponds to the start of qmail. If it's not 0/25, please post several lines before and after from your log. I don't know about using htop to look for qmail processes. Perhaps you've missed something. I would try:
# ps -ef | grep qmail
to see what processes are running that are qmail related, in place of your step 4 above.

I'm sorry, it starts at 0/25 and then goes up straight to 25/25. What's more annoying is that it just stays frozen for several minutes (i.e. from 10:22 to 10:26 in the excerpt that I posted earlier).

-

How long does it take to go from 0 to 25? Please post log.

[*sergio*]
2011-03-02 15:00:21.889861500 tcpserver: status: 0/25
2011-03-02 15:00:21.936976500 tcpserver: status: 1/25
2011-03-02 15:00:21.937192500 tcpserver: pid 4 from 190.220.98.37
2011-03-02 15:00:21.937296500 tcpserver: ok 4 mail.srv.com:11.22.33.44:25 :190.220.98.37::2111
2011-03-02 15:00:21.939641500 tcpserver: status: 2/25
2011-03-02 15:00:21.939831500 tcpserver: pid 5 from 200.68.95.162
2011-03-02 15:00:21.939903500 tcpserver: ok 5 mail.srv.com:11.22.33.44:25 :200.68.95.162::3643
2011-03-02 15:00:22.333105500 CHKUSER accepted rcpt: from activacio...@annoy.com:activacio...@annoy.com: remote wksact11:unknown:200.68.95.162 rcpt aalle...@annoy.com : found existing recipient
2011-03-02 15:00:22.333137500 policy_check: local activacio...@annoy.com - local aalle...@annoy.com (AUTHENTICATED SENDER)
2011-03-02 15:00:22.333187500 policy_check: policy allows transmission
2011-03-02 15:00:22.364550500 CHKUSER accepted rcpt: from activacio...@annoy.com:activacio...@annoy.com: remote wksact11:unknown:200.68.95.162 rcpt btorrecil...@annoy.com : found existing recipient
2011-03-02 15:00:22.364567500 policy_check: local activacio...@annoy.com - local btorrecil...@annoy.com (AUTHENTICATED SENDER)
2011-03-02 15:00:22.364607500 policy_check: policy allows transmission
2011-03-02 15:00:22.368362500 tcpserver: status: 3/25
2011-03-02 15:00:22.368573500 tcpserver: pid 11125 from 200.68.95.162
2011-03-02 15:00:22.368672500 tcpserver: ok 11125 mail.srv.com:11.22.33.44:25 :200.68.95.162::2918
2011-03-02 15:00:22.520284500 tcpserver: status: 4/25
2011-03-02 15:00:22.520466500 tcpserver: pid 11128 from 200.50.190.6
2011-03-02 15:00:22.520560500 tcpserver: ok 11128 mail.srv.com:11.22.33.44:25 :200.50.190.6::19057
2011-03-02 15:00:22.756345500 CHKUSER accepted rcpt: from claudianu...@suservicio-sa.co.jp:administrac...@suservicio-sa.co.jp: remote [192.168.1.119]:unknown:190.220.98.37 rcpt pamelaballeste...@suservicio-sa.co.jp : found existing recipient
2011-03-02 15:00:22.756380500 policy_check: local administrac...@suservicio-sa.co.jp - local pamelaballeste...@suservicio-sa.co.jp (AUTHENTICATED SENDER)
2011-03-02 15:00:22.756496500 policy_check: policy allows transmission
2011-03-02 15:00:22.827357500 tcpserver: status: 5
Re: [qmailtoaster] Re: Fail2ban and vpopmail
#!/bin/sh
exec /usr/bin/spamd -x -m 8 -u vpopmail -s stderr 2>&1

That's a good start. What are your load numbers looking like? Pretty low I expect. I'd open that puppy up. You can handle way more than 25 connections. I'd go back to the default value of 100 for starters, and double the number of spamd children. Then keep an eye on things. You don't want to get so many spamd instances running that you start swapping ram. Find a good comfortable number for spamd children (this is what will eat your ram and cpu), then adjust your total smtp sessions to fit. You should have many more (2-4x) smtp sessions available as spamd children. With that many domains and users, there is probably a good deal of mail queued up in other servers, which is why you're getting pounded so hard. You might need to turn off spamassassin temporarily to get past the wave, but I'd only do that as a last resort. What you have here is a good opportunity to do some serious tuning. :)

Well Eric, thanks for your reply. Load:

# top
top - 16:01:49 up 4 days, 19:13, 1 user, load average: 0.18, 0.33, 0.42
Tasks: 264 total, 1 running, 263 sleeping, 0 stopped, 0 zombie
Cpu(s): 2.1%us, 0.5%sy, 0.0%ni, 93.1%id, 4.3%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 1026432k total, 987040k used, 39392k free, 18456k buffers
Swap: 2064376k total, 36592k used, 2027784k free, 275032k cached

Would you suggest stepping spamd children from 8 to 16 and incoming connections to 64? Serious tuning (or tuning at all) is the hardest part! Thanks!
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert escribió:
On 03/02/2011 12:04 PM, Sergio M wrote:
#!/bin/sh
exec /usr/bin/spamd -x -m 8 -u vpopmail -s stderr 2>&1

That's a good start. What are your load numbers looking like? Pretty low I expect. I'd open that puppy up. You can handle way more than 25 connections. I'd go back to the default value of 100 for starters, and double the number of spamd children. Then keep an eye on things. You don't want to get so many spamd instances running that you start swapping ram. Find a good comfortable number for spamd children (this is what will eat your ram and cpu), then adjust your total smtp sessions to fit. You should have many more (2-4x) smtp sessions available as spamd children. With that many domains and users, there is probably a good deal of mail queued up in other servers, which is why you're getting pounded so hard. You might need to turn off spamassassin temporarily to get past the wave, but I'd only do that as a last resort. What you have here is a good opportunity to do some serious tuning. :)

Well Eric, thanks for your reply. Load:

# top
top - 16:01:49 up 4 days, 19:13, 1 user, load average: 0.18, 0.33, 0.42
Tasks: 264 total, 1 running, 263 sleeping, 0 stopped, 0 zombie
Cpu(s): 2.1%us, 0.5%sy, 0.0%ni, 93.1%id, 4.3%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 1026432k total, 987040k used, 39392k free, 18456k buffers
Swap: 2064376k total, 36592k used, 2027784k free, 275032k cached

Would you suggest stepping spamd children from 8 to 16 and incoming connections to 64? Serious tuning (or tuning at all) is the hardest part! Thanks!

-

I'm presuming you have nothing else on this host besides QMT, right? I'd go with 20 spamd children and 100 incoming connections for a start, and see what happens. I expect more adjustments will be needed, but let's see what happens with that. Need to look at what (if anything, like smtp sessions, spamd children) is maxing out at that point, what cpu and ram use looks like, and load.

Server only has QMT and is a NS. Well, I started as I said with 64 concurrencyincoming and 16 spamd children. Look:

2011-03-02 16:22:12.031650500 tcpserver: status: 0/64
2011-03-02 16:22:12.390714500 tcpserver: status: 1/64
2011-03-02 16:22:12.390922500 tcpserver: pid 27873 from 189.62.183.77
2011-03-02 16:22:12.391015500 tcpserver: ok 27873 mail.srv.com:11.22.33.44:25 :189.62.183.77::52708
(...)
2011-03-02 16:23:18.311763500 tcpserver: status: 62/64
2011-03-02 16:23:18.311765500 tcpserver: pid 29682 from 190.228.129.235
2011-03-02 16:23:18.311766500 tcpserver: ok 29682 mail.srv.com:11.22.33.44:25 :190.228.129.235::36885
2011-03-02 16:23:18.333234500 tcpserver: status: 63/64
2011-03-02 16:23:18.333424500 tcpserver: pid 29683 from 190.228.129.235
2011-03-02 16:23:18.333495500 tcpserver: ok 29683 mail.srv.com:11.22.33.44:25 :190.228.129.235::36888
2011-03-02 16:23:18.344837500 tcpserver: status: 64/64
2011-03-02 16:23:18.345021500 tcpserver: pid 29684 from 190.228.129.235
(...)
2011-03-02 16:29:55.588523500 tcpserver: status: 63/64
2011-03-02 16:29:55.588524500 tcpserver: status: 64/64
2011-03-02 16:29:55.588641500 tcpserver: pid 31540 from 201.3.48.146
2011-03-02 16:29:55.588727500 tcpserver: ok 31540 mail.netkey.com.ar:200.80.35.42:25 :201.3.48.146::43940
2011-03-02 16:29:57.377222500 tcpserver: end 29432 status 0
2011-03-02 16:29:57.377225500 tcpserver: status: 63/64
2011-03-02 16:29:57.377249500 tcpserver: status: 64/64
2011-03-02 16:29:57.377445500 tcpserver: pid 31551 from 200.69.10.175
2011-03-02 16:29:57.377530500 tcpserver: ok 31551 mail.netkey.com.ar:200.80.35.42:25 :200.69.10.175::47860

# top
top - 16:31:33 up 4 days, 19:43, 1 user, load average: 0.51, 0.77, 0.67
Tasks: 348 total, 1 running, 347 sleeping, 0 stopped, 0 zombie
Cpu(s): 6.1%us, 1.0%sy, 0.0%ni, 84.9%id, 7.7%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 1026432k total, 1018164k used, 8268k free, 16096k buffers
Swap: 2064376k total, 36592k used, 2027784k free, 265360k cached

So, should I increase to 100 and 20 children anyway? Thanks Eric.
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert escribió:
On 03/02/2011 12:32 PM, Sergio M wrote:
Eric Shubert escribió:
On 03/02/2011 12:04 PM, Sergio M wrote:
#!/bin/sh
exec /usr/bin/spamd -x -m 8 -u vpopmail -s stderr 2>&1

That's a good start. What are your load numbers looking like? Pretty low I expect. I'd open that puppy up. You can handle way more than 25 connections. I'd go back to the default value of 100 for starters, and double the number of spamd children. Then keep an eye on things. You don't want to get so many spamd instances running that you start swapping ram. Find a good comfortable number for spamd children (this is what will eat your ram and cpu), then adjust your total smtp sessions to fit. You should have many more (2-4x) smtp sessions available as spamd children. With that many domains and users, there is probably a good deal of mail queued up in other servers, which is why you're getting pounded so hard. You might need to turn off spamassassin temporarily to get past the wave, but I'd only do that as a last resort. What you have here is a good opportunity to do some serious tuning. :)

Well Eric, thanks for your reply. Load:

# top
top - 16:01:49 up 4 days, 19:13, 1 user, load average: 0.18, 0.33, 0.42
Tasks: 264 total, 1 running, 263 sleeping, 0 stopped, 0 zombie
Cpu(s): 2.1%us, 0.5%sy, 0.0%ni, 93.1%id, 4.3%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 1026432k total, 987040k used, 39392k free, 18456k buffers
Swap: 2064376k total, 36592k used, 2027784k free, 275032k cached

Would you suggest stepping spamd children from 8 to 16 and incoming connections to 64? Serious tuning (or tuning at all) is the hardest part! Thanks!

-

I'm presuming you have nothing else on this host besides QMT, right? I'd go with 20 spamd children and 100 incoming connections for a start, and see what happens. I expect more adjustments will be needed, but let's see what happens with that. Need to look at what (if anything, like smtp sessions, spamd children) is maxing out at that point, what cpu and ram use looks like, and load.

Server only has QMT and is a NS. Well, I started as I said with 64 concurrencyincoming and 16 spamd children. Look:

2011-03-02 16:22:12.031650500 tcpserver: status: 0/64
2011-03-02 16:22:12.390714500 tcpserver: status: 1/64
2011-03-02 16:22:12.390922500 tcpserver: pid 27873 from 189.62.183.77
2011-03-02 16:22:12.391015500 tcpserver: ok 27873 mail.srv.com:11.22.33.44:25 :189.62.183.77::52708
(...)
2011-03-02 16:23:18.311763500 tcpserver: status: 62/64
2011-03-02 16:23:18.311765500 tcpserver: pid 29682 from 190.228.129.235
2011-03-02 16:23:18.311766500 tcpserver: ok 29682 mail.srv.com:11.22.33.44:25 :190.228.129.235::36885
2011-03-02 16:23:18.333234500 tcpserver: status: 63/64
2011-03-02 16:23:18.333424500 tcpserver: pid 29683 from 190.228.129.235
2011-03-02 16:23:18.333495500 tcpserver: ok 29683 mail.srv.com:11.22.33.44:25 :190.228.129.235::36888
2011-03-02 16:23:18.344837500 tcpserver: status: 64/64
2011-03-02 16:23:18.345021500 tcpserver: pid 29684 from 190.228.129.235
(...)
2011-03-02 16:29:55.588523500 tcpserver: status: 63/64
2011-03-02 16:29:55.588524500 tcpserver: status: 64/64
2011-03-02 16:29:55.588641500 tcpserver: pid 31540 from 201.3.48.146
2011-03-02 16:29:55.588727500 tcpserver: ok 31540 server.com:11.22.33.44:25 :201.3.48.146::43940
2011-03-02 16:29:57.377222500 tcpserver: end 29432 status 0
2011-03-02 16:29:57.377225500 tcpserver: status: 63/64
2011-03-02 16:29:57.377249500 tcpserver: status: 64/64
2011-03-02 16:29:57.377445500 tcpserver: pid 31551 from 200.69.10.175
2011-03-02 16:29:57.377530500 tcpserver: ok 31551 server.com:11.22.33.44:25 :200.69.10.175::47860

# top
top - 16:31:33 up 4 days, 19:43, 1 user, load average: 0.51, 0.77, 0.67
Tasks: 348 total, 1 running, 347 sleeping, 0 stopped, 0 zombie
Cpu(s): 6.1%us, 1.0%sy, 0.0%ni, 84.9%id, 7.7%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 1026432k total, 1018164k used, 8268k free, 16096k buffers
Swap: 2064376k total, 36592k used, 2027784k free, 265360k cached

So, should I increase to 100 and 20 children anyway? Thanks Eric.

-

Sure. The thing's barely working. CPU is 85% idle, and no apparent paging yet. How many spamd children have kicked in? Might want to increase --min-children number to 12 or so, or whatever number ends up being your average number that are running. You can easily see this in the spamd log. Keep in mind, there's loads of messages that have backed up, so you'll be seeing inordinately high activity for a while, perhaps several hours.

Here's an excerpt from /var/log/qmail/spamd/current. Which number are you telling me about?

2011-03-02 16:51:27.025666500 [2627] info: prefork: child states: II
2011-03-02 16:51:33.587155500 [3286] info: spamd: connection from server
Re: [qmailtoaster] Re: Fail2ban and vpopmail
I can say that with 64 concurrencyincoming and 16 spamd children (and a magic reboot, just in case) it's now flowing smoothly and the sessions are under 40/64 most of the time (for now).

# top
top - 17:19:24 up 43 min, 1 user, load average: 0.55, 0.73, 0.95
Tasks: 269 total, 1 running, 268 sleeping, 0 stopped, 0 zombie
Cpu(s): 5.2%us, 0.9%sy, 0.0%ni, 81.8%id, 11.9%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 1026432k total, 965996k used, 60436k free, 29036k buffers
Swap: 2064376k total, 120k used, 2064256k free, 393428k cached

I want to thank you guys, and especially Eric for backing me up on this one. But I should say that we'd all like to see some fail2ban config files and working setups for qmail and vpopmail. Haven't got much of that yet. Thanks! Sergio
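The tcpserver status lines posted throughout this thread can be checked mechanically instead of by eye. The following is an added example, not code from the thread, from QMT or from any of the posters: a Python script that replays a tai64nlocal-converted smtp/current log, totals the time the incoming-session limit was saturated, counts sessions per source IP, and flags sessions that ran longer than a threshold (the hung qmail-smtpd sessions Eric suspected) as well as sessions still open at the end of the log. The sample log is constructed from the lines Sergio posted plus one added "end" line; the 120-second threshold is an arbitrary assumption.

```python
"""Summarise tcpserver activity from a qmail-smtpd log (after tai64nlocal)."""
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample: the lines quoted in the thread plus one added "end" line
# (pid 15808) so that a completed long-running session exists in the data.
SAMPLE_LOG = """\
2011-03-02 10:22:49.480688500 tcpserver: end 14729 status 0
2011-03-02 10:22:49.480691500 tcpserver: status: 24/25
2011-03-02 10:22:49.480714500 tcpserver: status: 25/25
2011-03-02 10:22:49.480917500 tcpserver: pid 15808 from 187.4.200.17
2011-03-02 10:22:49.481000500 tcpserver: ok 15808 mail.domain.com.ar:11.22.33.44:25 :187.4.200.17::3220
2011-03-02 10:26:29.551470500 tcpserver: end 15477 status 0
2011-03-02 10:26:29.551473500 tcpserver: status: 24/25
2011-03-02 10:26:29.551502500 tcpserver: status: 25/25
2011-03-02 10:26:29.551726500 tcpserver: pid 16348 from 186.191.158.84
2011-03-02 10:26:29.631488500 tcpserver: ok 16348 mail.domain.com.ar:11.22.33.44:25 :186.191.158.84::59586
2011-03-02 10:26:30.000000500 tcpserver: end 15808 status 0
2011-03-02 10:26:30.000001500 tcpserver: status: 24/25
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6})\d* tcpserver: (.*)$")
STATUS_RE = re.compile(r"status: (\d+)/(\d+)$")   # current/limit
START_RE = re.compile(r"pid (\d+) from (\S+)$")   # new session, source IP
END_RE = re.compile(r"end (\d+) status (\d+)$")   # session finished


def parse_ts(text):
    # multilog writes nine fractional digits; strptime's %f takes six
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def analyze(log_text, hung_after=120.0):
    """Return saturation time, per-IP counts, long and still-open sessions."""
    limit = peak = 0
    saturated_since = None          # time the log last reached limit/limit
    saturated_seconds = 0.0
    open_sessions = {}              # pid -> (ip, start time)
    long_sessions = []              # (pid, ip, seconds) for sessions >= hung_after
    by_ip = Counter()
    last_ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # CHKUSER, policy_check, etc. are ignored
        ts, rest = parse_ts(m.group(1)), m.group(2)
        last_ts = ts
        s = STATUS_RE.match(rest)
        if s:
            cur, limit = int(s.group(1)), int(s.group(2))
            peak = max(peak, cur)
            if cur >= limit and saturated_since is None:
                saturated_since = ts
            elif cur < limit and saturated_since is not None:
                saturated_seconds += (ts - saturated_since).total_seconds()
                saturated_since = None
            continue
        p = START_RE.match(rest)
        if p:
            pid, ip = int(p.group(1)), p.group(2)
            open_sessions[pid] = (ip, ts)
            by_ip[ip] += 1
            continue
        e = END_RE.match(rest)
        if e:
            started = open_sessions.pop(int(e.group(1)), None)
            if started is not None:   # ends for pids started before the log began are skipped
                duration = (ts - started[1]).total_seconds()
                if duration >= hung_after:
                    long_sessions.append((int(e.group(1)), started[0], duration))
    if saturated_since is not None and last_ts is not None:
        saturated_seconds += (last_ts - saturated_since).total_seconds()
    return {
        "limit": limit,
        "peak": peak,
        "saturated_seconds": saturated_seconds,
        "by_ip": dict(by_ip),
        "long_sessions": long_sessions,
        "open_sessions": {pid: ip for pid, (ip, _) in open_sessions.items()},
    }


if __name__ == "__main__":
    # "-" on the command line reads a real log from stdin, e.g.
    #   tai64nlocal < /var/log/qmail/smtp/current | python3 smtp_sessions.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    report = analyze(text)
    print("limit %d, peak %d, saturated for %.1f s" % (
        report["limit"], report["peak"], report["saturated_seconds"]))
    for pid, ip, secs in report["long_sessions"]:
        print("long session pid %d from %s: %.1f s" % (pid, ip, secs))
    for pid, ip in report["open_sessions"].items():
        print("still open at end of log: pid %d from %s" % (pid, ip))
    for ip, n in sorted(report["by_ip"].items(), key=lambda kv: -kv[1]):
        print("%5d sessions from %s" % (n, ip))
```

On the sample the limit of 25 is saturated for about 220 seconds, pid 15808 is reported as a session that lived for the whole gap between 10:22 and 10:26, and pid 16348 is still open when the log ends. A high per-IP count from a single source, as in the 190.228.129.235 burst posted later, is what a fail2ban rule would act on; the "still open" list is what to compare against ps -ef | grep qmail-smtpd before deciding to pkill anything.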
Re: [qmailtoaster] Re: SMTP attack
Eric Shubert escribió:
Sergio,
.) Be sure you're running the latest spamdyke (4.2.0). 4.1.x versions had a bug where rejected sessions would not terminate immediately, causing excessive idle smtp sessions (and ultimately TIMEOUTs). That may not be affecting you, but you should check to be sure. Run qtp-install-spamdyke to upgrade to the latest version.
.) I would recommend installing fail2ban. This will automatically ban IP addresses which have several failed login attempts. There doesn't appear to be a wiki page about this yet (ANY TAKERS??), but you should find info about it in the list archives. Someone here should be able to help if you run into difficulty with it. (Not me though, as I haven't implemented it yet).
.) 25 smtp sessions is rather low. I've seen a Celeron 1GHz processor handle twice that number. You might need to bump up the spamassassin child processes to get there, but it should be doable. What are your HW specs?
That's all that comes to my mind right now. Let us know how you make out.

Thanks Eric! I updated spamdyke this morning. I have a Quad-Core AMD Opteron(tm) Processor 1354, cpu MHz: 1100.000, with 1Gb RAM. Using 25 sessions, on a normal day it never gets past 20 of 25. I thought about raising them, but they will all get used by spammers. What about those child processes you mentioned? I am also looking at fail2ban.

@Carlos: Greylisting is not working because mail is not accepted, but the sessions are used anyway.

Thanks guys!
Re: [qmailtoaster] Re: SMTP attack
I think he said he is not a user yet, but I am looking at: http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html

Tony White escribió:
Eric, Do you have Fail2Ban working with the qmail logs?
On 02/03/2011 12:24 PM, Eric Shubert wrote:
Yes, but the attacks appear to be coming from a variety of addresses. fail2ban will do essentially this automatically and for whatever addresses attacks may come from. fail2ban is a much better solution imo.
Re: [qmailtoaster] SMTP attack
Michael Colvin escribió:
Are all of the username portions of the e-mail addresses legitimate e-mails? IE, it looks like you cleansed the domain portion, but, in the log, are they all, or most, of the e-mails legitimate? I've seen this with random attempts at guessing e-mails and passwords, but not with all legit e-mails. If they are all legit, is the domain yours? Or is it theirs? (IE do you host it as an ISP, or is this the only domain and you control it?)
Michael J. Colvin
NorCal Internet Services
www.norcalisp.com

Hi Michael, they are all legitimate email addresses, for one domain only though. We host it as an ISP. Thanks!
Re: [qmailtoaster] SMTP attack
South Computers escribió:
Sounds like they may have gotten hit with a virus or pissed someone off. I would block the domain from relaying, inform the customer, possibly make them change their email account passwords if it's not a large organization. Ask them to relay through their provider if possible for the time being. Fail2ban would be the best solution for the time being as previously mentioned.

The passwords are all wrong. They are all like:
mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'edos1kd9') eduardos...@domain.com:201.82.74.70
The domain is blocked in spamdyke, unless they authenticate and bypass the filters, so that is covered. But the smtp sessions are used nevertheless. I installed fail2ban (from the repos mentioned in fail2ban.org) but cannot make it work with the smtpd. I tried with http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg23951.html but I think it has a conf file missing and the vpopmail one is for pop3. I also tried with http://notes.benv.junerules.com/all/software/qmail-spamdyke-and-fail2ban/#more-539 but cannot make it work with the RBL_MATCH filter. Any tips from satisfied fail2ban users? Thanks! Sergio
Re: [qmailtoaster] SMTP attack
I found this to use fail2ban to block vpopmail failed passwd attempts, but cannot make it work. It's in Spanish, but the code is in English anyway. http://systemadmin.es/2011/01/anadir-nuevas-reglas-de-filtrado-a-fail2ban Any ideas, especially about the regex? Thanks! -Sergio
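The regex question above can be worked through against the vpopmail line format quoted earlier in the thread ("vchkpw-smtp: password fail (pass: '...') user@domain:ip"). What follows is an added example, not a configuration from the thread, from fail2ban's own filter set or from QMT: a Python script holding a failregex in the form a fail2ban filter file would use, plus the maxretry/findtime counting that decides which hosts would be banned, run over a constructed sample log. Two things are assumptions: fail2ban expands the <HOST> token with its own host-matching group, and this script substitutes a plain IPv4 group in its place so it can run stand-alone; and the vchkpw-pop3 line is assumed to share the smtp line's layout. The sample uses documentation IP ranges and redacted placeholder passwords.

```python
"""fail2ban-style scan of vpopmail authentication failures in a syslog file."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex as it would be written in a fail2ban filter file. It matches
# the "vchkpw-smtp: password fail" line format quoted in the thread;
# vchkpw-\w+ also covers the pop3 variant (assumption: same line layout).
FAILREGEX = r"vchkpw-\w+: password fail \(pass: '[^']*'\) \S+@\S+:<HOST>$"

# fail2ban replaces <HOST> with its own host-matching group when it loads the
# filter. To run stand-alone, this script substitutes a plain IPv4 group
# (assumption: the logged client address is always a dotted-quad IPv4).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample log. The attempted passwords are redacted placeholders;
# vpopmail writes the real attempted password in clear text here, which is one
# more reason to keep the mail log readable by root only.
SAMPLE_LOG = """\
Mar 02 10:20:01 mail vpopmail[31082]: vchkpw-smtp: password fail (pass: 'REDACTED1') user1@domain.com:201.82.74.70
Mar 02 10:20:05 mail vpopmail[31090]: vchkpw-smtp: password fail (pass: 'REDACTED2') user2@domain.com:201.82.74.70
Mar 02 10:20:09 mail vpopmail[31095]: vchkpw-smtp: password fail (pass: 'REDACTED3') user3@domain.com:201.82.74.70
Mar 02 10:20:12 mail vpopmail[31101]: vchkpw-pop3: password fail (pass: 'REDACTED4') user4@domain.com:198.51.100.7
Mar 02 10:20:15 mail vpopmail[31104]: vchkpw-smtp: password fail (pass: 'REDACTED5') user5@domain.com:201.82.74.70
Mar 02 10:20:20 mail vpopmail[31110]: vchkpw-smtp: password fail (pass: 'REDACTED6') user6@domain.com:201.82.74.70
Mar 02 10:20:21 mail sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 50000 ssh2
Mar 02 10:20:25 mail vpopmail[31118]: vchkpw-smtp: password fail (pass: 'REDACTED7') user8@domain.com:201.82.74.70
"""


def parse_syslog_ts(line, year):
    # syslog timestamps carry no year, so the caller supplies one
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def scan(log_text, maxretry=5, findtime=600, year=2011):
    """Return how many lines matched the failregex and which hosts reached
    maxretry failures inside a findtime window (the hosts fail2ban would ban),
    keyed by the time the ban would have been issued."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # host -> failure times still inside the window
    banned = {}                  # host -> time of the maxretry-th failure
    matched = 0
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        matched += 1
        host = m.group("host")
        if host in banned:
            continue             # already banned; later lines add nothing
        ts = parse_syslog_ts(line, year)
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return {"matched": matched, "banned": banned}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print("%d failure lines matched" % result["matched"])
    for host, when in result["banned"].items():
        print("would ban %s at %s" % (host, when.strftime("%H:%M:%S")))
```

With the defaults, 201.82.74.70 crosses five failures at 10:20:20 and would be banned; 198.51.100.7 with a single failure would not. Before relying on the pattern in a real filter, check it with fail2ban's own tester, fail2ban-regex, against the actual log file and filter, since fail2ban strips the timestamp and expands <HOST> itself and those details differ from this script. Also note that the line in the thread shows the mail log recording the attempted password in clear text, so the log file's permissions deserve the same care as the password database.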