iptables, port scan, sendmail overload



Hi everyone,

I am more of a novice than an expert when it comes to Linux problems,
but last night I decided to do a port scan on our server at work, to
make sure it was fit to handle the Christmas holidays all alone.

So when I got home, I started the port scan off using AATools Port
Scanner for Windows and went out. When I got back, it was showing me
that there were around 15 ports open (all UDP) on weird ports... as you
can imagine, I started getting worried. I had rewritten the rules that
day to make sure they were all OK.

Anyway, to cut it a little short, I got to work this morning to find
that sendmail had died with the following error messages:

Dec 21 08:14:53 mail sendmail[8672]: rejecting connections on daemon MSA: load average: 129
Dec 21 08:15:08 mail sendmail[8672]: rejecting connections on daemon MTA: load average: 129
Dec 21 08:15:08 mail sendmail[8672]: rejecting connections on daemon MSA: load average: 129
Dec 21 08:15:23 mail sendmail[8672]: rejecting connections on daemon MTA: load average: 129

After surfing the internet to find the cause of this, with people
suggesting it might be Apache, I shut Apache down. Even though the CPU
was not showing any load for Apache, this did not solve the problem. So
back to searching Google, I eventually found someone who suggested it
was a network problem. So I turned my firewall off, thinking it might
have been the port scan I did the night before.

Straight away the load started coming down, and within a few minutes
returned to normal.

Does anyone know why this sort of thing should happen? I thought that a
firewall should just ignore this sort of thing, not crash and fall
over. If anyone could shed any light on this, I would be most grateful.

Thanks

Dave.
