Re: iptables, port scan, sendmail overload
- From: "Dave" <david.greenhall@xxxxxxxxxxxxxxxx>
- Date: 21 Dec 2006 22:51:02 -0800
Moe Trin wrote:
On 21 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
<1166691757.194963.140340@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, Dave wrote:
I am more of a novice than an expert when it comes to linux problems,
but last night I decided to do a port scan on our server at work, to
make sure it was fit to handle the Christmas holidays all alone.
Normally, before I do the portscan, I like to look at the output of
/bin/netstat -anptu to see what the system knows is flapping in the
breeze.
So when I got home, I started the port scan off using AATools Port
Scanner for Windows and went out. When I got back, it was showing me
that there were around 15 ports open (all UDP) on weird ports... as you
can imagine I started getting worried. I had rewritten the rules that
day to make sure they were all OK.
Not using windoze, I have no idea what 'AATools' may have tried. Most
people use 'nmap'. Does netstat show these ports open now? If so, what
process has them open?
Anyway, to cut it a little short, I got to work this morning to find
that sendmail had died with the following error messages:
Dec 21 08:14:53 mail sendmail[8672]: rejecting connections on daemon
MSA: load average: 129
Dec 21 08:15:08 mail sendmail[8672]: rejecting connections on daemon
MTA: load average: 129
OK - something running around in circles hogging all the CPU cycles,
and sendmail rightly decided not to add to the bonfire. Well, you've at
least discovered you've got a DOS problem.
So I turned my firewall off, thinking it might have been the port scan
I did the night before.
Straight away the load started coming down, and within a few minutes
returned to normal.
Ok, so what is/was your firewall ruleset looking like?
Does anyone know why this sort of thing should happen? I thought that a
firewall should just ignore this sort of thing, not crash and fall
over. If anyone could shed any light on this, I would be most grateful.
Well, first off I prefer not to run the firewall on the same box as the
mail or web server. This may be OK for a home setup, but a business
shouldn't be doing that. Secondly, what have you got the firewall doing?
Based on your post to comp.os.linux.networking on the 18th, and your
statement above, you've changed the firewall setup. What was hogging the
CPU cycles? Was this some 'reactive' firewall function (if "attacked",
do "this")? Obviously, a lot depends on your perceived threat that
you have configured the firewall to block, and what services you are
offering to how much of the world, but I like to see comparatively
simple firewall setups.
Lessee, I only see two responses to your c.o.l.n post - Bit pointed you
to netfilter.org and iptables-tutorial.frozentux.net. I like to refer
people to Rusty Russell's (author of the firewall code in the kernel)
site at http://www.iptables.org/documentation/HOWTO/
Old guy
Thanks for the reply.
Yes, I did change the firewall settings, but I am still using webmin /
turtlefirewall (I have not mastered doing it manually in iptables yet).
The machine has 3 network cards in it: 1 external and 2 internal.
The firewall was setup to do the following:
firewall to external (all services)
external to firewall (smtp, http)
firewall to localnetwork (all services)
external to firewall (reject all)
Dave.
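The four-line policy Dave describes, written out as a plain iptables script. This is an added example, not Dave's turtlefirewall configuration and not code from the thread; it assumes eth0 is the external card and eth1/eth2 the two internal ones (change EXT_IF / INT_IFS to match), and it reads the last line of Dave's list, "external to firewall (reject all)", as the catch-all for anything from outside that the smtp/http rules did not match. It is deliberately the kind of simple, static ruleset Moe Trin recommends: stateful accept for replies, two open ports, rate-limited logging so a scan cannot turn the log rules into a CPU sink, and a single REJECT at the end with nothing "reactive" behind it. Without APPLY=1 it only prints the commands it would run, so it can be reviewed before being loaded as root.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names are assumptions.
EXT_IF="${EXT_IF:-eth0}"          # external card
INT_IFS="${INT_IFS:-eth1 eth2}"   # the two internal cards

# ipt: print each iptables command; only run it when APPLY=1 (needs root).
ipt() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

firewall_rules() {
    # Clean slate, deny by default on INPUT and FORWARD.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    # "firewall to external (all services)" and "firewall to localnetwork
    # (all services)": the box may open anything it likes outbound.
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the box opened itself (outbound mail, DNS, ...).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no known connection never reach sendmail.
    ipt -A INPUT -m state --state INVALID -j DROP

    # "external to firewall (smtp, http)": only new TCP connections to 25 and 80.
    for port in 25 80; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Hosts on the two internal cards may talk to the firewall freely.
    for iface in $INT_IFS; do
        ipt -A INPUT -i "$iface" -j ACCEPT
    done

    # "external to firewall (reject all)": log at most 5 lines a minute so a
    # port scan cannot flood syslog, then reject once with no further action.
    ipt -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-REJECT: "
    ipt -A INPUT -i "$EXT_IF" -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -i "$EXT_IF" -j REJECT --reject-with icmp-port-unreachable
}

# count_rules: number of -A rules the policy emits (sanity check when editing it).
count_rules() {
    firewall_rules | grep -c ' -A '
}

firewall_rules
```

Running it as `sh fw.sh` prints the rules for review; `APPLY=1 sh fw.sh` loads them. After loading, `iptables -L -v -n` shows per-rule counters, which is the quickest way to see whether a scan is hitting the REJECT rules or something unexpected, and `netstat -anptu` (as Moe Trin suggested) should then only show sendmail and the web server listening on the external interface.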
- Follow-Ups:
- Re: iptables, port scan, sendmail overload
- From: Moe Trin
- Re: iptables, port scan, sendmail overload
- References:
- iptables, port scan, sendmail overload
- From: Dave
- Re: iptables, port scan, sendmail overload
- From: Moe Trin