Re: pop3d exploit

On Tue, 2007-01-30 at 15:11 -0600, Vernon A. Fort wrote:
> The connections to the pop3d were from ONE specific host which had 525 
> connections within 20 minutes.

That's merely a connection every 2 seconds.
That shouldn't be a big deal, unless connections were left open 
and idle on purpose.
A medium-size office sitting behind a NAT can easily do that.

> Around 20 minutes after the first 
> badlogin from this host is when the "Too many open files" started 
> appearing.  It appears to be a DoS attack which just overwhelmed the 
> server.

Anyway, if that's the anomaly you found, it may be it. 

> I added a maxchild=30 to the cyrus.conf pop2 SERVICES.

That's the one limit one should have.
For more detailed limits (like sessions per IP, new connections per IP
in a period of time and so on) you may want to take a look at the BSD
packet filter.

M.

-- 
Mirosław "Psyborg" Jaworski
GCS/IT d- s+:+ a C++$ UBI++++$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O-
M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
         "Veni, Vedi, Visa: I came. I saw. I did a little shopping."

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
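
The per-IP limits mentioned in the reply above, sketched as a pf.conf fragment. This is an added example, not part of the original message or the Cyrus project's configuration; the interface name, table name and all numeric thresholds are assumptions to be tuned for the site.

```conf
# pf.conf fragment (added example; values are assumptions, not from the thread)

# Assumed external interface name.
ext_if = "em0"

# Sources that exceeded the limits below are collected here.
table <pop3_abusers> persist

# Drop anything from a source already in the table.
block in quick on $ext_if from <pop3_abusers>

# Allow POP3 (tcp/110), tracked per source address:
#   max-src-conn       simultaneous established connections per source IP
#   max-src-conn-rate  new connections per source IP per interval (count/seconds)
#   overload           add offenders to the table
#   flush global       also kill the states the offender already holds
#
# The host in this thread made 525 connections in 20 minutes (about 26 per
# minute), so a rate of 15/60 would have tripped on it. As the reply notes,
# an office behind a NAT can legitimately reach similar rates, so set the
# thresholds above the busiest known-good source.
pass in on $ext_if proto tcp to port 110 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 15/60, \
     overload <pop3_abusers> flush global)
```

The syntax can be checked without loading the ruleset using `pfctl -nf /etc/pf.conf`, and the table inspected with `pfctl -t pop3_abusers -T show`. These limits complement the `maxchild` cap in cyrus.conf rather than replace it: pf bounds each source, while `maxchild` bounds the service as a whole.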
