On Tue, 2007-01-30 at 15:11 -0600, Vernon A. Fort wrote:
> The connections to the pop3d were from ONE specific host which had 525
> connections within 20 minutes.
That's merely connection every 2 seconds.
That shouldn't be a big deal, unless connections were left open
and idle on purpose.
Medium size office sitting behind a NAT can easily do that.
> Around 20 minutes after the first
> badlogin from this host is when the "Too many open files" started
> appearing. It appears to be a DoS attach which just overwhelmed the
> server.
Anyway if that's the anomaly you found it may be it.
> I added a maxchild=30 to the cyrus.conf pop2 SERVICES.
That's the one limit one should have.
For more detailed limits ( like sessions per ip, new connections per ip
in period of time and so on ) you may want to take a look at bsd packet
filter.
M.
--
Mirosław "Psyborg" Jaworski
GCS/IT d- s+:+ a C++$ UBI++++$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O-
M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
"Veni, Vedi, Visa: I came. I saw. I did a little shopping."
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
