Re: cyrus 2.5 imap idle/stuck connections (DOS like)

[Ivan Kuznetsov <kia@xxxxxxxx>]

Hello

iptables -A INPUT -p tcp --syn --dport 143 -m connlimit 
--connlimit-above 8 -j REJECT

This will limit established imap connections to 8 per ip


07.03.2019 17:39, Heiler Bemerguy via Info-cyrus пишет:
> Yes I've read imapd.conf and cyrus.conf and found no options to limit 
> connections per source IP or "idleness"..
>
> It means anyone can open a lot of connections to any port (143, 25, 110 
> etc) and render the server unusable??
>
> I'm using Debian, so I'll try to figure out how to do that with 
> iptables.. Thanks!
>
>
> Best Regards,
>
> Heiler Bensimon Bemerguy - CINBESA
> Analista de Redes, Wi-Fi,
> Virtualização e Serviços Internet
> (55) 91 98151-4894
>
> Em 07/03/2019 11:25, Willem Offermans escreveu:
> > Dear Cyrus friends and Heiler Bensimon Bemerguy,
> >
> > You could use your firewall to achieve this.
> >
> > For ipfw:
> >
> > ${fwcmd} add pass tcp from any to ${ip_me} imap setup limit src-addr 10
> >
> > You have to lookup the right syntax for your firewall.
> >
> > Dit you check man imapd or man cyrus, maybe there is also an option 
> > for the daemon itself, but I would prefer the firewall.
> >
> >
> > Wiel Offermans
> > Willem@xxxxxxxxxxxxxxxxxxx <mailto:Willem@xxxxxxxxxxxxxxxxxxx>
> >
> >
> >
> >
> > > On 7 Mar 2019, at 14:53, Heiler Bemerguy via Info-cyrus 
> > > <info-cyrus@xxxxxxxxxxxxxxxxxxxx 
> > > <mailto:info-cyrus@xxxxxxxxxxxxxxxxxxxx>> wrote:
> > >
> > > Hail,
> > >
> > > I've noticed an user with ~200 open connections to cyrus imap port 
> > > (143) and, because of him, no one else could login to the server.
> > >
> > > I've noticed even with a single "telnet ip 143", the connection is 
> > > accepted and never ever dropped, even while still unauthenticated.
> > >
> > > How to stop that from happening?
> > >
> > > cyrus.conf:
> > > imap            cmd="imapd -U 30" listen="imap" prefork=6 maxchild=200
> > >
> > >
> > > --
> > > Atenciosamente,
> > >
> > > Heiler Bensimon Bemerguy - CINBESA
> > > Analista de Redes, Wi-Fi,
> > > Virtualização e Serviços Internet
> > > (55) 91 98151-4894
> > >
> > > ----
> > > Cyrus Home Page: http://www.cyrusimap.org/
> > > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> > > To Unsubscribe:
> > > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

--
С уважением, Иван Кузнецов
Руководитель технического отдела

Компания "СОЛВО"
+7(812)60-60-555
+7(495)66-83-003
+7(921)740-72-61
http://www.solvo.ru
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus