The Community Forums

Interact with an entire community of cPanel & WHM users!

could excessive cpanelpop bring server down?

Discussion in 'E-mail Discussions' started by akucharski, Apr 7, 2007.

  1. akucharski

    akucharski Member

    I had my cPanel server go unresponsive last night. Upon review of the logs, one suspicious activity is hundreds of these entries:

    Apr 6 21:56:46 dl380 cpanelpop[17135]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17136]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17137]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17138]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17139]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17140]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17141]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17142]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17143]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17144]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17145]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:46 dl380 cpanelpop[17146]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17147]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17148]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17149]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17150]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17152]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17153]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17154]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17155]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17156]: Connection from host=n.n.n.n to ip=n.n.n.n
    Apr 6 21:56:47 dl380 cpanelpop[17157]: Connection from host=n.n.n.n to ip=n.n.n.n

    Could it be possible that this locked the server up? Has anyone seen this?

    We run apf, but upon further investigation of this forum we stumbled upon ConfigServer Security & Firewall (csf). Would this adaptive fw be able to react to this type of attack?
     
  2. nyjimbo

    nyjimbo Well-Known Member

    It could kill the server, since I think each connect will load a pop session, use up memory and cpu time/performance.

    I know if some idiot on my server keeps hitting reload of webmail while waiting for it to load and they have a huge inbox (mbox) it will kill the server's performance until the system grinds to a halt.
     
  3. jayh38

    jayh38 Well-Known Member

    CSF would offer connection limits and temporarily disable access to pop if they used their allocated connections per hour as set in csf config. CSF would be a wise choice. It will also uninstall APF automatically and configure your ingress and egress ports efficiently.
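
A small detector for the pattern in the first post's log excerpt, added here as an example (it is not from the thread, cPanel or CSF): it counts `cpanelpop` connections per source inside a sliding time window and reports sources whose peak exceeds a threshold. The window, threshold, year and the documentation-range addresses are assumptions, and the sample log lines are constructed in the format shown above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the syslog lines quoted in the first post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ cpanelpop\[\d+\]: "
    r"Connection from host=(?P<src>\S+) to ip=\S+$"
)

def parse(line, year):
    """Return (timestamp, source) or None for lines that are not cpanelpop connects."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"]

def find_bursts(lines, window=10, threshold=20, year=2007):
    """Return {source: peak connection count inside any `window`-second span}
    for every source whose peak is above `threshold`."""
    span = timedelta(seconds=window)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse(line, year)
        if rec is None:
            continue
        ts, src = rec
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= span:  # drop connections that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}

def sample_log():
    """Constructed sample: one mail client polling every 5 minutes, one flooding source."""
    fmt = "Apr 6 21:{}:{:02d} dl380 cpanelpop[{}]: Connection from host={} to ip=203.0.113.5"
    lines = [fmt.format(m, 2, 17000 + m, "198.51.100.7") for m in (40, 45, 50, 55)]
    lines.append("Apr 6 21:56:00 dl380 exim[900]: unrelated line, ignored")
    for i in range(22):           # 22 connects within two seconds, as in the excerpt
        lines.append(fmt.format(56, 46 + (i >= 12), 17135 + i, "192.0.2.10"))
    return lines

if __name__ == "__main__":
    for src, n in find_bursts(sample_log()).items():
        print(f"{src}: {n} POP3 connections within 10s")
```
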
     
  4. akucharski

    akucharski Member

    csf

    We have installed CSF and have been very impressed and happy. Of course time will tell but so far so good. No matter how many times I look at brute force attack logs it never stops amazing me how many unscrupulous computers are out there trying to get access to your machine.
     
  5. jayh38

    jayh38 Well-Known Member

    This is very true. Consider changing your ssh port to something uncommon. It seems once you have a vital port accessible, a box gets marked as a target but it will stop after a while.

    I have many clients experience this and constantly get run into the ground until I secure the box and set strict access rules. It took about 6 weeks but nothing significant anymore. No more high loads, floods or massive spam attacks or sql injection attempts.

    Best of all, the box only reboots for kernel updates and not on a daily basis any longer.
     