This needs to be looked into promptly Nick
During this apparent attack it was evident that there needed to be some kind of control of pop sessions in cPanel's pop server to prevent this flooding from occurring and to turn off the logging.
I'm not sure if it is possible Nick, but some more people will fall victim to what happened to us the other night if this hole is not blocked.
Our server was being flooded with pop connects and rapidly filled up the maillog and var partition within very little time. The partition is not the biggest on most systems, we have like 1-gig free space, which is plenty, but it was not enough in this situation. I will probably be moving these logs to a larger partition to give more time for us, if this happens again.
What happened?
A popular Windows chat program called Trillian, I'm sure many of you are familiar with, went crazy for a user on our system after installing a module for it, to check their pop mail account.
The user had no idea what was going on, but it was connecting to our pop server at a very rapid rate; the server showed no signs of an attack, it was handling the sessions just fine. The first sign we had was our disk partition flew up to 98% usage within the hour, I just happened to check at the right time!!
After scrambling to see where the problem was occurring, I first looked at the logs and found the maillog filling up rapidly and connections coming from the user.
I promptly suspended the account, since there is no way to stop pop sessions at the server level with the cPanel pop software, at least I have no idea how. It runs outside of hosts.deny; I could have easily banned his IP in there, but not just pop3.
Even after suspending the account, his system was still trying to connect and filling up the log with connections, but I had control of it at that time and wanted to see if he would stop. I figured it was some kind of software error; it did not fit the usual type of attack.
So, could we have a limit on pop3 connects per minute or some kind of control here to prevent this from happening? Stop logging the connects at the maillog when this occurs, if possible too.
This is an easy way to bring down any cPanel server: just keep flooding it with pop connects. It doesn't matter if you have an account there or not, you will fill their log up quickly with a good flood rate.
Any ideas are appreciated.
Brad
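As an added example (not code from the original post or from cPanel), here is the kind of per-IP connection-rate check over the maillog that would have surfaced a runaway client like this before the partition filled, plus the arithmetic for how long a given amount of free space lasts at a given logging rate. The log format, hostnames, IPs and the 30-per-minute threshold are all constructed assumptions; the real maillog layout may differ.

```python
import re
from collections import Counter, defaultdict

# Regex for courier-style pop3d syslog lines (assumption: the layout of the
# poster's actual maillog may differ; adjust the pattern to match it).
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):\d{2} "
    r"\S+ pop3d: Connection, ip=\[(?P<ip>[^\]]+)\]$"
)

def build_sample():
    """Constructed maillog: one normal user plus one runaway mail client."""
    lines = []
    for sec in ("01", "31"):                  # alice checks mail twice in a minute
        lines.append(f"Mar  3 02:10:{sec} host pop3d: Connection, ip=[::ffff:198.51.100.7]")
        lines.append(f"Mar  3 02:10:{sec} host pop3d: LOGIN, user=alice, ip=[::ffff:198.51.100.7]")
    for i in range(120):                      # runaway client: two connects per second
        lines.append(f"Mar  3 02:11:{i // 2:02d} host pop3d: Connection, ip=[::ffff:203.0.113.9]")
    return "\n".join(lines)

def connections_per_minute(log_text):
    """Count pop3d 'Connection' lines keyed by (minute, client IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            minute = f"{m['mon']} {int(m['day']):02d} {m['hh']}:{m['mm']}"
            ip = m["ip"].replace("::ffff:", "")   # strip the IPv4-mapped prefix
            counts[(minute, ip)] += 1
    return counts

def flag_flooders(log_text, threshold=30):
    """Return {ip: peak connections in any single minute} for IPs above threshold."""
    peak = defaultdict(int)
    for (_, ip), n in connections_per_minute(log_text).items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > threshold}

def minutes_to_fill(free_bytes, bytes_per_line, lines_per_minute):
    """How many minutes a partition with free_bytes lasts at a given logging rate."""
    return free_bytes / (bytes_per_line * lines_per_minute)

if __name__ == "__main__":
    sample = build_sample()
    print(flag_flooders(sample))                               # {'203.0.113.9': 120}
    # 1 GB free, ~100-byte lines, 10,000 lines/minute -> 1000 minutes
    print(minutes_to_fill(1_000_000_000, 100, 10_000))         # 1000.0
```

Run it against a real maillog with `flag_flooders(open("/var/log/maillog").read())` once the regex matches that server's line format; anything it flags is a candidate for a per-IP block at the firewall rather than a whole-account suspension.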