The Community Forums

Problem with cppop

Discussion in 'General Discussion' started by jackie46, Apr 9, 2006.

  1. jackie46

    jackie46 BANNED

    Try limiting the number of connections that an IP can make to port 25. Our limit is 3; after that we deny it. Simple as that.
     
  2. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    Hi, I have a problem with the cppop daemon.
    I'm constantly under DDoS attacks. The server responds very, very well, but the server crashes when botnets attack port 110, used by the cppop daemon. At that moment cppop creates more than 1500 processes and then the box crashes.

    I need to limit the connections per IP to that port, or limit the connections cppop can handle at the same time.

    Is this possible?

    Please help.
     
  3. chirpy

    chirpy Well-Known Member

    For cppop, you can try enabling both:

    WHM > Tweak Settings > Attempt to prevent pop3 connection floods
    WHM > Tweak Settings > The number of times users are allowed to check their mail using pop3 per hour > set to 60

    If that doesn't help, you'll have to look into iptables rules to rate limit connections to port 110, or speak to your NOC and have them try and stop the DOS on their routers.
     
  4. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    Thanks chirpy, but I have already set the POP3 flood protection and the limit of 60 users.
    But the attack consists of creating connections to the port without authorization, so it just opens the port of the application. And this is a very, very, very bad problem, because cppop runs out of control when it is attacked and creates a lot of processes.
    The problem was fixed anyway.
    My NOC has DDoS protection against bandwidth attacks but not against service-based attacks. Anyway, to resolve this case I just updated cppop to maildir boxes, using the /convert2maildir script in the /scripts path.
    The change in POP3 operation is amazing.
    Now when I receive an attack, cppop consumes only 20 processes for 3000 connections, and the service does not crash! It works very nicely.
    Now I just need to do the same with cpsrvd <-- that's another dangerous service, because it creates a lot of processes, consuming all the CPU.
    Bye, and thanks chirpy.
     
  5. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    :eek: :eek: :( :( :( Damn... maildir screwed up my mailboxes.
    Now it refuses connections all the time with:
    Apr 10 21:05:38 omega pop3d: LOGIN, user=administracion@west-domains.com, ip=[::ffff:24.232.17.203]
    Apr 10 21:05:38 omega pop3d: scancur opendir("cur"): No such file or directory
    Apr 10 21:05:41 omega pop3d: chdir mail: No such file or directory
    Apr 10 21:05:43 omega pop3d: chdir mail: No such file or directory
    Apr 10 21:06:03 omega pop3d: LOGIN, user=administracion@west-domains.com, ip=[::ffff:24.232.17.203]
    Apr 10 21:06:03 omega pop3d: scancur opendir("cur"): No such file or directory
    Apr 10 21:06:05 omega pop3d: chdir mail: No such file or directory
    Apr 10 21:06:07 omega pop3d: chdir mail: No such file or directory
    Apr 10 21:09:18 omega pop3d: chdir mail: No such file or directory

    I must reconvert to mbox again, and the damn problems with DDoS attacks come back.
     
  6. chirpy

    chirpy Well-Known Member

    I've had that issue when on EDGE just now. Downgraded to RELEASE and courier-imap started working correctly again.
     
  7. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    I have a problem with the RELEASE version: on FreeBSD, cPanel in the RELEASE version doesn't work; all the control panels give a blank page.
    :\
    Anyway, I set rules to control the DDoS, but I like the IMAP implementation.
    I hope in the future cPanel fixes this issue for FreeBSD and all versions.
     
  8. chirpy

    chirpy Well-Known Member

    The courier imap issue in EDGE has been fixed (see the changelog)
     
  9. dave9000

    dave9000 Well-Known Member

    And verified to be fixed. Just did an upgrade to E25 and it worked perfectly :D
     
  10. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    The problem with courier imap/pop3

    The problem with courier imap/pop3 persists, but I found a way to limit the active cppop processes and to manage and secure all the cPanel problems caused by DDoS and DoS attacks.

    IPSecure NetWork uses firewalls and filters, but that is not enough, so with FreeBSD and ipfw I can limit all the source IPs for destination ports.
    An example: I only allow 4 connections per IP to port 110. With this configuration I can control all the cppop flood attacks, and the same against cpsrvd.

    Kiddies attack me with more than 5k botnets and the server only gets a 3.0 load average.
    Amazing, huh? Firewalls and a good security configuration are the best.

    I hope cPanel fixes these problems for users who do not have the possibility of an ISP with firewall protection.

    The execution priority of cpsrvd and cppop and the unlimited connections accepted by these daemons create big security problems.
     
  11. kokoman

    kokoman Active Member

    Your solution is a little bit limited... maybe it is a great solution for a small hosting company, but not for a hosting company with many users connected via NAT: many users behind one single IP could not use the mail service provided by someone filtering as you describe in your last message.
     
  12. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    pop3

    For this case (I have clients with this kind of issue) I set the source IPs with a new connection limit to the destination port.
    This kind of solution requires more ux administration, but it is a good solution for DDoS attacks on FreeBSD (ipfw permits that).
     
  13. kokoman

    kokoman Active Member

    What about xDSL users with dynamic IP?
     
  14. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    I'm not saying only one unfiltered IP...
    You can filter by CIDR, for example:
    if you have a lot of clients from one ISP, 66.90.x.x, just allow the CIDR 66.90.0.0/16,
    or more specifically 66.90.66.0/24, allowing 255 IPs.
    :)
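
The per-IP connection limit with CIDR exceptions discussed in the posts above, as an added example that is not part of any post in this thread: it counts simultaneous connections to ports 110 and 995 per source and reports the sources above their limit. It assumes the Linux `netstat -tn` column order; the function names `pop3_over_limit` and `sample_netstat` are hypothetical, and the sample lines are constructed from documentation address ranges.

```sh
# Added example. Usage: netstat -tn | pop3_over_limit DEFAULT_LIMIT [CIDR=LIMIT ...]
# Prints "source-ip connections limit" for every source holding more
# ESTABLISHED connections to port 110/995 than its limit allows.
pop3_over_limit() {
    default_limit=$1; shift
    awk -v default_limit="$default_limit" -v overrides="$*" '
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function limit_for(ip,   i, n, size) {
        if (ip ~ /:/) return default_limit + 0   # real IPv6: no override lookup
        n = ip2int(ip)
        for (i = 1; i <= nover; i++) {           # first matching CIDR wins
            size = 2 ^ (32 - bits[i])
            if (int(n / size) == int(base[i] / size)) return lim[i]
        }
        return default_limit + 0
    }
    BEGIN {
        nover = split(overrides, ov, " ")
        for (i = 1; i <= nover; i++) {
            split(ov[i], kv, "=")                # kv[1] = CIDR, kv[2] = limit
            split(kv[1], nb, "/")                # nb[1] = network, nb[2] = prefix
            base[i] = ip2int(nb[1]); bits[i] = nb[2] + 0; lim[i] = kv[2] + 0
        }
    }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        lport = $4; src = $5
        sub(/.*:/, "", lport)                    # keep only the local port
        if (lport != "110" && lport != "995") next
        sub(/:[0-9]+$/, "", src)                 # drop the remote port
        sub(/^::ffff:/, "", src)                 # IPv4-mapped IPv6 -> IPv4
        count[src]++
    }
    END {
        for (ip in count) {
            l = limit_for(ip)
            if (count[ip] > l) print ip, count[ip], l
        }
    }' | sort
}

sample_netstat() {   # constructed data, documentation address ranges only
    for p in 1 2 3 4; do echo "tcp 0 0 192.0.2.10:110 203.0.113.7:4000$p ESTABLISHED"; done
    echo "tcp6 0 0 ::ffff:192.0.2.10:995 ::ffff:203.0.113.7:40005 ESTABLISHED"
    for p in 1 2 3 4 5 6; do echo "tcp 0 0 192.0.2.10:110 198.51.100.20:5000$p ESTABLISHED"; done
    echo "tcp 0 0 192.0.2.10:25 203.0.113.7:40006 ESTABLISHED"
    echo "tcp 0 0 192.0.2.10:110 203.0.113.9:41001 TIME_WAIT"
}

sample_netstat | pop3_over_limit 4 198.51.100.0/24=20
```

With a default limit of 4 and the NAT range 198.51.100.0/24 raised to 20, only the single host with five connections is reported; without the override the NAT gateway is flagged as well, which is the trade-off raised in the replies above.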
     
  15. nat

    nat Well-Known Member

    Using latest current cPanel. cppop on a server keeps getting attacked, over 3000 cppop processes running. I block the IP, but he just gets a different one later and does the same.

    Both are enabled.


    I'm using apf as a firewall. Can anyone provide a rule to limit the number of simultaneous connections that can be made to port 110 and port 995 to 20 connections?
     
  16. nat

    nat Well-Known Member

    Here are my guesses. I will try them and see if it works.

    # limit number of connections to 110 to 20 per host
    iptables -A INPUT -p tcp --dport 110 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

    # limit number of connections to 995 to 20 per host
    iptables -A INPUT -p tcp --dport 995 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset




    Edit: That isn't going to work using redhat kernel.

    iptables -A INPUT -p tcp --dport 110 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
    iptables v1.2.8: Couldn't load match `connlimit':/lib/iptables/libipt_connlimit.so: cannot open shared object file: No such file or directory
     
    #16 nat, Oct 3, 2006
    Last edited: Oct 3, 2006
  17. rochen

    rochen Active Member
    PartnerNOC

    We have had problems with cppop being attacked on a couple of our servers over the past day or so. We ended up taking cppop offline for a few hours until the attacks passed.
     
  18. nat

    nat Well-Known Member

    I installed a new firewall called csf. csf's included brute force monitor called lfd blocks these attacks automatically. The log shows I have had two more attacks and they were both blocked automatically using csf.


    1. You will need to convert the mailboxes to maildir.

    /scripts/convert2maildir


    2. Install csf.

    cd
    rm -fv csf.tgz
    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh

    # Install instructions: http://www.configserver.com/free/csf/install.txt
    # CSF Release Announcement Thread: http://forums.cpanel.net/showthread.php?t=53511


    3. Configure csf and lfd.

    Login to WebHost Manager and click "ConfigServer Security & Firewall" under Add-ons.

    Configure it to your liking.

    Click "Firewall Configuration" and set TESTING to 0 once you are sure the firewall is configured and working.

    Restart csf and lfd using the ConfigServer Security & Firewall page in WebHost Manager.
     
    #18 nat, Oct 4, 2006
    Last edited: Oct 4, 2006
  19. Arsenico

    Arsenico Member

    USING IPFW FIREWALL:
    ipfw add allow tcp from any to any dst-port 110 in limit src-addr <limit>

    where limit is the number of connections / IP.


    I think there are other rules for iptables, but I never use it. (I use FreeBSD)
     
  20. budway

    budway Well-Known Member

    That does not solve the problem.

    The limitation has to be on client/email level.

    Each e-mail can check its e-mail every XX per hour

    That would actually work a lot better and cut down any problems.
     