jackie46

BANNED
Jul 25, 2005
537
0
166
Try limiting the number of connections that an IP can make to port 25. Our limit is 3; after that we deny it. Simple as that.
 

IPSecureNetwork

Well-Known Member
May 28, 2005
97
0
156
Hi, I have a problem with the cppop daemon.
I'm constantly under DDoS attacks. The server responds very, very well, but
the server crashes when botnets attack port 110, used by the cppop daemon.
In that moment
cppop creates more than 1500 processes and then the box crashes.

I need to limit the connections per IP to that port, or limit the connections cppop can handle at the same time.

Is this possible?

Please help.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
For cppop, you can try enabling both:

WHM > Tweak Settings > Attempt to prevent pop3 connection floods
WHM > Tweak Settings > The number of times users are allowed to check their mail using pop3 per hour > set to 60

If that doesn't help, you'll have to look into iptables rules to rate limit connections to port 110, or speak to your NOC and have them try and stop the DOS on their routers.
 

IPSecureNetwork

Well-Known Member
May 28, 2005
97
0
156
Thanks chirpy, but I have already set the POP3 flood protection and the limit of 60 users.
But the attack consists of creating connections to the port without authorization, so they just open the port of the application. This is a very, very, very bad problem, because cppop runs out of control when it is attacked and creates a lot of processes.
The problem was fixed anyway.
My NOC has DDoS protection against bandwidth attacks but not against service-based attacks. Whatever; to resolve this case, I just updated cppop to maildir boxes, using the /convert2maildir script in the /scripts path.
The change in how POP3 operates is amazing.
Now when I receive an attack, cppop consumes only 20 processes for 3000 connections, and the service does not crash!!! It works very nicely.
Now I just need to do the same with cpsrvd <-- that's another dangerous service,
because it creates a lot of processes, consuming all the CPU.
Bye and thanks, chirpy.
 

IPSecureNetwork

Well-Known Member
May 28, 2005
97
0
156
:eek: :eek: :( :( :( Damn... maildir screwed up my mailboxes.
Now it refuses the connections all the time with:
Apr 10 21:05:38 omega pop3d: LOGIN, [email protected], ip=[::ffff:24.232.17.203]
Apr 10 21:05:38 omega pop3d: scancur opendir("cur"): No such file or directory
Apr 10 21:05:41 omega pop3d: chdir mail: No such file or directory
Apr 10 21:05:43 omega pop3d: chdir mail: No such file or directory
Apr 10 21:06:03 omega pop3d: LOGIN, [email protected], ip=[::ffff:24.232.17.203]
Apr 10 21:06:03 omega pop3d: scancur opendir("cur"): No such file or directory
Apr 10 21:06:05 omega pop3d: chdir mail: No such file or directory
Apr 10 21:06:07 omega pop3d: chdir mail: No such file or directory
Apr 10 21:09:18 omega pop3d: chdir mail: No such file or directory

I must reconvert to mbox again, and the damn problems with DDoS attacks come back.
 

IPSecureNetwork

Well-Known Member
May 28, 2005
97
0
156
I have a problem with the release version. On FreeBSD, cPanel in the release version doesn't work; all the control panels give a blank page.
:\
Anyway, I set rules to control the DDoS, but I like the IMAP implementation.
I hope in the future cPanel fixes this issue for FreeBSD and all versions.
 

IPSecureNetwork

Well-Known Member
May 28, 2005
97
0
156
The problem with Courier IMAP/POP3

The problem with Courier IMAP/POP3 persists, but I found a way to limit the active cppop processes and to manage and secure all the cPanel problems caused by DDoS and DoS problems.

IPSecure NetWork uses firewalls and filters, but that is not enough, so with FreeBSD and ipfw I can limit all the source IPs for destination ports.
An example: I only allow 4 connections per IP to port 110. With this configuration I can control all the cppop flood attacks, and the same against cpsrvd.

Kiddies attack me with more than 5 k botnets and the server only gets a 3.0 load average.
Amazing, huh? Firewalls and a good security configuration are the best.

I hope cPanel fixes these problems for users who do not have the possibility of an ISP with firewall protection.

The execution priority of cpsrvd and cppop, and the unlimited connections accepted by these daemons, create big security problems.
 

kokoman

Active Member
Nov 28, 2002
27
0
151
BA, Argentina
Your solution is a little bit limited... maybe it is a great solution for a small hosting company, but not for a hosting company having many users connected via NAT. From one single IP, many users could not use the mail service provided by someone filtering as you describe in your last msg.
 

IPSecureNetwork

Well-Known Member
May 28, 2005
97
0
156
pop3

For this case (I have clients with this kind of issue) I set the source IPs with a new connection limit to the destination port.
This kind of solution requires more ux administration, but it is a good solution for DDoS attacks on FreeBSD (ipfw permits that).
 

kokoman

Active Member
Nov 28, 2002
27
0
151
BA, Argentina
west-domains said:
For this case (I have clients with this kind of issue) I set the source IPs with a new connection limit to the destination port.
This kind of solution requires more ux administration, but it is a good solution for DDoS attacks on FreeBSD (ipfw permits that).
What about xDSL users with dynamic IP?
 

IPSecureNetwork

Well-Known Member
May 28, 2005
97
0
156
I don't say only one IP unfiltered...
You can filter by CIDR. For example,
if you have a lot of clients from one ISP, 66.90.x.x, just allow the CIDR 66.90.0.0/16
or, more specifically, 66.90.66.0/24, allowing 255 IPs
:)
 

nat

Well-Known Member
Jan 16, 2003
210
0
166
Using latest current cPanel. cppop on a server keeps getting attacked, over 3000 cppop processes running. I block the IP, but he just gets a different one later and does the same.

chirpy said:
For cppop, you can try enabling both:

WHM > Tweak Settings > Attempt to prevent pop3 connection floods
WHM > Tweak Settings > The number of times users are allowed to check their mail using pop3 per hour > set to 60
Both are enabled.


chirpy said:
If that doesn't help, you'll have to look into iptables rules to rate limit connections to port 110.
I'm using apf as a firewall. Can anyone provide a rule to limit the number of simultaneous connections that can be made to port 110 and port 995 to 20 connections?
 

nat

Well-Known Member
Jan 16, 2003
210
0
166
Here are my guesses. I will try them and see if it works.

# limit number of connections to 110 to 20 per host
iptables -A INPUT -p tcp --dport 110 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

# limit number of connections to 995 to 20 per host
iptables -A INPUT -p tcp --dport 995 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset




Edit: That isn't going to work using redhat kernel.

iptables -A INPUT -p tcp --dport 110 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
iptables v1.2.8: Couldn't load match `connlimit':/lib/iptables/libipt_connlimit.so: cannot open shared object file: No such file or directory
 
Last edited:
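The per-IP cap asked for above, combined with the higher limit for known NAT/ISP ranges that IPSecureNetwork describes earlier in the thread, written as iptables rules. This is an added example, not code from any poster: it only prints the rules, it assumes the connlimit match is available (the error above shows it was not on that kernel), and the chain name POP3LIMIT and the function gen_pop3_rules are made up for the illustration.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules that cap concurrent
# POP3/POP3S connections per source IP, with higher caps for listed CIDRs.
# The chain name POP3LIMIT and the function name are assumptions.

# usage: gen_pop3_rules DEFAULT_LIMIT [CIDR:LIMIT ...]
gen_pop3_rules() {
    default=$1; shift
    case $default in ''|*[!0-9]*) echo "bad limit: $default" >&2; return 1;; esac

    # Validate every exception before emitting anything, so a typo never
    # produces a half-built rule set.
    for ex in "$@"; do
        cidr=${ex%%:*}; lim=${ex##*:}
        case $lim in ''|*[!0-9]*) echo "bad limit in: $ex" >&2; return 1;; esac
        echo "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ||
            { echo "bad CIDR in: $ex" >&2; return 1; }
    done

    echo "iptables -N POP3LIMIT"
    # Only new connections (SYN) to ports 110 and 995 enter the chain.
    echo "iptables -A INPUT -p tcp --syn -m multiport --dports 110,995 -j POP3LIMIT"

    # Exceptions first: NAT gateways / ISP ranges get their own per-IP cap,
    # then RETURN so the stricter default below never sees them.
    for ex in "$@"; do
        cidr=${ex%%:*}; lim=${ex##*:}
        echo "iptables -A POP3LIMIT -p tcp -s $cidr -m connlimit --connlimit-above $lim -j REJECT --reject-with tcp-reset"
        echo "iptables -A POP3LIMIT -p tcp -s $cidr -j RETURN"
    done

    # Default cap for every other source address.
    echo "iptables -A POP3LIMIT -p tcp -m connlimit --connlimit-above $default -j REJECT --reject-with tcp-reset"
}

# Constructed sample: 4 connections per IP by default, 50 for one ISP range.
gen_pop3_rules 4 66.90.66.0/24:50
```

Review the printed rules before piping them to a shell; rule order inside the chain is what keeps the exception ranges from hitting the default cap.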

rochen

Active Member
PartnerNOC
Mar 5, 2002
33
0
306
We have had problems with cppop being attacked on a couple of our servers over the past day or so. We ended up taking cppop offline for a few hours until the attacks passed.
 

nat

Well-Known Member
Jan 16, 2003
210
0
166
I installed a new firewall called csf. csf's included brute force monitor called lfd blocks these attacks automatically. The log shows I have had two more attacks and they were both blocked automatically using csf.


1. You will need to convert the mailboxes to maildir.

/scripts/convert2maildir


2. Install csf.

cd
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Install instructions: http://www.configserver.com/free/csf/install.txt
# CSF Release Announcement Thread: http://forums.cpanel.net/showthread.php?t=53511


3. Configure csf and lfd.

Log in to WebHost Manager and click "ConfigServer Security & Firewall" under Add-ons.

Configure it to your liking.

Click "Firewall Configuration" and set TESTING to 0 once you are sure the firewall is configured and working.

Restart csf and lfd using the ConfigServer Security & Firewall page in WebHost Manager.
 

Arsenico

Member
Apr 27, 2006
24
0
151
USING IPFW FIREWALL:
ipfw add allow tcp from any to any dst-port 110 in limit dst-addr <limit>

where limit is the number of connections / IP.


I think there are other rules for IPTABLES, but I never use it. (I use FREEBSD)
 

budway

Well-Known Member
Apr 16, 2003
189
0
166
That does not solve the problem.

The limitation has to be on client/email level.

Each e-mail can check its e-mail every XX per hour

That would actually work a lot better and cut down any problems.