My guys,

My firewall seems to block an attack on my Centos / Sendmail boxes on port 110. These servers require a reboot after each attack. My firewall says it's blocked? Do I need to patch something on sendmail? Or is my firewall not doing its job (Sonicwall)? This is not the first time this has happened.

11/20/2008 02:53:04.864 - SYN flood attack dropped - 75.2.205.141, 48102 - 10.80.80.210, 110
11/20/2008 03:08:04.864 - SYN flood attack dropped - 75.2.205.141, 64955, greatcooks.biz - 10.80.80.220, 110
11/20/2008 03:23:08.864 - SYN flood attack dropped - 75.2.205.141, 43068, greatcooks.biz - 10.80.80.210, 110

Any input would be much appreciated.

Thanks.

Chris Heiner wrote on Thu, 20 Nov 2008 08:48:50 -0800:

> My firewall seems to block an attack my Centos / Sendmail boxes on port 110.

port 110 is your POP server, probably dovecot.

> These servers require a reboot after each attack.

Because of what?

> My firewall says it's
> blocked?

I don't see this statement in your logs. How/where does it say this?

> Do I need to patch something on sendmail? Or is my firewall not
> doing its job (Sonicwall)? This is not the first time this has happened.

SYN floods are not unusual, even if it is not an attack. What or if you want to do something depends on your situation.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Chris Heiner wrote:

> My guys,
>
> My firewall seems to block an attack on my Centos / Sendmail boxes on
> port 110. These servers require a reboot after each attack. My
> firewall says it's blocked? Do I need to patch something on sendmail?
> Or is my firewall not doing its job (Sonicwall)? This is not the first
> time this has happened.
>
> 11/20/2008 02:53:04.864 - SYN flood attack dropped - 75.2.205.141,
> 48102 - 10.80.80.210, 110
>
> 11/20/2008 03:08:04.864 - SYN flood attack dropped - 75.2.205.141,
> 64955, greatcooks.biz - 10.80.80.220, 110
>
> 11/20/2008 03:23:08.864 - SYN flood attack dropped - 75.2.205.141,
> 43068, greatcooks.biz - 10.80.80.210, 110
>
> Any input would be much appreciated.
>
> Thanks.
>

If these are to bogus email addresses, you might try letting sendmail itself throttle the attacks. Look into sendmail's BAD_RCPT_THROTTLE. This has done wonders for my systems.

John Hinton
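
Added example, not part of any message in this thread: a small Python parser for the firewall log lines quoted in the first post. It reports, per source address, how many drops were logged, which hosts and ports were targeted, and the spacing between drops, which are the facts to compare against the times the servers actually hung. The field layout is inferred from the three quoted lines only; the function names are made up for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three log lines quoted in the first post (used here as sample input).
SAMPLE_LOG = """\
11/20/2008 02:53:04.864 - SYN flood attack dropped - 75.2.205.141, 48102 - 10.80.80.210, 110
11/20/2008 03:08:04.864 - SYN flood attack dropped - 75.2.205.141, 64955, greatcooks.biz - 10.80.80.220, 110
11/20/2008 03:23:08.864 - SYN flood attack dropped - 75.2.205.141, 43068, greatcooks.biz - 10.80.80.210, 110
"""

# Layout assumed from those lines:
#   timestamp - message - src_ip, src_port[, src_name] - dst_ip, dst_port
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<msg>.+?) - "
    r"(?P<src>\d+\.\d+\.\d+\.\d+), (?P<sport>\d+)(?:, (?P<name>\S+))? - "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+), (?P<dport>\d+)\s*$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def summarize(text):
    """Group SYN flood drops by source and measure the gaps between them."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and "SYN flood" in ev["msg"]:
            by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        report[src] = {
            "events": len(evs),
            "targets": sorted({(e["dst"], e["dport"]) for e in evs}),
            "gaps_seconds": gaps,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```
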