Hi,

Sometimes a script kiddie tries to guess passwords on our mailserver
(Ubuntu 10.04.2 LTS, postfix, dovecot 1.2.9, scanners, the standard
stuff). That leads to a nagios message about the high number of
processes. The number goes above 500. Nagios threshold is set to 250,
which is more than enough for normal operation of this server. When are
these processes supposed to die again? They seem to stay at the high
count quite long.

Is there a way to limit the generation of extra login processes? Can I
tune the login_process... params a bit? I have them all on default.

dovecot -n below:

root at mail-dev:/etc/dovecot# dovecot -n
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-32-server x86_64 Ubuntu 10.04.2 LTS
log_path: /var/log/dovecot/error.log
info_log_path: /var/log/dovecot/info.log
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imap pop3 imaps pop3s
listen: *, [::]
ssl_cert_file: /disk/site/etc/ssl/hobby.nl/hobby.nl.crt
ssl_key_file: /disk/site/etc/ssl/hobby.nl/hobby.nl.key
ssl_cipher_list: ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
first_valid_uid: 200
mail_privileged_group: vmail
mail_location: maildir:~/Maildir
mmap_disable: yes
dotlock_use_excl: no
mail_nfs_storage: yes
mail_nfs_index: yes
mbox_write_locks: fcntl dotlock
mail_executable(default): /usr/lib/dovecot/imap-wrapper.sh
mail_executable(imap): /usr/lib/dovecot/imap-wrapper.sh
mail_executable(pop3): /usr/lib/dovecot/pop3-wrapper.sh
mail_plugins: convert autocreate
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
imap_client_workarounds(default): outlook-idle delay-newmail
imap_client_workarounds(imap): outlook-idle delay-newmail
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
lda:
  postmaster_address: postmaster
  deliver_log_format: msgid=%m: %$
  rejection_subject: Rejected: %s
  rejection_reason: Your message to <%t> was automatically rejected:%n%r
  auth_socket_path: /var/run/dovecot/auth-master
auth default:
  mechanisms: plain login
  realms: kader.hcc.nl hobby.nl
  default_realm: kader.hcc.nl
  cache_size: 1024
  cache_ttl: 10
  passdb:
    driver: pam
    args: failure_show_msg=yes cache_key=%u dovecot
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/dovecot-auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
      group: vmail
plugin:
  convert_mail: mbox:/disk/mail/convert/%n
  autocreate: Trash
  autocreate2: Sent
  autocreate3: Drafts
  autocreate4: Spam
  autosubscribe: Trash
  autosubscribe2: Sent
  autosubscribe3: Drafts
  autosubscribe4: Spam

login_process defaults:

#login_user = dovecot
#login_process_size = 64
#login_process_per_connection = yes
#login_processes_count = 3
#login_max_processes_count = 128
#login_max_connections = 256

lsof -n output (part of long list):

dovecot-a 12941 root 17u unix 0xffff88012a457300 0t0 13606994 /var/run/dovecot/login/default
dovecot-a 12941 root 18u unix 0xffff8800272bd800 0t0 13565904 /var/run/dovecot/login/default
dovecot-a 12941 root 19u unix 0xffff8800a68a9800 0t0 13610586 /var/run/dovecot/login/default

TNX for any advice!

Egbert Jan
HCC!Hobbynet, NL

On Tue, 2011-06-14 at 21:34 +0200, Egbert Jan van den Bussche wrote:
> Hi,
>
> Sometimes a script kiddie tries to guess passwords on our mailserver
> (Ubuntu 10.04.2 LTS, postfix, dovecot 1.2.9, scanners, the standard
> stuff). That leads to a nagios message about the high number of
> processes. The number goes above 500.

What processes are they?

> Nagios threshold is set to 250,
> which is more than enough for normal operation of this server. When are
> these processes supposed to die again? They seem to stay at the high
> count quite long.
>
> Is there a way to limit the generation of extra login processes? Can I
> tune the login_process... params a bit? I have them all on default.

With defaults you shouldn't get more than 128 login processes, so I don't know why they would go to 500. http://wiki.dovecot.org/LoginProcess anyway may be helpful.
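
The question in the reply ("What processes are they?") can be answered by tallying the process list by command name. This is an added example, not part of the original thread: the sample process list is constructed, the threshold of 128 is the login_max_processes_count default quoted in the first message, and comparing each command name separately against that value is an assumption.

```shell
#!/bin/sh
# Added example: break a process list down by command name.
# Input on stdin: one command name per line, as printed by `ps -eo comm=`.

# tally: print "<count> <command>" lines, most numerous first.
tally() {
    awk 'NF { n[$1]++ } END { for (c in n) print n[c], c }' |
        sort -k1,1nr -k2,2
}

# over_cap CAP: print the command names whose count exceeds CAP.
over_cap() {
    tally | awk -v cap="$1" '$1 > cap { print $2 }'
}

# Constructed sample standing in for `ps -eo comm=` during a guessing run.
sample() {
    i=0
    while [ "$i" -lt 130 ]; do echo imap-login; i=$((i + 1)); done
    i=0
    while [ "$i" -lt 40 ]; do echo pop3-login; i=$((i + 1)); done
    printf '%s\n' dovecot dovecot-auth imap imap pop3
}

# Default quoted in the first message: login_max_processes_count = 128
CAP=128

# On the live server, replace `sample` with: ps -eo comm=
sample | tally
echo "over $CAP: $(sample | over_cap "$CAP")"
```

If the bulk of the count turns out not to be imap-login or pop3-login, the login_process settings are not the limit being hit.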