Old 05-25-2010, 10:28 AM   #1
ganfun
Member
 
Registered: Apr 2010
Location: Mumbai, India
Distribution: Ubuntu Server 9.10
Posts: 38

Rep: Reputation: 15
problem with ubuntu server firewall


Hi

I have installed Ubuntu Server 9.10.

I have the following things on my server:

MySQL
Apache
Squid
Postfix
Dovecot
fetchmail
ClamAV antivirus

All the services are working great, no problems.

I use the machine for internet routing and as a personal mail server which connects to and collects my mail from the ISP server.

But today when I was browsing it went very slow, almost dead, and when I checked I found too many connections (netstat) on the SMTP and 3128 ports.

Kindly let me know how to stop all this. I have also activated the Linux firewall but nothing is working, and my bandwidth is going for a toss.

In case you require my conf file to be posted, please let me know which one you wish to look at to solve this issue.
 
Old 05-25-2010, 10:34 AM   #2
alunduil
Member
 
Registered: Feb 2005
Location: San Antonio, TX
Distribution: Gentoo
Posts: 684

Rep: Reputation: 62
How many connections do you have to your box via SMTP? What's the load? Do you have your MTA configured as an open relay? I'm guessing you don't because you're using postfix. Can you post your main.cf without comments here?

Regards,

Alunduil
 
Old 05-26-2010, 12:56 AM   #4
ganfun
Member
 
Registered: Apr 2010
Location: Mumbai, India
Distribution: Ubuntu Server 9.10
Posts: 38

Original Poster
Rep: Reputation: 15
Here is the output that you wanted of the Postfix main.cf file:

Quote:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = minfolin
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, minfolin.minfo-server, localhost.minfo-server, localhost
relayhost = mail.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtp_helo_name = mydomain.com
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mydomain.com
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
I have changed the actual domain to mydomain.com.

The number of connections from my place to Postfix is just 4 mailboxes, and 2 mailboxes to other ISPs.

The 4 mailboxes are configured using fetchmail, which pulls and delivers the email.

The connections, when I look at the netstat command output, are something like:

Quote:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 mydomain.com:3128 118-168-143-15.dyn:4556 SYN_RECV
tcp 0 0 mydomain.com:3128 118-168-135-203.dy:1896 SYN_RECV
tcp 0 0 mydomain.com:3128 118-168-135-203.dy:2366 SYN_RECV
tcp 0 0 mydomain.com:3128 118-168-131-187.dy:1615 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-136-77.dyn:4853 ESTABLISHED
tcp 0 0 mydomain.com:59904 91.192.55.246:smtp ESTABLISHED
tcp 0 0 mydomain.com:60165 61-57-229-25.piine:smtp TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-141-183.dy:1455 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-143-148.dy:1936 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-140-57.dyn:3582 FIN_WAIT2
tcp 0 0 mydomain.com:43068 unassigned.calpop.:smtp ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-140-57.dyn:3134 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-131-187.dy:2936 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-143-190.dy:3532 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-140-57.dyn:3134 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-131-187.dy:2936 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-143-190.dy:3532 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-140-78.dyn:4800 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-143-190.dy:3633 ESTABLISHED
tcp 0 1 mydomain.com:3128 118-168-129-76.dyn:1210 LAST_ACK
tcp 0 1 mydomain.com:56738 ms65a.hinet.net:smtp SYN_SENT
tcp 0 0 mydomain.com:3128 118-168-135-203.dy:3012 ESTABLISHED
 
Old 05-26-2010, 08:56 AM   #5
alunduil
Member
 
Registered: Feb 2005
Location: San Antonio, TX
Distribution: Gentoo
Posts: 684

Rep: Reputation: 62
Why do you have the myhostname set to a shortname? If I'm not mistaken postfix wants a FQDN for hostname. Also, are you familiar with the machines making connections? Try running this:

Code:
netstat -nat | grep <myip>:25 | gawk '{print $5}' | cut -d : -f 1 | sort | uniq -c | sort -n
Regards,

Alunduil
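As an added example (not alunduil's command and not from the thread), the same per-peer count generalised to any local port, plus a breakdown by TCP state, run against a constructed sample laid out like the netstat output posted above; it uses plain awk, which Ubuntu ships, rather than gawk.

```shell
#!/bin/sh
# Constructed sample in the layout of the netstat output posted above (not the poster's real data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 mydomain.com:3128 118-168-143-15.dyn:4556 SYN_RECV
tcp 0 0 mydomain.com:3128 118-168-135-203.dy:1896 SYN_RECV
tcp 0 0 mydomain.com:3128 118-168-135-203.dy:2366 SYN_RECV
tcp 0 0 mydomain.com:3128 118-168-136-77.dyn:4853 ESTABLISHED
tcp 0 0 mydomain.com:59904 91.192.55.246:smtp ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-135-203.dy:3012 ESTABLISHED'

# Count remote peers talking to one local port, busiest first: "count peer".
# $1 = local port as netstat prints it (3128, or smtp without -n); netstat text on stdin.
peers_for_port() {
    awk -v port="$1" '
        $1 == "tcp" || $1 == "tcp6" {
            n = split($4, l, ":")                 # local port follows the last colon
            if (l[n] != port) next
            m = split($5, r, ":")                 # strip the remote port the same way
            peer = substr($5, 1, length($5) - length(r[m]) - 1)
            count[peer]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -rn
}

# Count connections to one local port by TCP state: "count state".
# Many SYN_RECV against few ESTABLISHED means half-open connections are piling up.
states_for_port() {
    awk -v port="$1" '
        $1 == "tcp" || $1 == "tcp6" {
            n = split($4, l, ":")
            if (l[n] == port) count[$6]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Stand-alone run over the sample; on a live box pipe `netstat -nat` in instead.
printf '%s\n' "$SAMPLE_NETSTAT" | peers_for_port 3128
printf '%s\n' "$SAMPLE_NETSTAT" | states_for_port 3128
```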
 
Old 05-26-2010, 10:47 AM   #6
ganfun
Member
 
Registered: Apr 2010
Location: Mumbai, India
Distribution: Ubuntu Server 9.10
Posts: 38

Original Poster
Rep: Reputation: 15
Hi

I am not familiar with the machines making connections; if you can, please provide me more info on the same.

I have kept the hostname short and not used the FQDN because if I use the FQDN Postfix stops delivering the emails and fails with msg 421, so after a lot of experiments this was set up and it started working.

The above code given by you is not working because I don't think I have gawk installed; do you want me to install the same?
 
Old 05-26-2010, 01:09 PM   #7
alunduil
Member
 
Registered: Feb 2005
Location: San Antonio, TX
Distribution: Gentoo
Posts: 684

Rep: Reputation: 62
Yes, if you can run that command then we can find out who is using your mail server and see if they are using you as a spam relay or just being mean and connecting to you quite a bit.

If you add your FQDN to the /etc/hosts file does postfix work with it at that point?

Regards,

Alunduil
 
Old 05-27-2010, 12:03 AM   #8
ganfun
Member
 
Registered: Apr 2010
Location: Mumbai, India
Distribution: Ubuntu Server 9.10
Posts: 38

Original Poster
Rep: Reputation: 15
Yes, in my /etc/hosts file I have my FQDN and Postfix is working fine.

In the meantime what I did was change the port of Squid from 3128 to a different port; now all the attacks are gone, for the past 24 hrs it's fine and there seems to be no issue. I guess the problem would have been that my user might be using torrents, which I have now banned.

And now the bandwidth is normal. Should I continue and wait to see if there is any problem or issue?
 
Old 05-27-2010, 08:46 AM   #9
alunduil
Member
 
Registered: Feb 2005
Location: San Antonio, TX
Distribution: Gentoo
Posts: 684

Rep: Reputation: 62
Did you have squid accessible from the outside? If so then yes, I imagine that was the cause of your bandwidth woes. Otherwise, it may have been the torrents. To find out I would use a tool like iptraf or nettop.

Regards,

Alunduil
 
1 members found this post helpful.
Old 05-27-2010, 11:24 PM   #10
ganfun
Member
 
Registered: Apr 2010
Location: Mumbai, India
Distribution: Ubuntu Server 9.10
Posts: 38

Original Poster
Rep: Reputation: 15
I guess yes; while I was working on the iptables and the security I had allowed port 3128 to the outside world, in the sense of incoming, which I have now closed.

I have even banned the torrents now so that the network is not disturbed by all this.

I would like to thank you for the help that you have extended.
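The root cause the thread settles on is Squid's port 3128 being reachable from outside. As an added check (not from the thread), this lists which of a set of LAN-only ports have a listener bound to all interfaces, run against a constructed `netstat -lnt` sample; the port list and the sample addresses are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -lnt` output (listening TCP sockets); not from the thread.
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN'

# Ports that should only be reachable from the LAN (assumed list: squid, mysql, dns).
LAN_ONLY_PORTS="3128 3306 53"

# Print "port address" for every LAN-only port whose listener is bound to all
# interfaces (0.0.0.0 or ::), i.e. also answering on the Internet-facing side
# unless an iptables rule blocks it. $1 = space-separated port list; netstat text on stdin.
exposed_listeners() {
    awk -v lanonly="$1" '
        BEGIN { n = split(lanonly, p, " "); for (i = 1; i <= n; i++) lan[p[i]] = 1 }
        $6 == "LISTEN" {
            k = split($4, a, ":")                 # port follows the last colon
            port = a[k]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((addr == "0.0.0.0" || addr == "::") && (port in lan)) print port, addr
        }
    ' | sort -n
}

# Stand-alone run over the sample; on a live box pipe `netstat -lnt` in instead.
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_listeners "$LAN_ONLY_PORTS"
```

Anything it prints is a service to bind to the inside address only (Squid's http_port) or to fence with an iptables INPUT rule that accepts the LAN source range and drops the rest.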
 