LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   problem with ubuntu server firewall (https://www.linuxquestions.org/questions/linux-software-2/problem-with-ubuntu-server-firewall-810017/)

ganfun 05-25-2010 10:28 AM

problem with ubuntu server firewall
 
Hi

I have installed Ubuntu Server 9.10.

I have the following things on my server:

MySQL
Apache
SQUID
Postfix
Dovecot
fetchmail
clamav antivirus

All the services are working great and there are no problems.

I use the machine for internet routing and as a personal mail server which connects to and collects my mail from the ISP server.

But today when I was browsing it went very slow, almost dead, and when I checked I found too many connections (netstat) on the SMTP and 3128 ports.

Kindly let me know how to stop all this. I have also activated the Linux firewall but nothing is working, and my bandwidth is going for a toss.

In case you require my conf file to be posted, please let me know which one you wish to look at to solve this issue.

alunduil 05-25-2010 10:34 AM

How many connections do you have to your box via SMTP? What's the load? Do you have your MTA configured as an open relay? I'm guessing you don't because you're using postfix. Can you post your main.cf without comments here?

Regards,

Alunduil

ganfun 05-26-2010 12:56 AM

Here is the output that you wanted of the Postfix main.cf file.

Quote:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = minfolin
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, minfolin.minfo-server, localhost.minfo-server, localhost
relayhost = mail.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtp_helo_name = mydomain.com
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mydomain.com
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

I have changed the actual domain to mydomain.com.

The number of connections from my place to Postfix is just 4 mailboxes, and 2 mailboxes to other ISPs.

The 4 mailboxes are configured using fetchmail, which pulls and delivers the email.

The connections when I look at the netstat command output are something like:

Quote:

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 mydomain.com:3128 118-168-143-15.dyn:4556 SYN_RECV
tcp 0 0 mydomain.com:3128 118-168-135-203.dy:1896 SYN_RECV
tcp 0 0 mydomain.com:3128 118-168-135-203.dy:2366 SYN_RECV
tcp 0 0 mydomain.com:3128 118-168-131-187.dy:1615 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-136-77.dyn:4853 ESTABLISHED
tcp 0 0 mydomain.com:59904 91.192.55.246:smtp ESTABLISHED
tcp 0 0 mydomain.com:60165 61-57-229-25.piine:smtp TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-141-183.dy:1455 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-143-148.dy:1936 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-140-57.dyn:3582 FIN_WAIT2
tcp 0 0 mydomain.com:43068 unassigned.calpop.:smtp ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-140-57.dyn:3134 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-131-187.dy:2936 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-143-190.dy:3532 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-140-57.dyn:3134 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-131-187.dy:2936 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-143-190.dy:3532 ESTABLISHED
tcp 0 0 mydomain.com:3128 118-168-140-78.dyn:4800 TIME_WAIT
tcp 0 0 mydomain.com:3128 118-168-143-190.dy:3633 ESTABLISHED
tcp 0 1 mydomain.com:3128 118-168-129-76.dyn:1210 LAST_ACK
tcp 0 1 mydomain.com:56738 ms65a.hinet.net:smtp SYN_SENT
tcp 0 0 mydomain.com:3128 118-168-135-203.dy:3012 ESTABLISHED

alunduil 05-26-2010 08:56 AM

Why do you have the myhostname set to a shortname? If I'm not mistaken postfix wants an FQDN for hostname. Also, are you familiar with the machines making connections? Try running this:

Code:

netstat -nat | grep <myip>:25 | gawk '{print $5}' | cut -d : -f 1 | sort | uniq -c | sort -n

Regards,

Alunduil
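
The one-liner above needs gawk, which the original poster did not have installed; the same tally works with the plain awk that ships on Ubuntu. The script below is an added example, not code from the thread or from alunduil: it runs the per-peer count and a per-state count over a constructed snippet of netstat -nat output (RFC 5737 documentation addresses, with 192.0.2.10 standing in for the server), and it matches on the local port rather than grepping for <myip>:25, so the same function also answers the question for Squid's port 3128. A heap of SYN_RECV against one port is what a flood looks like; many ESTABLISHED sockets from unfamiliar hosts is what an open proxy or relay being used looks like.

```shell
#!/bin/sh
# Added example (not from the thread): count remote hosts talking to a local port
# from "netstat -nat" output, using plain awk so it works without gawk installed.

# Constructed sample of "netstat -nat" output (RFC 5737 documentation addresses,
# not real peers); 192.0.2.10 plays the role of the server's own address.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:3128         198.51.100.15:4556      SYN_RECV
tcp        0      0 192.0.2.10:3128         198.51.100.203:1896     SYN_RECV
tcp        0      0 192.0.2.10:3128         198.51.100.203:2366     SYN_RECV
tcp        0      0 192.0.2.10:59904        203.0.113.246:25        ESTABLISHED
tcp        0      0 192.0.2.10:3128         198.51.100.15:3582      TIME_WAIT
tcp        0      0 192.0.2.10:3128         198.51.100.203:3012     ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.7:41000       ESTABLISHED'

# count_peers PORT: read netstat -nat lines on stdin, keep TCP sockets whose
# LOCAL address ends in :PORT, strip the remote port and print
# "<count> <remote ip>" sorted so the busiest peer comes last.
count_peers() {
    awk -v p="$1" '
        $1 == "tcp" && $4 ~ (":" p "$") {
            sub(/:[0-9]+$/, "", $5)   # drop the ephemeral remote port
            print $5
        }' | sort | uniq -c | sort -n
}

# count_states PORT: same selection, but tally the TCP state column; a pile of
# SYN_RECV is the signature of a flood, ESTABLISHED of real (ab)use.
count_states() {
    awk -v p="$1" '$1 == "tcp" && $4 ~ (":" p "$") { print $6 }' | sort | uniq -c | sort -n
}

# Helpers that run the sample through the pipelines and pick out the top entry.
top_peer()      { printf '%s\n' "$SAMPLE" | count_peers  "$1" | tail -n 1 | awk '{print $2}'; }
top_peer_hits() { printf '%s\n' "$SAMPLE" | count_peers  "$1" | tail -n 1 | awk '{print $1}'; }
top_state()     { printf '%s\n' "$SAMPLE" | count_states "$1" | tail -n 1 | awk '{print $2}'; }

# Real use on the server: netstat -nat | count_peers 3128
printf '%s\n' "$SAMPLE" | count_peers 3128
printf '%s\n' "$SAMPLE" | count_states 3128
```

On the sample, 198.51.100.203 tops the peer list for port 3128 with three sockets, and SYN_RECV tops the state list; on a live box the interesting question is whether the busiest peers are inside mynetworks (the LAN the proxy is meant to serve) or strangers.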

ganfun 05-26-2010 10:47 AM

Hi

I am not familiar with the machines making connections; if you can, please provide me more info on the same.

I have kept the hostname short and not used the FQDN because if I use the FQDN, Postfix stops delivering the emails and fails with msg 421. So after a lot of experimenting this was set up and it started working.

The above code given by you is not working because I don't think I have gawk installed. Do you want me to install it?

alunduil 05-26-2010 01:09 PM

Yes, if you can run that command then we can find out who is using your mail server and see if they are using you as a spam relay or just being mean and connecting to you quite a bit.

If you add your FQDN to the /etc/hosts file does postfix work with it at that point?

Regards,

Alunduil

ganfun 05-27-2010 12:03 AM

Yes, in my /etc/hosts file I have my FQDN and Postfix is working fine.

In the meantime what I did was change the port of Squid from 3128 to a different port. Now all the attacks are gone; for the past 24 hrs it's been fine and there seems to be no issue. I guess the problem would have been that my user might be using torrents, which I have now banned.

And now the bandwidth is normal. Should I continue and wait to see if there is any problem or issue?

alunduil 05-27-2010 08:46 AM

Did you have squid accessible from the outside? If so then yes, I imagine that was the cause of your bandwidth woes. Otherwise, it may have been the torrents. To find out I would use a tool like iptraf or nettop.

Regards,

Alunduil
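
The question "was squid accessible from the outside?" can be answered from the firewall rules themselves rather than by waiting to see whether the bandwidth recovers. The script below is an added example, not code from the thread or from either poster: it scans constructed iptables -S INPUT output for ACCEPT rules that open a TCP port without any -s source or -i interface restriction, which is exactly the mistake the original poster later describes (port 3128 allowed inbound from the outside world). The 192.168.1.0/24 LAN range in the sample is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit "iptables -S INPUT" output for
# ACCEPT rules that open a TCP port to every source. The thread's problem was
# exactly this: Squid's port 3128 accepted connections from the whole internet.

# Constructed sample of "iptables -S INPUT" output; the 3128 rule without "-s"
# is the mistake, the 192.168.1.0/24 rule beneath it is the intended one
# (the LAN range is an assumption for this example).
RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT'

# open_to_world PORT: print ACCEPT rules for --dport PORT that carry neither a
# source (-s) nor an inbound interface (-i) restriction.
open_to_world() {
    awk -v p="$1" '
        $0 ~ ("--dport " p " ") && / -j ACCEPT/ && !/ -s / && !/ -i / { print }'
}

# Services that must be public (SMTP on 25 for a mail server) are expected to
# show up here; a proxy like Squid should not.
exposed_count() { printf '%s\n' "$RULES" | open_to_world "$1" | wc -l | tr -d ' '; }

# The fix in the thread was to stop accepting 3128 from outside; on the server
# that means deleting the unrestricted rule and keeping the LAN-scoped one:
#   iptables -D INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
# Here the deletion is simulated on the sample text and the check re-run.
FIXED=$(printf '%s\n' "$RULES" | grep -v -- '^-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT$')
exposed_after_fix() { printf '%s\n' "$FIXED" | open_to_world "$1" | wc -l | tr -d ' '; }

# Real use on the server: iptables -S INPUT | open_to_world 3128
printf 'rules opening 3128 to any source: %s\n' "$(exposed_count 3128)"
printf 'after removing the unrestricted rule: %s\n' "$(exposed_after_fix 3128)"
```

The check only reads rule text, so it can be run against a saved ruleset before it is loaded; pairing it with Squid's own http_port binding (listening on the LAN address only rather than on all interfaces) gives two independent layers, so a later firewall mistake does not reopen the proxy.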

ganfun 05-27-2010 11:24 PM

I guess yes; while I was working on the iptables and the security I had allowed port 3128 to the outside world, in the sense of incoming, which I have now closed.

I have even banned the torrents now so that the network is not disturbed due to all this.

I would like to thank you for the help that you have extended.