Hey Evert,

attached is the slightly adapted FwdPort (SOURCE: O'Reilly Perl Cookbook :-)

1) I tested it with Postfix and simply changed my /etc/postfix/master.cf to listen to port 20025 ... Please do so (or similar, e.g. in inetd.conf)!
2) Change the m/xyz/ to something appropriate to your problem. I suggest m/MAILER-DAEMON/ BUT THERE IS A LITTLE PITFALL: you'll never get "real" MAILER-DAEMON msgs any more - I think you can live with it ....
3) Start the script (as root) with "fwd_port.pl -l >your-machine<:25 -r localhost:20025"

Hope you get "less" mail
Kristofer

this sounds like a good idea.... gotta tell, never done this before... if you'd like to help me, i would be deeply indebted to you.
regards
-----Original Message-----
From: K.Hoelzer [mailto:suse_infos@htm-technology.com]
Sent: Saturday, November 02, 2002 11:53 AM
To: suse-security@suse.com
Subject: RE: [suse-security] DOS on sendmail daemon
CC:
Subject: Re: [suse-security] DOS on sendmail daemon
X-Mailer: POP-eye V0.174
Reply-To: kh@htm-technology.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-MailScanner: Found to be clean
X-RCPT-TO:
Status: U
X-UIDL: 334611336

Hi List,
i am having a security issue sort of, and was wondering if you know any solutions to this. Someone is bombarding my server with mail, forcing sendmail to run the max allowed child processes and start to reject requests to send mail. what techniques could i use to filter the traffic to sendmail before it actually hits the daemon, and therefore prevent the high load on it?
regards
Evert Smit
Hello Evert,
what about placing a port-forwarder between the incoming stuff (port 25) and your smtpd. (inetd-config ...)
Within the script you can scan for "MAILER-DAEMON@" or something more appropriate already during the login (HELO/EHLO .. RCPT TO a.s.o.) and simply/roughly abort the connection if needed.
This should take less system-resources than childen the whole smtpd.
There are enough script skeletons out there i think -- O'Reilly :-) If needed i can send you one ....
Regards
Kristofer Hoelzer
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
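
The filtering step described in the thread (a forwarder in front of the smtpd that scans HELO/EHLO .. RCPT TO and aborts on a match) can be sketched as below; this is an added example, not part of the thread and not the Perl Cookbook script, written in Python rather than the thread's Perl. The class name, the `final_verdict` helper, the sample sessions and all addresses are constructed for illustration.

```python
import re

# Commands of the SMTP dialogue that precede the message body.
ENVELOPE_CMDS = (b"HELO", b"EHLO", b"MAIL FROM:", b"RCPT TO:")

class EnvelopeFilter:
    """Per-connection verdict for a forwarder sitting in front of the smtpd.
    Hypothetical helper: feed() takes raw client chunks, returns "drop"/"forward".
    Simplification: inspection stops for the whole connection at the first DATA."""

    def __init__(self, pattern=rb"MAILER-DAEMON@", max_line=1024):
        self.pattern = re.compile(pattern, re.IGNORECASE)
        self.max_line = max_line
        self.buf = b""
        self.in_data = False          # True once the client has sent DATA
        self.verdict = "forward"

    def feed(self, chunk):
        if self.verdict == "drop" or self.in_data:
            return self.verdict       # already decided, or body is not scanned
        self.buf += chunk             # a command may be split across TCP chunks
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            cmd = line.strip()
            if cmd.upper() == b"DATA":
                self.in_data, self.buf = True, b""
                break
            if cmd.upper().startswith(ENVELOPE_CMDS) and self.pattern.search(cmd):
                self.verdict = "drop"  # caller closes both sockets here
                break
        if len(self.buf) > self.max_line:
            self.verdict = "drop"     # unterminated line: refuse to buffer forever
        return self.verdict

def final_verdict(chunks):
    f = EnvelopeFilter()
    verdict = "forward"
    for c in chunks:
        verdict = f.feed(c)
    return verdict

# Constructed sessions. The first splits the matching command over two chunks.
FLOOD = [b"EHLO mx.example.net\r\n", b"MAIL FROM:<mailer-",
         b"daemon@example.net>\r\n", b"RCPT TO:<evert@example.org>\r\n"]
# The second only mentions MAILER-DAEMON inside the body, after DATA.
NORMAL = [b"HELO mail.example.com\r\nMAIL FROM:<alice@example.com>\r\n",
          b"RCPT TO:<evert@example.org>\r\nDATA\r\n",
          b"From: MAILER-DAEMON@example.com\r\n\r\nhello\r\n.\r\n"]

if __name__ == "__main__":
    print(final_verdict(FLOOD), final_verdict(NORMAL))
```

As the thread notes, a pattern like this also drops any genuine message whose envelope matches it, so the pattern should be as narrow as the flood allows.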