Dovecot running wild

Hi,

On my server I have usually about 100 running processes but since yesterday evening, I suddenly went to 220 processes. I checked through the Webmin console and it turns out that I have about 125 dovecot processes (pop3-login) running. Is is a server error ? An attack from outside ? And what should I do and check ?

Thanks for your pointers.

Status: 
Active

Comments

Howdy -- chances are you're seeing a DoS attack of some sort. My recommendation would be to look in /var/log/mail.log, and look for anything unusual in there -- perhaps a bunch of incoming connection attempts from a single IP address, or maybe a bunch of invalid logins.

Once you identify the source, you can then block that IP address.

Thank you for the quick response.

Indeed, I have a whole bunch of such line : Jul 13 21:00:28 serv02host dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=, method=PLAIN, rip=209.81.90.114, lip=XXXXXX

So, how can I block this 209.81.90.114 IP ?

The fastest way to do that would be activating the Linux firewall aka. iptables. The corresponding Webmin module in the Networking section can greatly help you doing that.

In the long run, there's automated scripts to block IP addresses which repeatedly fail login attempts, like "fail2ban" and "ConfigServer security&firewall".

http://www.fail2ban.org/wiki/index.php/Main_Page

http://www.configserver.com/cp/csf.html

I have started to look into iptables but the configuration is far from obvious, so I was considering using a tool such as FireWall Builder. To use it, I need to have the interface name of the firewall. I think it is "eth0" but how can I be sure ?

OK. i found it. it is in Network Configuration

A fast/temporary way to ban an IP address would be to reject the connection at the network level. You can do that using this command:

route add -host 209.81.90.114 reject

Remember that the above would go away when you reboot. But that's probably fine, it's most likely a bot that'll be moving on to some other server.

I managed to block the IP using iptable and creating a new rule. I am now installing fail2ban. In order to receive by email the ban notifications, I noticed that fail2ban was using sendmail, so I was planning to install sendmail as well but while installing I get the following warning :

The following extra packages will be installed: m4 sendmail-base sendmail-bin sendmail-cf sensible-mda Suggested packages: sendmail-doc rmail logcheck resolvconf The following packages will be REMOVED: postfix postfix-pcre

I am a little concerned about deleting the postfix packages. Is it normal or will it affect the way the mail server is running ? In other words, is it safe to go on and installing sendmail?

By the way, are the two applications you advised (fail2ban and ConfigServer security&firewall) are supposed to work together or should I pick one or the other ?

Yeah, I wouldn't recommend installing anything that requires removing Postfix.

I wouldn't recommend the Sendmail MTA, you'd want to continue using Postfix. I know that other folks in the community use Fail2ban along with Postfix.

Although Locutus mentioned fail2ban -- that really isn't our area of expertise here at Virtualmin. If you have questions on it, you may want to open up a forum thread, where he and other users of it may be able to help out :-)

Lastly, I'll offer that Postfix installs a binary named "sendmail" in "/usr/sbin/sendmail" for compatibility purposes -- so an application that uses "sendmail" may work just fine with the Postfix or Sendmail MTA's.

Another hint at this point (yes, Eric is completely right, Postfix is compatible with the sendmail style call to send out email): Trying out dangerous things like installing packages that potentially remove some that Virtualmin needs, or configuring a potentially network-blocking firewall, can easily be "disarmed" by trying them out in a virtual machine first.

I personally have Virtualmin installed in a production and experimental VM, and anything that I remotely consider potentially problematic I try out in the experimental environment first. :)

Thank you for your comments. I suspended the installation of Sendmail and I noticed this : on my server with Debian 6, it seems to work (I receive the mails sent by fail2an), but not on the Debian 5 server. In any case, it is not too important as long as it works for its basic function, that is blocking attacks.