[GLLUG] Sendmail DoS Question
Tim Woodall
t at woodall.me.uk
Thu Oct 25 20:26:34 UTC 2018
On Wed, 24 Oct 2018, Ken Smith via GLLUG wrote:
> Hi All
>
> I've been noticing what looks like an attempt at a DoS on my mail server.
> Various hosts open sets of SSL sessions to port 465 and then sit there not
> exchanging any traffic. The server is set to allow 20 sendmail processes and
> the miscreant gets that number of sessions going effectively DoSing the
> service. Easily remedied by killing it all and restarting the daemon. I've
> adjusted sendmail's timeouts to drop these malicious sessions.
>
> The session processes get stuck looking like this in ps.
>
> sendmail: server [178.128.158.113] startup
>
> I've also set a connection limit to port 465 in iptables to reject these
> multiple sessions that appear to originate in batches from the same IP and
> then from another IP and so on.
>
> Anyone else seeing this and out of interest what mode is sendmail in when it
> shows "startup"? I've tried manually connecting and sending e-mail either in
> plain text or via ssl and don't see that status.
>
> Thanks
>
> Ken
>
I'm seeing similar - although it doesn't seem to be causing me any
issues other than rather large logs.
Just added another /24 to my evil.cidr list.
Tim.
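
Added example, not part of either message above: a short Python check that counts sendmail children sitting in the `startup` state per source IP and per /24, which is the view needed when choosing a per-IP connection limit or deciding which /24 to block. The sample `ps` text is constructed (only the first address appears in the thread); the threshold of 3, the optional-hostname pattern and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of process titles as shown by `ps`. The line format is the
# one quoted in the thread; all addresses except the first are placeholders.
SAMPLE_PS = """\
sendmail: server [178.128.158.113] startup
sendmail: server [178.128.158.113] startup
sendmail: server [178.128.158.113] startup
sendmail: server [198.51.100.7] startup
sendmail: server [198.51.100.9] startup
sendmail: server [203.0.113.5] cmd read
sendmail: accepting connections
"""

# Assumption: an optional hostname may precede the bracketed address.
STARTUP_RE = re.compile(r"sendmail: server (?:\S+ )?\[([^\]]+)\] startup\s*$")


def stuck_sessions(ps_text):
    """Return source addresses of sendmail children still in 'startup'."""
    addrs = []
    for line in ps_text.splitlines():
        m = STARTUP_RE.search(line)
        if m:
            try:
                addrs.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # bracket content was not an IP literal
    return addrs


def summarize(ps_text, per_ip_limit=3, prefix_v4=24, prefix_v6=64):
    """Count stuck sessions per IP and per enclosing network (string keys)."""
    by_ip, by_net = Counter(), Counter()
    for a in stuck_sessions(ps_text):
        prefix = prefix_v4 if a.version == 4 else prefix_v6
        by_ip[str(a)] += 1
        by_net[str(ipaddress.ip_network(f"{a}/{prefix}", strict=False))] += 1
    flagged = sorted(ip for ip, n in by_ip.items() if n >= per_ip_limit)
    return by_ip, by_net, flagged


if __name__ == "__main__":
    by_ip, by_net, flagged = summarize(SAMPLE_PS)
    for net, n in by_net.most_common():
        print(f"{n:3d} stuck in startup from {net}")
    print("at or over per-IP limit:", flagged)
```
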