cyrus 2.5 imap idle/stuck connections (DOS like)
Heiler Bemerguy
heiler.bemerguy at cinbesa.com.br
Thu Mar 7 10:11:01 EST 2019
Thank you very much, it worked perfectly.
Best Regards,
Heiler Bemerguy - CINBESA
Analista de Redes, Wi-Fi,
Virtualização e Serviços Internet
(55) 91 98151-4894
Em 07/03/2019 11:55, Ivan Kuznetsov escreveu:
> Hello
>
> iptables -A INPUT -p tcp --syn --dport 143 -m connlimit
> --connlimit-above 8 -j REJECT
>
> This will limit established imap connections to 8 per ip
>
>
> 07.03.2019 17:39, Heiler Bemerguy via Info-cyrus пишет:
>> Yes I've read imapd.conf and cyrus.conf and found no options to limit
>> connections per source IP or "idleness"..
>>
>> It means anyone can open a lot of connections to any port (143, 25,
>> 110 etc) and render the server unusable??
>>
>> I'm using Debian, so I'll try to figure out how to do that with
>> iptables.. Thanks!
>>
>>
>> Best Regards,
>>
>> Heiler Bensimon Bemerguy - CINBESA
>> Analista de Redes, Wi-Fi,
>> Virtualização e Serviços Internet
>> (55) 91 98151-4894
>>
>> Em 07/03/2019 11:25, Willem Offermans escreveu:
>>> Dear Cyrus friends and Heiler Bensimon Bemerguy,
>>>
>>> You could use your firewall to achieve this.
>>>
>>> For ipfw:
>>>
>>> ${fwcmd} add pass tcp from any to ${ip_me} imap setup limit src-addr 10
>>>
>>> You have to lookup the right syntax for your firewall.
>>>
>>> Dit you check man imapd or man cyrus, maybe there is also an option
>>> for the daemon itself, but I would prefer the firewall.
>>>
>>>
>>> Wiel Offermans
>>> Willem at Offermans.Rompen.nl <mailto:Willem at Offermans.Rompen.nl>
>>>
>>>
>>>
>>>
>>>> On 7 Mar 2019, at 14:53, Heiler Bemerguy via Info-cyrus
>>>> <info-cyrus at lists.andrew.cmu.edu
>>>> <mailto:info-cyrus at lists.andrew.cmu.edu>> wrote:
>>>>
>>>> Hail,
>>>>
>>>> I've noticed an user with ~200 open connections to cyrus imap port
>>>> (143) and, because of him, no one else could login to the server.
>>>>
>>>> I've noticed even with a single "telnet ip 143", the connection is
>>>> accepted and never ever dropped, even while still unauthenticated.
>>>>
>>>> How to stop that from happening?
>>>>
>>>> cyrus.conf:
>>>> imap cmd="imapd -U 30" listen="imap" prefork=6 maxchild=200
>>>>
>>>>
>>>> --
>>>> Atenciosamente,
>>>>
>>>> Heiler Bensimon Bemerguy - CINBESA
>>>> Analista de Redes, Wi-Fi,
>>>> Virtualização e Serviços Internet
>>>> (55) 91 98151-4894
>>>>
>>>> ----
>>>> Cyrus Home Page: http://www.cyrusimap.org/
>>>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>>>> To Unsubscribe:
>>>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>>>
>>
>>
>> ----
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>> To Unsubscribe:
>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
>>
>
More information about the Info-cyrus
mailing list