Teddys iptables

Teddy Mills teddymills-VFlxZYho3OA at public.gmane.org
Sat Nov 22 19:33:39 UTC 2003



Trust me Keith and Kevin, when I say I was not an open relay, it is a fact.

The fact that I know how to stop it is more important than knowing why I
couldn't stop it.

You might not agree with this statement, but I believe it to be true. It's
like you go to the doctor and say, "Doc, I got this disease," and he/she says,
"Well, it's terminal." iptables stops it, but I don't know why it stops it.
The doc has just bought all the time he/she needs to investigate the why.

I had very knowledgeable qmail admins guiding me to verify every setting and
do various tests. I was not an open relay.

I spent 2 weeks on qmail every day, checking every line of the installation
out, line by line. Every permission, every location of every file, system
security holes, etc. Changed all passwords, etc. I checked everything 100
times over. The qmail system is burned into my brain. rcpthosts as well as
1000 other things were checked dozens of times.

Then after enabling qmail, anywhere from 5 minutes to a day later it would
start to send hundreds of emails a minute from anywhere to anywhere.

I stopped qmail and all its processes, rm'd the entire qmail queue tree and
rebuilt it. Started up and waited for it to happen again...

qmailctl stat
ps ax |grep mail
lsof -i |grep smtp was interesting; it always had a TCP connection to a
specific IP in Asia. (That's when I started closing in on him/her/them.)
Then I started tcpdump tracing of all packets and just SMTP packets...


Nothing worked until I started adding iptables rules.


My guess is it was

1. something like a spoofed IP command to qmail.
2. a wrong file permission somewhere, or access right, either in apache,
virtualhosting, cgi-bins, dns, etc.
3. But wherever the problem was, it sure is not a misconfigured qmail
or qmail tool.


Here's the stripped log...

218.70.8.186::3292
tcpserver: pid 2230 from 218.70.8.186
tcpserver: ok 2230 x.x.x.x 218.70.8.186::3462
----- Original Message -----
From: "Kevin Cozens" <kcozens-qazKcTl6WRFWk0Htik3J/w at public.gmane.org>
To: <tlug-lxSQFCZeNF4 at public.gmane.org>
Sent: Saturday, November 22, 2003 1:44 PM
Subject: Re: [TLUG]: Teddys iptables firewall script needs tweaking


> At 03:06 AM 11/22/2003 -0500, teddy mills wrote:
> >I was not an open relay, but somehow someone from Asia found a way to use my
> >qmail as an open relay
> >teddy mills
>
> If someone was able to use your machine as an open mail relay and you are
> using Qmail, there is something very wrong with the configuration of your
> Qmail system. While it is a good thing to review your firewall settings,
> that is not the way to stop people from using your machine to relay mail.
> You need to look at how your Qmail is configured.
>
> The likely reason for Qmail acting as an open relay is you do not have an
> rcpthosts file in your /etc/qmail/control directory (or it may be under
> /var instead of /etc depending on how Qmail was installed).
>
> The rcpthosts file should contain a series of lines with one domain name on
> each line. The lines in this file are the list of domains for which Qmail
> will accept mail. IIRC, without this file, Qmail will accept mail for all
> domains. If the file is 0 bytes long, it will refuse mail regardless of the
> domain in the To: lines.
>
> There is usually a config and config-fast program in /var/qmail/bin which
> should be run when Qmail is first installed to set up the basic
> configuration files needed by Qmail.
>
>
> Cheers!
>
> Kevin.  (http://www.interlog.com/~kcozens/)
>
> Owner of Elecraft K2 #2172        |"What are we going to do today, Borg?"
> E-mail:kcozens at interlog dot com|"Same thing we always do, Pinkutus:
> Packet:ve3syb-XXPEJ3/fxIc at public.gmane.org#con.on.ca.na|  Try to assimilate the world!"
> #include <disclaimer/favourite>   |              -Pinkutus & the Borg
>
> --
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>
>

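The rcpthosts behaviour Kevin describes above (file missing: mail accepted for every domain; 0-byte file: all mail refused; otherwise one domain per line), modelled in Python as an added example. This is not code from the thread or from qmail itself; the control-file path is an assumption (Kevin notes it may live under /var instead), and the leading-dot wildcard handling goes one step beyond what the thread states.

```python
from typing import Optional

def load_rcpthosts(path: str) -> Optional[list]:
    """Read a qmail rcpthosts control file. Returns None if the
    file is absent (qmail then accepts mail for every domain, i.e.
    an open relay), else the parsed entries (possibly [])."""
    try:
        with open(path, encoding="ascii", errors="replace") as f:
            return parse_rcpthosts(f.read())
    except FileNotFoundError:
        return None

def parse_rcpthosts(text: str) -> list:
    """One domain per line; blank lines ignored, case folded."""
    return [ln.strip().lower() for ln in text.splitlines() if ln.strip()]

def rcpt_allowed(entries: Optional[list], recipient: str) -> bool:
    """Would qmail-smtpd accept RCPT TO:<recipient>?
    entries=None models a missing rcpthosts, [] a 0-byte file.
    Beyond Kevin's description this also applies qmail's ".dom"
    wildcard lines, which match any subdomain of dom.
    (qmail-smtpd skips this check entirely when the RELAYCLIENT
    environment variable is set for the connection.)"""
    if entries is None:
        return True                  # no file: any domain accepted
    if "@" not in recipient:
        return True                  # no host part: treated as local
    domain = recipient.rsplit("@", 1)[1].lower()
    allowed = set(entries)
    if domain in allowed:
        return True
    # ".example.com" matches mail.example.com but not example.com itself
    labels = domain.split(".")
    return any("." + ".".join(labels[i:]) in allowed
               for i in range(1, len(labels)))

def relay_risk(entries: Optional[list]) -> str:
    """Summarise the relay posture implied by the rcpthosts contents."""
    if entries is None:
        return "OPEN RELAY: rcpthosts missing, mail for any domain accepted"
    if not entries:
        return "CLOSED: rcpthosts empty, all inbound mail refused"
    return f"RESTRICTED: accepting mail for {len(entries)} listed domain(s)"

if __name__ == "__main__":
    # Path is an assumption; Kevin notes it may be under /var instead.
    print(relay_risk(load_rcpthosts("/etc/qmail/control/rcpthosts")))
```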