Date:      Sat, 11 Jan 2003 15:09:30 +0100
From:      dirk.meyer@dinoex.sub.org (Dirk Meyer)
To:        freebsd-isp@FreeBSD.ORG, vishal@southernonline.net (Vishal Gandhi Kommineni)
Subject:   Re: Sendmail ignoring hosts.allow
Message-ID:  <wyUgjpNqgM@dmeyer.dinoex.sub.org>
References:  <3E1AA183.1060604@saudi.net.sa>

Rayed Al-Rashed wrote:

> Our mail server was under DOS attack, and I was trying to stop the new 
> connections using /etc/hosts.allow but I couldn't do it.
> The entry in /etc/hosts.allow:
>   sendmail : xx.xx.xx.xx : DENY
> and I even tried:
>   ALL : ALL : DENY
> but still doesn't work, I installed sendmail from the port, and I also 
> checked tcpwrapper support:

I checked myself and /etc/hosts.allow is checked after the connection
has been established:

$ telnet test 25
Connected to test.
Escape character is '^]'.
220 xxxxxxxxxxxxxxxxxx ESMTP Sendmail 8.12.6/8.12.5; Sat, 11 Jan 2003 13:29:01 +0100 (CET)
EHLO fqdn.com
550 5.0.0 Access denied
QUIT
221 2.0.0 xxxxxxxxxxxxxxxxxx closing connection
Connection closed by foreign host.

Connect from an IP that is denied in /etc/hosts.allow
and see if you get "550 5.0.0 Access denied" too.

It does not keep sendmail from forking, but
forking is relatively cheap on FreeBSD.

You might like to configure some limits with:

confCONNECTION_RATE_THROTTLE ConnectionRateThrottle
                                        [undefined] The maximum number of
                                        connections permitted per second per
                                        daemon.  After this many connections
                                        are accepted, further connections
                                        will be delayed.  If not set or <= 0,
                                        there is no limit.

confREFUSE_LA           RefuseLA        [varies] Load average at which
                                        incoming SMTP connections are
                                        refused.  Default values is (12 *
                                        numproc) where numproc is the
                                        number of processors online (if
                                        that can be determined).

confDELAY_LA            DelayLA         [0] Load average at which sendmail
                                        will sleep for one second on most
                                        SMTP commands and before accepting
                                        connections.  0 means no limit.


kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
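The check Dirk suggests (connect from a denied address and look for "550 5.0.0 Access denied" on EHLO) can be scripted so it is repeatable after a configuration change. The following is an added example, not code from the mail or from the sendmail project: it classifies a session from the banner and EHLO reply codes, which is what distinguishes a tcpwrapper denial applied after accept() (220 banner, then 550) from a connection that was refused before the banner. The hostname `mx.example`, the HELO name `probe.example` and the transcript lines are constructed for the example; the reply codes and the "Access denied" text are the ones shown in the mail.

```python
"""Classify how a sendmail listener treats a session: accepted, refused
before the banner, or denied after the connection was established
(the /etc/hosts.allow behaviour described in the mail)."""
import smtplib


def parse_reply_code(line):
    """Return the 3-digit SMTP reply code at the start of a server line,
    or None for client lines such as 'EHLO ...' or 'QUIT'."""
    if len(line) >= 3 and line[:3].isdigit():
        return int(line[:3])
    return None


def classify(banner_code, ehlo_code):
    """Map the (banner, EHLO reply) codes to what the MTA did.

    None, *     -> 'refused'               no banner: connection not accepted
    220, 550    -> 'denied_after_connect'  accept() succeeded, access check ran later
    220, 250    -> 'accepted'              normal ESMTP session
    anything else -> 'other'
    """
    if banner_code is None:
        return "refused"
    if banner_code == 220 and ehlo_code == 550:
        return "denied_after_connect"
    if banner_code == 220 and ehlo_code == 250:
        return "accepted"
    return "other"


# Constructed transcript mirroring the session quoted in the mail
# (server lines carry a reply code, client lines do not).
SAMPLE_TRANSCRIPT = [
    "220 mx.example ESMTP Sendmail 8.12.6/8.12.5; Sat, 11 Jan 2003 13:29:01 +0100 (CET)",
    "EHLO fqdn.com",
    "550 5.0.0 Access denied",
    "QUIT",
    "221 2.0.0 mx.example closing connection",
]


def classify_transcript(lines):
    """Classify a captured telnet-style session: the first server reply is
    the banner, the second is the reply to EHLO."""
    codes = [c for c in (parse_reply_code(line) for line in lines) if c is not None]
    banner = codes[0] if codes else None
    ehlo = codes[1] if len(codes) > 1 else None
    return classify(banner, ehlo)


def probe(host, port=25, helo_name="probe.example", timeout=10):
    """Live check (needs network access): open a session to host:port,
    send EHLO, QUIT, and classify the result. Run it from an address that
    /etc/hosts.allow denies to confirm the post-accept 550 behaviour."""
    try:
        conn = smtplib.SMTP(timeout=timeout)
        banner_code, _ = conn.connect(host, port)   # returns (code, msg)
    except OSError:
        return "refused"
    ehlo_code, _ = conn.ehlo(helo_name)              # returns (code, msg)
    try:
        conn.quit()
    except smtplib.SMTPException:
        pass
    return classify(banner_code, ehlo_code)


if __name__ == "__main__":
    # Offline: classify the constructed transcript; expected 'denied_after_connect'.
    print(classify_transcript(SAMPLE_TRANSCRIPT))
    # Online example (uncomment and point at your own MTA):
    # print(probe("mx.example"))
```

A result of `denied_after_connect` confirms the point of the mail: the TCP handshake and the banner have already happened before the tcpwrapper rule is consulted, so hosts.allow stops mail from the address but not the connection itself, which is why the rate and load limits that follow are the relevant knobs against a connection flood.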

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?wyUgjpNqgM>