Topic: Too many connections: 40 >= 40. Waiting one second.

[ltc6netspec]

I have major issues with server slow down. Ram & Swap file Max out.

Using both RBL & SBL list

Made change to both Concurrencies to 30

I have 1400 USERS

Thanks for the help

This is the QPSMTPD log

dnsbl plugin: RBLSMTPD not set for 64.127.111.189
2006-08-16 20:30:40.138939500 3932 trying to get config for dnsbl_allow
2006-08-16 20:30:40.160984500 3932 trying to get config for dnsbl_zones
2006-08-16 20:30:40.162870500 3932 dnsbl plugin: Checking 189.111.127.64.dnsbl.sorbs.net for TXT record in the background
2006-08-16 20:30:40.306959500 3932 dnsbl plugin: Checking 189.111.127.64.bl.spamcop.net for TXT record in the background
2006-08-16 20:30:40.308956500 3932 dnsbl plugin: Checking 189.111.127.64.relays.ordb.org for TXT record in the background
2006-08-16 20:30:40.310871500 3932 dnsbl plugin: Checking 189.111.127.64.dnsbl.njabl.org for TXT record in the background
2006-08-16 20:30:40.312895500 3932 dnsbl plugin: Checking 189.111.127.64.whois.rfc-ignorant.org for TXT record in the background
2006-08-16 20:30:40.314887500 3932 dnsbl plugin: Checking 189.111.127.64.sbl-xbl.spamhaus.org for TXT record in the background
2006-08-16 20:30:40.317263500 3932 Plugin dnsbl, hook connect returned DECLINED,
2006-08-16 20:30:40.317551500 3932 trying to get config for smtpgreeting
2006-08-16 20:30:40.318101500 3932 220 roe20.roe20.k12.il.us ESMTP
2006-08-16 20:30:40.318477500 3932 trying to get config for timeoutsmtpd
2006-08-16 20:30:40.318790500 3932 trying to get config for timeout
2006-08-16 20:30:40.811928500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:45.598017500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:45.598019500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:45.598020500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:45.598022500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:45.834926500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:46.839732500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:47.842528500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:48.845581500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:49.848094500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:50.849905500 3747 Too many connections: 40 >= 40.  Waiting one second.
2006-08-16 20:30:51.099546500 3871 Plugin check_goodrcptto, hook rcpt returned DECLINED,
2006-08-16 20:30:51.131040500 3871 running plugin (rcpt): rcpt_ok

[ltc6netspec]

I've been hacked.  Have to rebuild the server.  

Thanks for looking.

[byte]

I would contact security@contribs.org

[ltc6netspec]

I rebuilt the server with a very good password.


I'm being hit with alot of spam and either earlytalker or QPSMTPD can not handle above 40 connections that what the log above shows.  So how do I disable earlytalker or any other suggestions.


Thanks for answering.

[ltc6netspec]

Hi all,

Well, I am now at the point of denial of service.  I have pulled the plug and rebooted the machine, then plugged it back in.  The machine gets hammered again.

Help anyone, Thanks

[ltc6netspec]

Is SME 7 using a verison of IPLimit to try and prevent denial of service?  Is that why I'm seeing 40 == 40 in the qpsmtpd log?

[mmccarn]

I, too, am being hammered by useless connections to qpsmtpd.

I suspect I'm being attacked by some sort of reverse-tarpit denial of service attack - my system shows 227 connections to port 25, of which 71 are in state SYN_RECV, 143 are in state CLOSE_WAIT and only 13 are ESTABLISHED.

When this happened last week I added all of the actively connected hosts to the smtpd DenyHosts list and that seemed to take care of it... until this morning.

If I run "tcpdump -i eth1 port 25" all of the packets captured show 0 byte length.

Many of the remote hosts are listed in the RBL services that I have configured, but they are allowed to connect before the RBL check is performed, letting them eat up smtp connections despite being known spammers.

Does anyone know of a script that will automatically maintain the DenyHosts list, or of any other way to kill do-nothing connections once they are recognized?

[raem]

ltc6netspec

>...Is that why I'm seeing 40 == 40 in the qpsmtpd log?

config show smtpd

smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=disabled
    Proxy=enabled
    TCPPort=25
    TCPProxyPort=25
    VirusScan=disabled
    access=public
    status=enabled
    tnef2mime=enabled

Try changing the value in the config db
config setprop smtpd Instances xx
signal-event email-update

[raem]

ltc6netspec

> I rebuilt the server with a very good password.

I'd also be looking carefully at any web apps you have installed and upgrading them immediately, or you will probably get hacked again.
They are more likely to be the source of breakins.

[exocet]

how did you know you were hacked?

Today I also get

==> qpsmtpd/current <==
@4000000045b725621dd0ddac 3482 Too many connections: 40 >= 40.  Waiting one second.
@4000000045b725631dfb9b14 3482 Too many connections: 40 >= 40.  Waiting one second.

I saw there was a big (13Mb) mail from a network user coming thru, could this cause the problem also?

[mmccarn]

The system I had that was giving me the "40 >= 40" errors in October continued misbehaving until I disabled SBL *and* Spamassassin - probably because it only has 192MB RAM.