connection limitation problem with iptables

l0ngb1t
Fame ! Where are the chicks?!
Posts: 598
Joined: 15 Apr 2009, 16:00

connection limitation problem with iptables

Post by l0ngb1t »

hey

I am facing a weird issue: I have a mail server on which I decided to limit the number of connections to port 25 using iptables by applying the following rule

Code:

-A INPUT -p tcp -i eth0 --syn --dport 25 -m connlimit --connlimit-above 5 -j REJECT

I was checking the netstat output and I noticed that I have more than 60 connections in TIME_WAIT state from the same IP.
Any idea how this might happen, and why the connections could end up in TIME_WAIT status? Should I worry about a possible attack?
There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly. "The Jester"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: connection limitation problem with iptables

Post by bad_brain »

Have a look at /var/log/mail.log to see what actually happened.
It's also not a good idea to try using the firewall for such issues; it's always better to do that in the service configuration directly. What mail service are you using? Postfix or Exim (hoping it's Postfix because Exim config is sucky)?
In Postfix you have the smtpd_client_connection_count_limit and smtpd_client_connection_rate_limit directives, for example.

In general such attempts are nothing unusual, but it's still good to block them (or at least slow them down); my experience has shown it leads to more and more attempts if you don't.

l0ngb1t

Re: connection limitation problem with iptables

Post by l0ngb1t »

They are using Exim...
I'll try to limit the connections from the Exim configuration. Thanks for the advice, B_B.

bad_brain

Re: connection limitation problem with iptables

Post by bad_brain »

It's been ages since I have used Exim, so I can't quickly whip out the needed config, but have a look at #37 here:
http://www.exim.org/exim-html-current/d ... lists.html

I also recommend having a look at fail2ban, which enables you to ban IP addresses based on logged incidents (like failed login attempts); it can be configured for pretty much every service:
http://www.fail2ban.org/

:wink:

l0ngb1t

Re: connection limitation problem with iptables

Post by l0ngb1t »

Thanks B_B.
I already did some searching on how it's done and I will read your links as well.
Meanwhile, I am more interested in how I ended up with all those TIME_WAIT connections even when I was not allowing more than 6 connections per IP.

I will read more about TCP connection states and post the result here.

bad_brain

Re: connection limitation problem with iptables

Post by bad_brain »

Well, notice the --syn switch: this rule applies to SYN requests that initiate a connection. This means I can do 5 such requests at the same time; at the 6th one the rule kicks in.
But a connection in TIME_WAIT status is actually no connection anymore; the socket is just in a "let's wait a bit, maybe more data is coming for this socket, then I'll use it again" state.

So I can establish 5 connections, drop them, make 5 new connections with SYN requests, drop them again, and voila: 10 times TIME_WAIT without triggering the iptables rule... the rule would only be triggered when 5 connections are still active.

:wink:
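To make the distinction concrete, here is an added example (not from the thread or any poster) that parses `netstat -tn` output, counts entries per source IP on port 25, and separates TIME_WAIT leftovers from entries that still count toward the rule's --connlimit-above 5. The netstat lines are constructed, and treating only TIME_WAIT as "no connection anymore" is an assumption taken from the explanation above.

```python
from collections import Counter, defaultdict

SMTP_PORT = 25
CONNLIMIT_ABOVE = 5          # the thread's rule: -m connlimit --connlimit-above 5
DEAD_STATES = {"TIME_WAIT"}  # assumption: only TIME_WAIT is "no connection anymore"

# Constructed `netstat -tn` output: 198.51.100.7 holds 2 live sessions plus
# 8 TIME_WAIT leftovers; 203.0.113.5 holds 6 live sessions at once.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:25           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40113      ESTABLISHED
""" + "".join(
    f"tcp        0      0 192.0.2.10:25           198.51.100.7:{40120 + i}      TIME_WAIT\n"
    for i in range(8)
) + "".join(
    f"tcp        0      0 192.0.2.10:25           203.0.113.5:{51000 + i}       ESTABLISHED\n"
    for i in range(6)
) + "tcp6       0      0 ::ffff:192.0.2.10:22    ::ffff:203.0.113.5:6000 ESTABLISHED\n"

def parse_netstat(text, local_port=SMTP_PORT):
    """Yield (source_ip, state) for TCP entries whose local port is local_port."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # banner, column header, UDP, or no State column
        if int(fields[3].rsplit(":", 1)[1]) == local_port:
            yield fields[4].rsplit(":", 1)[0], fields[5]

def per_source_counts(text, local_port=SMTP_PORT):
    """Map source IP -> Counter of socket states seen on local_port."""
    counts = defaultdict(Counter)
    for src, state in parse_netstat(text, local_port):
        counts[src][state] += 1
    return counts

def live_connections(states):
    """Entries that still occupy a connection slot (what the limit is measured against)."""
    return sum(n for state, n in states.items() if state not in DEAD_STATES)

def sources_over_limit(counts, limit=CONNLIMIT_ABOVE):
    """Sources whose live count exceeds the limit the rule is meant to enforce."""
    return sorted(src for src, st in counts.items() if live_connections(st) > limit)

if __name__ == "__main__":
    counts = per_source_counts(SAMPLE_NETSTAT)
    for src, st in sorted(counts.items()):
        print(f"{src:15} total={sum(st.values()):2} live={live_connections(st)}")
    print("over limit:", sources_over_limit(counts))
```

Run against real output with `netstat -tn | python3 this_script.py`-style plumbing or by replacing SAMPLE_NETSTAT; a source with a high total but a low live count is exactly the pattern the thread describes.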

l0ngb1t

Re: connection limitation problem with iptables

Post by l0ngb1t »

Thank you, B_B.

This link helped as well: http://dev.fyicenter.com/Interview-Ques ... tate_.html