Eric,

We are running the standard setup with iptables (see config below). We also have in place a Cisco 800 Series Router. The firewall part is not really my thing; can you give me some pointers?
Cheers

# Generated by iptables-save v1.3.5 on Tue Jun 29 01:43:23 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [6:1052]
-A INPUT -i eth0 -f -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 224.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 0.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 255.255.255.255 -i ! lo -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -s 221.240.0.102 -i ! lo -j DROP
-A INPUT -s 203.215.94.193 -i ! lo -j DROP
-A INPUT -s 218.71.137.68 -i ! lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 902 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Jun 29 01:43:23 2010

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Thursday, 13 January 2011 9:55 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Apache issues

On 01/12/2011 03:16 PM, Mike Canty wrote:
> To all,
>
> I have a server that is having some problems with some "apache"
> services. The machine appears to have a runaway process that takes up
> just over 20% of the CPU, but this is enough to stop all mail and to a
> certain extent network as well.
>
> The problem for me is this machine is at a remote site. When this
> process runs away, I cannot connect to the network remotely; to resolve
> the issue, I need to get someone internally to log on to the server
> itself and kill the process.
>
> When I say "Apache", that is the user listed against the process, so it
> must be some form of web service. The command at fault is either "std" or
> "s", although I have seen a "perl" command giving issues as well, but
> not to the same effect.
>
> Does anyone have any idea what may be causing this? Or what I can do to
> rectify?
>
> Cheers
>
> Mike Canty
>

From what you've said, it sounds a little like a DoS attack. It sounds as
though the problem process is saturating the network. What sort of firewall,
internal to QMT as well as external, is involved?

-- 
-Eric 'shubes'

---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
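The two things a firewall review of the posted config would turn up, as an added example that is not part of the original post or of QmailToaster's own tooling: the INPUT chain is tight, but OUTPUT accepts any NEW connection from any local user, so a process running as "apache" can open as many outbound connections as it likes and nothing is logged either way. The POSIX sh script below reads an iptables-save dump (RULES_DUMP is a constructed excerpt of the config above, with fewer ports), reports the inbound TCP ports accepted, flags the unrestricted egress and the missing LOG rules, and prints an owner-matched egress chain for the apache user. The chain name APACHE_OUT, the log prefix and the 5/min rate limit are assumptions; the iptables commands are printed, never applied.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump for
# the gaps that matter when a process owned by "apache" runs wild, and emit a
# hardened OUTPUT fragment. Runs offline: RULES_DUMP is a constructed excerpt
# of the posted config, and the iptables commands are printed, not executed.

RULES_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [6:1052]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

# Inbound TCP ports with an ACCEPT rule, numerically sorted, space separated.
open_tcp_ports() {
    printf '%s\n' "$RULES_DUMP" \
      | sed -n 's/^-A INPUT -p tcp .*--dport \([0-9][0-9]*\) .*-j ACCEPT$/\1/p' \
      | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# True (exit 0) if OUTPUT accepts NEW connections without pinning them to a
# destination port or a socket owner, i.e. any local user can reach anything.
egress_unrestricted() {
    printf '%s\n' "$RULES_DUMP" \
      | grep -- '^-A OUTPUT ' \
      | grep -- '--state [A-Z,]*NEW' \
      | grep -- '-j ACCEPT' \
      | grep -v -e '--uid-owner' -e '--dport' \
      | grep -q .
}

# True if at least one rule logs; without it, DROP/REJECT decisions are invisible.
has_logging() {
    printf '%s\n' "$RULES_DUMP" | grep -q -- '-j LOG'
}

# Egress fragment for the apache user. The owner match only exists in OUTPUT
# (and POSTROUTING) and only sees locally generated packets that have a socket
# owner, which is exactly the case for a runaway web-tier process.
egress_hardening_rules() {
    cat <<'EOF'
# New connections from the web-tier user go through APACHE_OUT; put targeted
# ACCEPTs for legitimate destinations at the top of it before the REJECT.
iptables -N APACHE_OUT
iptables -A APACHE_OUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "APACHE_EGRESS_BLOCKED: "
iptables -A APACHE_OUT -j REJECT --reject-with icmp-port-unreachable
# Position 2: after the existing "-A OUTPUT -o lo -j ACCEPT", ahead of the
# blanket "--state NEW,ESTABLISHED -j ACCEPT" that currently lets anything out.
iptables -I OUTPUT 2 -m owner --uid-owner apache -m state --state NEW -j APACHE_OUT
EOF
}

echo "Inbound TCP ports accepted: $(open_tcp_ports)"
if egress_unrestricted; then
    echo "FINDING: OUTPUT accepts any NEW connection from any local user"
fi
if has_logging; then
    echo "ok: LOG rules present"
else
    echo "FINDING: no LOG rule; dropped and rejected traffic leaves no trace"
fi
echo "Suggested egress fragment (printed only, not applied):"
egress_hardening_rules
```

The `-m limit` in front of the LOG target matters here: a process that is already saturating the link would otherwise fill /var/log/messages as fast as it fills the wire. The log lines name the destination the "std"/"s" process is talking to, which is the first thing you want to know before deciding whether it is a runaway script or something planted under the apache account. None of this stops the CPU from being pegged; it stops the box being used as a packet source and keeps SSH (port 22, already accepted inbound) reachable so the process can be killed remotely.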