Mailserver ideas?

Anyone familiar with sendmail? Sunday I updated the /etc/mail/access to allow users from a new IP block to relay mail through the mailserver.
This morning I noticed no one can send new mail, and no errors are being generated. Checked the log and someone had a bx over 2.4 Gigs, and doing a ps -aux discovered they were sending millions of mails.
Killed them, but I still can't send a mail to myself or anyone on the machine!
Did I get hacked???

[quote="herbie_popnecker"]Anyone familiar with sendmail? Sunday I updated the /etc/mail/access to allow users from a new IP block to relay mail through the mailserver.
This morning I noticed no one can send new mail, and no errors are being generated. Checked the log and someone had a bx over 2.4 Gigs, and doing a ps -aux discovered they were sending millions of mails.
Killed them, but I still can't send a mail to myself or anyone on the machine!
Did I get hacked???[/quote]

Check your mail queue, is it full of messages? I wouldn't say you got hacked but someone is flooding your mail server. Did you allow the entire IP block to relay? Or do they have to authenticate?

I inherited a setup where you don't have to log on to send, but only certain domains & IP blocks are allowed. Stopped the flood, but mail sent to yourself goes nowhere and /var/spool/mail name_of_recipient stays at 0 bytes…
You can send to another domain, but not to the server domain so I dunno if the problem is with relaying at all.
As for allowed IPs, yes I allowed the whole class C…
xxx.xxx.xxx
I don't know how to restrict to a range. I'd like to restrict to IPs 1 to 64 on one, 194 to 250 on another, etc.

[quote="herbie_popnecker"]I inherited a setup where you don't have to log on to send, but only certain domains & IP blocks are allowed. Stopped the flood, but mail sent to yourself goes nowhere and /var/spool/mail name_of_recipient stays at 0 bytes…
You can send to another domain, but not to the server domain so I dunno if the problem is with relaying at all.
As for allowed IPs, yes I allowed the whole class C…
xxx.xxx.xxx
I don't know how to restrict to a range. I'd like to restrict to IPs 1 to 64 on one, 194 to 250 on another, etc.[/quote]

Which version of sendmail? I believe sendmail's access can be set up for CIDR blocks.

So:

192.168.1.0/26 would do 1-64

194 to 250 is not a proper CIDR boundary so the closest you could do is:

192.168.1.192/26

No errors in the mail log at all? No bounce messages from sendmail when you try to send mail to yourself?
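An added helper (not from anyone in this thread) that works out which CIDR blocks cover an arbitrary host range such as 1-64 or 194-250, and then writes them out as sendmail access-map `Connect:` lines. It assumes the standard access_db syntax, where an IP key is matched as a dotted-octet prefix, so only blocks on an octet boundary (/8, /16, /24, /32) collapse to one line and anything else is written host by host; the 192.168.1.x addresses are constructed examples.

```python
import ipaddress


def cidr_blocks(first, last):
    """Smallest set of CIDR blocks that exactly covers first..last (inclusive)."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def access_entries(first, last, action="RELAY"):
    """sendmail access-map lines granting `action` to every host in first..last.

    Assumes the usual access_db prefix matching: a key like 192.168.1 matches
    the whole class C, but there is no CIDR syntax, so a block that does not
    end on an octet boundary has to be enumerated one address per line.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    lines = []
    for net in ipaddress.summarize_address_range(start, end):
        if net.prefixlen == 0:
            raise ValueError("refusing to relay for the entire address space")
        if net.prefixlen % 8 == 0:
            # /8, /16, /24, /32: keep only the leading octets as the prefix key
            octets = str(net.network_address).split(".")[: net.prefixlen // 8]
            lines.append(f"Connect:{'.'.join(octets)}\t{action}")
        else:
            # e.g. a /27 or /31: no prefix form exists, list every address
            for host in net:
                lines.append(f"Connect:{host}\t{action}")
    return lines


if __name__ == "__main__":
    for rng in (("192.168.1.1", "192.168.1.64"), ("192.168.1.194", "192.168.1.250")):
        print(rng, "->", cidr_blocks(*rng))
    print("\n".join(access_entries("192.168.1.0", "192.168.1.255")))
```

Relaying for the whole class C still comes out as the single line `Connect:192.168.1 RELAY`, while 1-64 and 194-250 each expand to a per-host list because neither range sits on a single CIDR boundary.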

Yeah, I found entries in the log/secure…
Somehow the hosts.allow was set blank, and allowed open ssh access. Someone from an IP at USC found a user with an easily guessable password (simple name, name as passwd!) and r00ted us.
We've given up trying to fix it, because the executable has to be in one of the services' code, and we're gonna move the users over to our better server (we were planning to do this later in the week). Once I move the RADIUS from the box we'll do an autopsy. Made sure the new server's locked up tighter than a …

EDIT: Never found an installation that allowed open access by default! The hosts.deny was blank instead of ALL:ALL.