
Re: [cobalt-users] Mailscanner for RAQ3/4 pkg available



On Thu, 18 Jul 2002, Webmaster : Beyond2K wrote:

> > Uninstall mailscanner using the cobalt pkg uninstall routine and it will
> > automatically change syslog back to the original settings.
> >
> > I would be surprised if this however is what is causing the cpu problem.
>
> You are of course correct. Mailscanner is working fine - as is syslogd.
>
> The syslogd high CPU usage is being caused by ipchains blocking ports 137 and 138 and syslog writing an entry in /var/log/kernel
> every time it rejects. This in itself is not causing the problem - just the frequency I think? Most of my servers have a kernel log of
> around 2 meg a day - this server managed 40 meg in 4 hours last night :/
>
> It seems someone's box at our host may be compromised as we are getting 10-20 rejections (input) written in the log every second
> (with ipchains on) from 1 IP. Unless there is another explanation for accessing port 137/138?
>
> What's the best way of blocking this IP anyway? Have looked in the archives and done the following so far.
> 1) Ipchains does work but the syslogd CPU problem is a bit unbearable.
> 2) Portsentry (1.1-fr5 pkg version) is installed and running - no effect.
> 3) I've added the IP to hosts.deny and restarted inet - no effect.
> 4) /sbin/route add -host <ip-address> reject - no effect.
>

See if you can get your ISP to block him at a router.
You can't stop him any other way, other than cutting the ethernet
cable.
BTW those ports are used for Microsoft networking and Samba.

--
Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx>
http://frontstreetnetworks.com | Website Hosts & SOHO Networks
229 Front Street, Ste.#C, New Haven, CT. 06513 United States
voice +1 302-785-0699 | fax +1 203-785-1787
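
Added example, not part of the original thread: a small script that tallies ipchains rejections per source address from the kernel log and reports the per-second rate and destination ports, which is the evidence an ISP will want before filtering a host upstream. It assumes the standard ipchains `-l` "Packet log:" line layout; the sample lines and addresses are constructed, the function names are hypothetical, and the year is supplied as a parameter because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout of an ipchains "-l" entry:
# Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) \S+ PROTO=\d+ "
    r"(?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+)")

# Constructed sample (documentation addresses), not taken from the thread.
SAMPLE = """\
Jul 18 03:12:01 raq kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:137 198.51.100.7:137 L=78 S=0x00 I=1 F=0x0000 T=128 (#3)
Jul 18 03:12:01 raq kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:138 198.51.100.7:138 L=229 S=0x00 I=2 F=0x0000 T=128 (#4)
Jul 18 03:12:02 raq sendmail[812]: constructed unrelated line, ignored by the parser
Jul 18 03:12:02 raq kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:137 198.51.100.7:137 L=78 S=0x00 I=3 F=0x0000 T=128 (#3)
Jul 18 03:12:02 raq kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:138 198.51.100.7:138 L=229 S=0x00 I=4 F=0x0000 T=128 (#4)
Jul 18 03:12:02 raq kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4021 198.51.100.7:22 L=60 S=0x00 I=5 F=0x4000 T=52 (#7)
"""

def summarize(lines, year=2002):
    """Per-source hit count, first/last timestamp and destination ports."""
    stats = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "ports": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["target"] not in ("DENY", "REJECT"):
            continue  # not an ipchains rejection
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = stats[m["src"]]
        s["hits"] += 1
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
        s["ports"].add(int(m["dport"]))
    return stats

def noisy_sources(lines, min_rate=2.0):
    """Sources rejected at >= min_rate entries per second, busiest first."""
    out = []
    for src, s in summarize(lines).items():
        # Syslog has one-second resolution, so count the span inclusively.
        seconds = (s["last"] - s["first"]).total_seconds() + 1
        rate = s["hits"] / seconds
        if rate >= min_rate:
            out.append((src, s["hits"], round(rate, 1), sorted(s["ports"])))
    return sorted(out, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for row in noisy_sources(SAMPLE.splitlines()):
        print(row)
```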