concurrency rate limit

concurrency rate limit

lists@lazygranch.com
I'm wondering if I have my rate limiting set up correctly. Note I have
that perl script that sniffs out dynamic IP addresses, so I am not sure
how this user is even getting concurrent connections.

From the main.cf:
smtpd_client_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
  reject_unknown_reverse_client_hostname,
  check_client_access hash:/etc/postfix/spamsources
smtpd_sender_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unknown_address,
  check_sender_access hash:/etc/postfix/spamsources
smtpd_relay_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_policy_service unix:private/policy
#lines added after hacker attack
smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 6
smtpd_client_connection_rate_limit = 3
smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 3
smtpd_client_new_tls_session_rate_limit = 3
smtpd_client_recipient_rate_limit = 40
smtpd_recipient_limit = 20


From the maillog:
Jan 10 08:39:32 mydomain postfix/smtpd[29789]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29789]: warning: Connection concurrency limit exceeded: 4 from unknown[121.238.5.110] for service smtp
Jan 10 08:39:32 mydomain postfix/smtpd[29789]: disconnect from unknown[121.238.5.110] commands=0/0
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: warning: hostname 110.5.238.121.broad.nt.js.dynamic.163data.com.cn does not resolve to address 121.238.5.110: Name or service not known
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: warning: Connection concurrency limit exceeded: 4 from unknown[121.238.5.110] for service smtp
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: disconnect from unknown[121.238.5.110] commands=0/0
Jan 10 08:39:32 mydomain postfix/smtpd[29786]: lost connection after AUTH from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29786]: disconnect from unknown[121.238.5.110] ehlo=1 auth=0/1 commands=1/2
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: warning: hostname 110.5.238.121.broad.nt.js.dynamic.163data.com.cn does not resolve to address 121.238.5.110: Name or service not known
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: warning: Connection rate limit exceeded: 10 from unknown[121.238.5.110] for service smtp
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: disconnect from unknown[121.238.5.110] commands=0/0
Jan 10 08:39:32 mydomain postfix/smtpd[29785]: warning: hostname 110.5.238.121.broad.nt.js.dynamic.163data.com.cn does not resolve to address 121.238.5.110: Name or service not known
Jan 10 08:39:32 mydomain postfix/smtpd[29785]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29785]: warning: Connection rate limit exceeded: 11 from unknown[121.238.5.110] for service smtp
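
A small parser for the smtpd(8) lines above, added here as an example and not part of the thread. It counts, per client IP, the connects, the two anvil(8) warnings (and the highest counter value each one reported), the reverse-DNS mismatch warnings, and the failed AUTH attempts, then lists the clients that tripped a limit repeatedly. The sample input is the log excerpt quoted in the post; the `abusers()` threshold of two limit hits is an arbitrary choice for the example.

```python
import re
from collections import defaultdict

# The smtpd(8) log lines quoted in the first post of this thread.
SAMPLE_LOG = """\
Jan 10 08:39:32 mydomain postfix/smtpd[29789]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29789]: warning: Connection concurrency limit exceeded: 4 from unknown[121.238.5.110] for service smtp
Jan 10 08:39:32 mydomain postfix/smtpd[29789]: disconnect from unknown[121.238.5.110] commands=0/0
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: warning: hostname 110.5.238.121.broad.nt.js.dynamic.163data.com.cn does not resolve to address 121.238.5.110: Name or service not known
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: warning: Connection concurrency limit exceeded: 4 from unknown[121.238.5.110] for service smtp
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: disconnect from unknown[121.238.5.110] commands=0/0
Jan 10 08:39:32 mydomain postfix/smtpd[29786]: lost connection after AUTH from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29786]: disconnect from unknown[121.238.5.110] ehlo=1 auth=0/1 commands=1/2
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: warning: hostname 110.5.238.121.broad.nt.js.dynamic.163data.com.cn does not resolve to address 121.238.5.110: Name or service not known
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: warning: Connection rate limit exceeded: 10 from unknown[121.238.5.110] for service smtp
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: disconnect from unknown[121.238.5.110] commands=0/0
Jan 10 08:39:32 mydomain postfix/smtpd[29785]: warning: hostname 110.5.238.121.broad.nt.js.dynamic.163data.com.cn does not resolve to address 121.238.5.110: Name or service not known
Jan 10 08:39:32 mydomain postfix/smtpd[29785]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29785]: warning: Connection rate limit exceeded: 11 from unknown[121.238.5.110] for service smtp
"""

# Postfix writes the client as hostname[address]; capture the address as "ip".
CLIENT = r"[^\s\[]+\[(?P<ip>[^\]]+)\]"

# One pattern per event of interest. The first match wins, so a line counts once.
EVENTS = {
    "connect": re.compile(r"smtpd\[\d+\]: connect from " + CLIENT),
    "concurrency_exceeded": re.compile(
        r"Connection concurrency limit exceeded: (?P<n>\d+) from " + CLIENT),
    "rate_exceeded": re.compile(
        r"Connection rate limit exceeded: (?P<n>\d+) from " + CLIENT),
    "rdns_mismatch": re.compile(
        r"warning: hostname \S+ does not resolve to address (?P<ip>[^\s:]+):"),
    "lost_after_auth": re.compile(r"lost connection after AUTH from " + CLIENT),
    "auth_failed": re.compile(r"disconnect from " + CLIENT + r" .*\bauth=0/(?P<n>\d+)"),
}


def summarize(log_text):
    """Return {ip: {event: count, ..., peak_concurrency: n, peak_rate: n}}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        for name, rx in EVENTS.items():
            m = rx.search(line)
            if not m:
                continue
            stats = per_ip[m.group("ip")]
            stats[name] += 1
            if name in ("concurrency_exceeded", "rate_exceeded"):
                # Keep the largest counter value anvil reported, e.g. "exceeded: 11".
                peak = "peak_" + name.split("_")[0]
                stats[peak] = max(stats[peak], int(m.group("n")))
            break
    return {ip: dict(stats) for ip, stats in per_ip.items()}


def abusers(summary, min_limit_hits=2):
    """Clients that hit the concurrency or rate limit at least min_limit_hits times."""
    hits = {
        ip: s.get("concurrency_exceeded", 0) + s.get("rate_exceeded", 0)
        for ip, s in summary.items()
    }
    return sorted(ip for ip, n in hits.items() if n >= min_limit_hits)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, stats in summary.items():
        print(ip, stats)
    print("block candidates:", abusers(summary))
```

The per-IP counts are the kind of evidence that would feed a firewall set or a log-driven blocker, which is where a connection that should never reach smtpd(8) has to be stopped; smtpd(8) itself can only accept the connection and then close it.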
Re: concurrency rate limit

Wietse Venema
[hidden email]:
> I'm wondering if I have my rate limiting set up correctly. Note I have
> that perl script that sniffs out dynamic IP addresses, so I am not sure
> how this user is even getting concurrent connections.

Postfix receives more than 4 concurrent connections at a rate of
more than 10 connections over some time interval, and closes
excess connections.

If you want to prevent that such connections reach Postfix, then
you need to do that *outside* Postfix, during the TCP handshake.
Postfix does not implement TCP. That happens in the kernel.

        Wietse
Re: concurrency rate limit

lists@lazygranch.com
Now with that interpretation of the log, this makes sense. I was thinking rate and concurrency were different things.

Re: concurrency rate limit

Viktor Dukhovni
> On Jan 11, 2019, at 9:02 AM, Gary <[hidden email]> wrote:
>
> Now with that interpretation of the log, this makes sense. I was thinking rate and concurrency were different things.

They are different things.  Both the rate and the concurrency were exceeded
in the logs you posted.

  * Concurrency = Number of simultaneous connections. (With slight "fuzz"
    as a result of message latency between smtpd(8) and anvil(8) if
    connections are sufficiently short-lived, lasting not much longer than
    the time it takes smtpd(8) to deliver a connection status update to
    anvil(8).  Not a problem in practice.)

  * Rate = connections per time quantum (still subject to message latency,
    but much less important over the longer time scale).

--
        Viktor.
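
To make the distinction concrete, here is a toy model of the two per-client counters that smtpd(8) asks anvil(8) to keep, added as an example and not taken from Postfix. The model assumes that the rate counter restarts when the time unit expires (anvil's default anvil_rate_time_unit is 60s), that the concurrency check is evaluated before the rate check, and that only the first limit tripped is reported for a connection; the limit values default to the 3/3 from the main.cf in the first post. `log_pattern_scenario()` is a constructed timeline, not the real sequence on the poster's server, but it reproduces the counter values seen in the posted log: "exceeded: 4" while three connections are still open, then "rate limit exceeded: 10" and "11" once one of the open connections has gone away and concurrency is no longer the first limit hit.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ClientState:
    concurrency: int = 0       # connections from this client that are open right now
    rate: int = 0              # connections from this client in the current time unit
    window_start: float = -1.0


class AnvilModel:
    """Toy model of anvil(8)'s per-client concurrency and rate counters.

    Modelling assumptions (this is not Postfix code): the rate counter
    restarts when the time unit expires, concurrency is checked before
    rate, and a connection that trips a limit reports only the first one.
    """

    def __init__(self, count_limit=3, rate_limit=3, time_unit=60.0):
        self.count_limit = count_limit   # smtpd_client_connection_count_limit
        self.rate_limit = rate_limit     # smtpd_client_connection_rate_limit
        self.time_unit = time_unit       # anvil_rate_time_unit, in seconds
        self.clients = defaultdict(ClientState)

    def connect(self, ip, now):
        c = self.clients[ip]
        if c.window_start < 0 or now - c.window_start >= self.time_unit:
            c.window_start, c.rate = now, 0
        c.concurrency += 1
        c.rate += 1
        if self.count_limit and c.concurrency > self.count_limit:
            verdict = "concurrency limit exceeded"
        elif self.rate_limit and c.rate > self.rate_limit:
            verdict = "rate limit exceeded"
        else:
            verdict = "accepted"
        return verdict, c.concurrency, c.rate

    def disconnect(self, ip):
        c = self.clients[ip]
        c.concurrency = max(0, c.concurrency - 1)
        return c.concurrency


def replay(events, **limits):
    """Feed ("connect"|"disconnect", ip, t) events through the model.

    Returns one (verdict, concurrency, rate) tuple per connect event. A
    rejected connect is disconnected at once, as smtpd(8) does after its
    421 reply (the "disconnect ... commands=0/0" lines in the log).
    """
    model = AnvilModel(**limits)
    results = []
    for kind, ip, t in events:
        if kind == "connect":
            verdict, concurrency, rate = model.connect(ip, t)
            results.append((verdict, concurrency, rate))
            if verdict != "accepted":
                model.disconnect(ip)
        else:
            model.disconnect(ip)
    return results


def log_pattern_scenario():
    """Constructed timeline that reproduces the counter values in the posted log."""
    ip = "121.238.5.110"
    events = []
    t = 0.0
    for _ in range(3):                      # three connections that stay open
        events.append(("connect", ip, t))
        t += 0.1
    for _ in range(6):                      # 4th..9th: concurrency is the first limit hit
        events.append(("connect", ip, t))
        t += 0.1
    events.append(("disconnect", ip, t))    # one open connection ends (lost after AUTH)
    for _ in range(2):                      # 10th and 11th: only the rate limit trips
        events.append(("connect", ip, t))
        t += 0.1
    events.append(("connect", ip, 100.0))   # next time unit: rate counter restarted
    return replay(events, count_limit=3, rate_limit=3, time_unit=60.0)


if __name__ == "__main__":
    for i, (verdict, concurrency, rate) in enumerate(log_pattern_scenario(), 1):
        print(f"connect #{i:2d}: {verdict:28s} concurrency={concurrency} rate={rate}")
```

Replaying short-lived connections one at a time (connect, disconnect, connect, ...) never raises concurrency above 1, yet the fourth connect inside one time unit still trips the rate limit; that is the "different things" point above in executable form.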