Crashing Nameservers




The apf firewall with bfd brute force detection will parse your
/var/log/secure file and insert a block on any offending IP that tries
repeated attacks according to your configuration.  This checking is done
every minute and it can email you a warning.  I get these a few times a
day and currently have almost 800 IPs blocked.

Then of course if someone in a company that uses your system wants to make
life difficult for colleagues, they can always promote a block, but since
you can keep the emails forever and they list all the accounts tried, you
have the evidence...:-)

Have a look at http://www.r-fx.org and follow the links to apf and bfd.
The software is available under GPL but there is also a service that can
be purchased at reasonable rates.

Best wishes

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon@xxxxxxxxxxxxxxxxxxxx              a.einstein@xxxxxxxxxxxxxx
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com


On Fri, 30 Dec 2005, John Hinton wrote:

> John Hinton wrote:
> 
> > Had two nameservers crash in the last few hours... This 'never' 
> > happens! On the console was
> >
> > sent an invalid ICMP type 3, code 3 error to a broadcast: 
> > 255.255.255.255 on eth0
> >
> > sent an invalid ICMP type 3, code 3 error to a broadcast: 
> > 255.255.254.255 on eth0
> >
> > with the IP address of the offender? in front of that line. Any ideas?
> >
> > Best,
> > John Hinton
> 
> And a bit more info.
> 
> Seems that maybe it just happened to be nameservers. Found this in the 
> logs repeated over and over for thousands of lines.
> 
> Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> 
> Seems I'm experiencing a DoS against vsftp login. Anybody got a good way 
> to limit the number of failed login attempts by one IP address?
> 
> Thanks,
> John Hinton
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
> 
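The approach John Logsdon describes (parse /var/log/secure, count failures per source IP, block those over a threshold) as an added Python example answering John Hinton's question; this is not bfd's or apf's own code. The sample log lines are constructed in the pam_unix format quoted above, and the year, threshold and window size are assumptions.

```python
# Added example (not bfd/apf's own code): count pam_unix authentication
# failures per rhost inside a sliding time window and render iptables
# DROP rules for hosts that cross the threshold. Sample lines below are
# constructed in the syslog format quoted in the thread.
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:05:10 cavebear sshd(pam_unix)[29601]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7 user=admin
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ \S+\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)")

def parse_failures(text, year=2005):
    """Yield (timestamp, rhost) for each failure line; "check pass" and
    other lines are skipped. Syslog carries no year, so one is assumed."""
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["rhost"]

def offenders(text, threshold=5, window_seconds=600):
    """Return {rhost: peak_count} for hosts reaching `threshold` failures
    within any `window_seconds` span; a window, rather than an all-time
    count, keeps a user's occasional typos from adding up to a block."""
    recent, flagged = defaultdict(deque), {}
    for ts, rhost in sorted(parse_failures(text)):
        q = recent[rhost]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget attempts older than the window
        if len(q) >= threshold:
            flagged[rhost] = max(flagged.get(rhost, 0), len(q))
    return flagged

def block_rules(flagged, chain="INPUT"):
    """Render (not execute) the iptables DROP rules bfd would hand to apf."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(block_rules(offenders(SAMPLE_LOG))))
```

Run against the constructed sample, the single sshd failure from 192.0.2.7 stays below the threshold while 210.95.162.215, with five failures in eleven seconds, is flagged.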

