syn flood attacked?
Hello list,

I have a heavy smtp server and recently I got a lot of messages like

    May 17 22:53:24 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
    May 17 22:54:25 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
    May 17 22:55:25 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
    May 17 22:56:25 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
    May 17 22:57:25 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
    May 17 23:03:11 ms2 kernel: possible SYN flooding on port 25. Sending cookies.

When I use netstat to grep the smtp connection, I see lots of

    ms2:~# netstat -ant | grep SYN_RECV | wc -l
    2539

Am I being syn flood attacked? How can I get rid of this?

--
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
gdm and pam_group problem
Haven't found a solution in any searches I've done thus far, so here's my problem:

Given:
- 1 workstation running gdm 2.2.5.5-2 (and pam 0.72-35), offering XDMCP access to selected other X Terminals, and also allowing gdm logins on the local console.
- 1 remote X Terminal (soon to be several) which connects to the above workstation via XDMCP.

The problem is that I'd like for users logging in locally via gdm to be added to the various audio, floppy, etc. groups so that they have access to the normal sound and removable media devices on the workstation. However, I'd like for users logging in remotely via gdm (the X Terminal users) to *not* get any special access to the hardware.

Here's my line from /etc/security/group.conf:

    gdm; :*; *; Al-2400; audio,floppy,video,cdrom

I have verified that a remote login gets tty set to 'remoteterm:0', for example, and a local login gets tty set to ':0'. I'd have thought that the ':*' would match ':0', but not 'remoteterm:0', but it apparently matches both according to the pam debug log.

Any ideas, including a more appropriate list to ask these questions? If at all possible, I'd really rather not install xdm for remote logins, and gdm for local.

--
Mike Renfro / RD Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
Re: syn flood attacked?
On Fri, May 17, 2002 at 11:44:16PM +0800, Patrick Hsieh wrote:
> Hello list,
>
> I have a heavy smtp server and recently I got a lot of messages like
>
> May 17 22:53:24 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
> May 17 22:54:25 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
> May 17 22:55:25 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
> May 17 22:56:25 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
> May 17 22:57:25 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
> May 17 23:03:11 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
>
> When I use netstat to grep the smtp connection, I see lots of
>
> ms2:~# netstat -ant | grep SYN_RECV | wc -l
> 2539
>
> Am I being syn flood attacked? How can I get rid of this?

Hello

In this case you are probably a target of a SYN Flood attack. What you have to do is to compile your kernel with the option protect_against_synflood (or something like this, but for sure in network submenu). Make sure to read the help for this option because compiling it into kernel isn't enough... (you have to issue a command echo 1 > /don't/remember/where ;) )

--
Michael carstein Melewski       | One day, he said, in a taped segment
[EMAIL PROTECTED]               | that suggested chemical interrogation,
mobile: 502 545 913             | everything had gone gray.
gpg: carstein.c.pl/carstein.txt |     -- Corto , 'Neuromancer'
Re: syn flood attacked?
On Fri, 17 May 2002, Michal Melewski wrote:
> > May 17 23:03:11 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
> > Am I being syn flood attacked? How can I get rid of this?
>
> Hello
>
> In this case you are probably a target of a SYN Flood attack. What you have to do is to compile your kernel with the option protect_against_synflood (or something like this, but for sure in network submenu). Make sure to read the help for this option because compiling it into kernel isn't enough... (you have to issue a command echo 1 > /don't/remember/where ;) )

It is activated... it's called cookies, as shown above.

For more information, read this documentation: http://cr.yp.to/syncookies.html

Eric
Re: syn flood attacked?
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

to turn on syn cookie support once it's compiled into the kernel.

> In this case you are probably a target of a SYN Flood attack. What you have to do is to compile your kernel with the option protect_against_synflood (or something like this, but for sure in network submenu). Make sure to read the help for this option because compiling it into kernel isn't enough... (you have to issue a command echo 1 > /don't/remember/where ;) )

--
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]
Re: syn flood attacked?
On Fri, May 17, 2002 at 12:46:46PM -0700, Greg Hunt wrote:
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> to turn on syn cookie support once it's compiled into the kernel.

IIRC, you can also (at least in Debian) add the line 'syncookies=yes' to /etc/network/options.

--j
Re: syn flood attacked?
> IIRC, you can also (at least in Debian) add the line 'syncookies=yes' to /etc/network/options.

after making this change, what service must I restart to make the change take effect?

thanks
jmb
Re: syn flood attacked?
On Fri, May 17, 2002 at 04:38:24PM -0500, JonesMB wrote:
> > IIRC, you can also (at least in Debian) add the line 'syncookies=yes' to /etc/network/options.
>
> after making this change, what service must I restart to make the change take effect?

None, the changes are in kernel space. Just make sure you

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

so the change will affect the running kernel. Adding syncookies=yes to /etc/network/options does that at boot time.

noah

--
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: syn flood attacked?
/etc/init.d/networking takes care of it but the option is set by default to no in /etc/network/options

~mark

----- Original Message -----
From: Greg Hunt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 17, 2002 12:46 PM
Subject: Re: syn flood attacked?

> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> to turn on syn cookie support once it's compiled into the kernel.
>
> > In this case you are probably a target of a SYN Flood attack. What you have to do is to compile your kernel with the option protect_against_synflood (or something like this, but for sure in network submenu). Make sure to read the help for this option because compiling it into kernel isn't enough... (you have to issue a command echo 1 > /don't/remember/where ;) )
>
> --
> --SupplyEdge---
> Greg Hunt
> 800-733-3380 x 107
> [EMAIL PROTECTED]
Re: syn flood attacked?
Hello Mark Lanett [EMAIL PROTECTED],

Any other options available in /etc/network/options? And, is it possible to restrict the max. number of concurrent SYN_RECV packet in the system or max. burst number in a limited time? Any examples?

On Fri, 17 May 2002 14:55:05 -0700 Mark Lanett [EMAIL PROTECTED] wrote:
> /etc/init.d/networking takes care of it but the option is set by default to no in /etc/network/options
>
> ~mark
>
> ----- Original Message -----
> From: Greg Hunt [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, May 17, 2002 12:46 PM
> Subject: Re: syn flood attacked?
>
> > echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> >
> > to turn on syn cookie support once it's compiled into the kernel.
> >
> > > In this case you are probably a target of a SYN Flood attack. What you have to do is to compile your kernel with the option protect_against_synflood (or something like this, but for sure in network submenu). Make sure to read the help for this option because compiling it into kernel isn't enough... (you have to issue a command echo 1 > /don't/remember/where ;) )
> >
> > --
> > --SupplyEdge---
> > Greg Hunt
> > 800-733-3380 x 107
> > [EMAIL PROTECTED]

--
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
Re: syn flood attacked?
On Sat, May 18, 2002 at 08:48:21AM +0800, Patrick Hsieh wrote:
> Hello Mark Lanett [EMAIL PROTECTED],
>
> Any other options available in /etc/network/options? And, is it possible to restrict the max. number of concurrent SYN_RECV packet in the system or max. burst number in a limited time? Any examples?

read /usr/src/linux/Documentation/filesystems/proc.txt. It describes some stuff you can do with /proc/sys/net/ipv4/*

/usr/src/linux/Documentation/networking/ip-sysctl.txt describes everything.

happy hacking,

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BCE
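
The checks discussed in this thread (the SYN_RECV count from netstat, the tcp_syncookies switch, and the /proc/sys/net/ipv4 tunables documented in ip-sysctl.txt) gathered into one script, as an added example that is not from any poster. The netstat sample is constructed, PROC_ROOT and the function names are assumptions of this example, and tcp_max_syn_backlog is a sysctl described in ip-sysctl.txt that the thread itself does not name.

```shell
#!/bin/sh
# Added example, not from the thread. PROC_ROOT (an assumption of this
# script) lets the sysctl check be pointed at a test directory.

# Constructed `netstat -ant` output (documentation addresses, not real hosts).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.44:1025       SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.90:51544      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.45:2210       SYN_RECV
EOF
}

# Half-open connections per local port, busiest first: "port count" lines.
syn_recv_by_port() {
    awk '$6 == "SYN_RECV" { n = split($4, a, ":"); c[a[n]]++ }
         END { for (p in c) print p, c[p] }' | sort -k2,2nr -k1,1n
}

# Number of distinct remote addresses holding SYN_RECV slots on port $1.
# Many slots from few addresses points at a handful of slow or broken peers;
# many distinct (often spoofed) addresses is the classic flood pattern.
syn_recv_sources() {
    awk -v p="$1" '$6 == "SYN_RECV" { n = split($4, a, ":")
                     if (a[n] == p) { sub(/:[^:]*$/, "", $5); print $5 } }' |
        sort -u | wc -l | tr -d ' '
}

# Current value of a net.ipv4 sysctl, or "unavailable" if it cannot be read.
ipv4_sysctl() {
    cat "${PROC_ROOT:-/proc}/sys/net/ipv4/$1" 2>/dev/null || echo unavailable
}

# One-line verdict for port $1 with alert threshold $2; netstat output on stdin.
assess_port() {
    count=$(awk -v p="$1" '$6 == "SYN_RECV" { n = split($4, a, ":")
                             if (a[n] == p) c++ } END { print c + 0 }')
    cookies=$(ipv4_sysctl tcp_syncookies)
    if [ "$count" -lt "$2" ]; then echo "port $1: ok ($count half-open)"
    elif [ "$cookies" = 1 ]; then echo "port $1: $count half-open, syncookies on"
    else echo "port $1: $count half-open, syncookies NOT on"
    fi
}

# Demo on the constructed sample; on a live host pipe `netstat -ant` instead.
sample_netstat | syn_recv_by_port
sample_netstat | assess_port 25 3
echo "tcp_max_syn_backlog: $(ipv4_sysctl tcp_max_syn_backlog)"
```

On a real server, replace `sample_netstat` with `netstat -ant` and pick a threshold that reflects the normal half-open count for that service.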