Re: machine hangs on occasion - correlated with ssh break-in attempts

2008-08-22 Thread Derek Ragona

At 12:38 PM 8/21/2008, Mikhail Teterin wrote:

Hello!

A machine I manage remotely for a friend comes under a distributed ssh 
break-in attack every once in a while. Annoyed (and alarmed) by the 
messages like:


Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180

I wrote an awk-script, which adds a block of the attacking IP-address to 
the ipfw-rules after three such invalid user attempts with:


   ipfw add 550 deny ip from ip

The script is fed by syslogd directly -- through a syslog.conf rule 
(|/opt/sbin/auth-log-watch).


Once in a while I manually flush these rules... Is this a good (safe) reaction?
I'm asking, because the machine (currently running 7.0 as of July 7) hangs 
solid once every few weeks... My only guess is that a spike in attacks 
causes too many ipfw-entries created, which paralyzes the kernel due to 
some bug -- the machine is running natd and is the gateway for the rest of 
the network...
The hangs could, of course, be caused by something else entirely, but my 
self-defense mechanism is my first suspect...


Any comments? Thanks!

   -mi


I doubt it is your script, or syslog causing the crash.  It is likely a 
hardware problem of some type if you have this server completely patched 
and up-to-date for security patches.  I would look at the memory, ethernet, 
hard disk, or power supply as the most likely candidates.


-Derek

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
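The threshold-and-block logic the original poster describes, written here as an added shell example (not the poster's own /opt/sbin/auth-log-watch, which is not shown in the thread): sshd lines arrive on stdin as the syslog.conf pipe would feed them, each source address is counted, and a rule in the thread's form is emitted once when an address reaches three "Invalid user" failures. IPFW_CMD, THRESHOLD, RULE_NO and the sample log lines are this example's own constructions.

```shell
#!/bin/sh
# Added example, not the poster's script. Reads sshd syslog lines on stdin,
# counts "Invalid user ... from ADDR" failures per address and emits one deny
# rule (thread's form) the first time an address reaches THRESHOLD failures.
# IPFW_CMD defaults to "echo" (dry run); set IPFW_CMD=ipfw on the gateway.
: "${IPFW_CMD:=echo}"
: "${THRESHOLD:=3}"
: "${RULE_NO:=550}"

block_rules() {
    awk -v thr="$THRESHOLD" -v rule="$RULE_NO" '
        / sshd\[[0-9]+\]: Invalid user .* from / {
            # take the token after "from"; works with or without a trailing "port N"
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            # only a dotted quad may reach the ipfw command line: a username
            # or hostname found in the log must never become part of a rule
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            n[ip]++
            # emit exactly once per address, so a burst of attempts does not
            # add a pile of duplicate rules (the concern raised in the thread)
            if (n[ip] == thr) {
                printf "add %s deny ip from %s to any\n", rule, ip
                fflush()
            }
        }'
}

# Hand each emitted rule to ipfw (or to echo, in the dry-run default).
apply_rules() {
    block_rules | while IFS= read -r rule; do
        $IPFW_CMD $rule
    done
}

# Constructed sample modelled on the thread's log excerpt (not a real capture):
# four failures from one address, one from another, one with no usable address.
SAMPLE_LOG='Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:19 symbion sshd[4336]: Invalid user admin from 192.0.2.10
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:22 symbion sshd[4340]: Invalid user root from not-an-address'

# Run the sample through the filter; returns the rules that would be added.
demo_sample() {
    printf '%s\n' "$SAMPLE_LOG" | block_rules
}
```

On a gateway that sees bursts, `ipfw table 1 add ADDR` entries behind one static `deny ip from table(1) to any` rule keep the kernel's rule list at a single entry instead of one rule per address.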


Re: HEADS UP: Recompile milters after sendmail 8.14 upgrade

2007-04-21 Thread Derek Ragona

At 12:21 AM 4/20/2007, Gregory Shapiro wrote:

sendmail has been updated from version 8.13.8 to 8.14.1 in the HEAD and
RELENG_[456] branches.  This upgrade includes a new libmilter library
which requires all dynamically linked milters to be recompiled (no
source code changes are required).

Unfortunately, this problem (the need to recompile filters) was found
after the MFC.  The release engineering team has asked for this notice
instead of doing a full backout of sendmail 8.14 in the RELENG_[456]
branches.

I'm sorry for the adverse effects from the change and will be more
careful with future sendmail commits.


For those of us with RELENG_[456] servers do we just need to buildworld and 
installworld?


-Derek
