John Hinton wrote: > Had two nameservers crash in the last few hours... This 'never' > happens! On the console was > > sent an invalid ICMP type 3, code 3 error to a broadcast: > 255.255.255.255 on eth0 > > sent an invalid ICMP type 3, code 3 error to a broadcast: > 255.255.254.255 on eth0 > > with the IP address of the offender? in front of that line. Any ideas? > > Best, > John Hinton And a bit more info. Seems that maybe it just happened to be nameservers. Found this in the logs repeated over and over for thousands of lines. Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 Seems I'm experiencing a DoS against vsftp login. Anybody got a good way to limit the number of failed login attempts by one IP address? Thanks, John Hinton