[CentOS] Crashing Nameservers

Mon Jan 2 18:24:13 UTC 2006
John Logsdon <j.logsdon at quantex-research.com>

The apf firewall with bfd brute force detection will parse your
/var/log/secure file and insert a block on any offending IP that tries
repeated attacks according to your configuration.  This checking is done
every minute and it can email you a warning.  I get these a few times a
day and currently have almost 800 IPs blocked.

Then of course if someone in a company that uses your system wants to make
life difficult for colleagues, they can always promote a block, but since
you can keep the emails forever and they list all the accounts tried, you
have the evidence...:-)

Have a look at http://www.r-fx.org and follow the links to apf and bfd.
The software is available under GPL but there is also a service that can
be purchased at reasonable rates.

Best wishes

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon at quantex-research.com              a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com


On Fri, 30 Dec 2005, John Hinton wrote:

> John Hinton wrote:
> 
> > Had two nameservers crash in the last few hours... This 'never' 
> > happens! On the console was
> >
> > sent an invalid ICMP type 3, code 3 error to a broadcast: 
> > 255.255.255.255 on eth0
> >
> > sent an invalid ICMP type 3, code 3 error to a broadcast: 
> > 255.255.254.255 on eth0
> >
> > with the IP address of the offender? in front of that line. Any ideas?
> >
> > Best,
> > John Hinton
> 
> And a bit more info.
> 
> Seems that maybe it just happened to be nameservers. Found this in the 
> logs repeated over and over for thousands of lines.
> 
> Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
> Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
> Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: authentication 
> failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
> 
> Seems I'm experiencing a DoS against vsftp login. Anybody got a good way 
> to limit the number of failed login attempts by one IP address?
> 
> Thanks,
> John Hinton
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
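The per-IP threshold check that John Logsdon describes bfd applying to /var/log/secure, written out as an added example (not bfd's or apf's own code) and run over pam_unix failure records of the kind John Hinton posted. The log sample is constructed for the example: the vsftpd lines are re-joined from the wrapped lines in the post, and the final sshd line with the documentation address 192.0.2.10 is invented to show a host that stays below the threshold. The regex, the 5-failures-in-60-seconds default and the function names are this example's assumptions, not bfd's configuration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches pam_unix "authentication failure" records as syslog writes them (one
# line each); the rhost= field carries the client address that a bfd-style
# checker counts on. Regex and field names are assumptions of this example.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>\w+)\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S*)"
)

def parse_failures(lines, year=2005):
    """Yield (timestamp, service, rhost) for every failure record with an rhost."""
    for line in lines:
        m = FAILURE_RE.match(line)
        if m and m.group("rhost"):   # local failures have an empty rhost=; skip them
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("svc"), m.group("rhost")

def offenders(lines, threshold=5, window_s=60):
    """Return {rhost: total_failures} for hosts that reach `threshold` failures
    inside any `window_s`-second span (sliding window over sorted timestamps)."""
    hits = defaultdict(list)
    for ts, _svc, rhost in parse_failures(lines):
        hits[rhost].append(ts)
    result = {}
    for rhost, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1            # drop timestamps that fell out of the window
            if end - start + 1 >= threshold:
                result[rhost] = len(times)
                break
    return result

# Constructed sample: the thread's vsftpd records re-joined onto single lines,
# plus one invented sshd failure from a documentation address.
SAMPLE_LOG = """\
Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:05:00 cavebear sshd(pam_unix)[29700]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
""".splitlines()
```

Running `offenders(SAMPLE_LOG)` flags only 210.95.162.215 (six failures in eight seconds); bfd's real job then is to hand each flagged address to apf for blocking, and keeping the per-host counts gives the evidence trail the post mentions.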