Date:      Thu, 21 Aug 2008 13:28:22 -0500
From:      Derek Ragona <derek@computinginnovations.com>
To:        Mikhail Teterin <mi+mill@aldan.algebra.com>, freebsd-security@freebsd.org,  freebsd-stable@freebsd.org
Subject:   Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID:  <6.0.0.22.2.20080821132630.026c6a48@mail.computinginnovations.com>
In-Reply-To: <48ADA81E.7090106@aldan.algebra.com>
References:  <48ADA81E.7090106@aldan.algebra.com>

At 12:38 PM 8/21/2008, Mikhail Teterin wrote:
>Hello!
>
>A machine I manage remotely for a friend comes under a distributed ssh 
>break-in attack every once in a while. Annoyed (and alarmed) by the 
>messages like:
>
>Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
>Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
>Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
>Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
>I wrote an awk-script, which adds a block of the attacking IP-address to 
>the ipfw-rules after three such "invalid user" attempts with:
>
>    ipfw add 550 deny ip from ip
>
>The script is fed by syslogd directly -- through a syslog.conf rule 
>("|/opt/sbin/auth-log-watch").
>
>Once in a while I manually flush these rules... Is this a good (safe) reaction?
>I'm asking, because the machine (currently running 7.0 as of July 7) hangs 
>solid once every few weeks... My only guess is that a spike in attacks 
>causes "too many" ipfw-entries created, which paralyzes the kernel due to 
>some bug -- the machine is running natd and is the gateway for the rest of 
>the network...
>The hangs could, of course, be caused by something else entirely, but my 
>self-defense mechanism is my first suspect...
>
>Any comments? Thanks!
>
>    -mi

I doubt it is your script, or syslog causing the crash.  It is likely a 
hardware problem of some type if you have this server completely patched 
and up-to-date for security patches.  I would look at the memory, ethernet, 
hard disk, or power supply as the most likely candidates.

         -Derek

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
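For readers who want to see what a syslog-fed watcher of the kind Mikhail describes looks like, here is an added example. It is not his awk script and not part of the thread; it assumes the sshd line format quoted above and a single ipfw rule that references a lookup table (rule number 550 and table number 1 are the example's own choices). The sample log lines are constructed for the demonstration. Instead of adding one ipfw rule per attacker, it adds the address to a table once, which keeps the rule set bounded even during a spike.

```shell
#!/bin/sh
# Added example, not the original poster's /opt/sbin/auth-log-watch.
# Reads sshd log lines (as syslogd would pipe them), counts "Invalid user ... from <ip>"
# per source address and emits ONE block action per address once a threshold is hit.
# Assumptions: the log format quoted in the thread; ipfw table 1 is referenced by a
# single deny rule (see usage note); addresses in the sample are constructed.

# Constructed sample log: one address crosses a threshold of 3, the other does not.
SAMPLE_LOG='Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:19 symbion sshd[4336]: Accepted publickey for alice from 192.0.2.7 port 51234 ssh2
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:22 symbion sshd[4340]: Invalid user admin from 198.51.100.9
Aug 12 10:21:23 symbion sshd[4341]: Invalid user admin from 198.51.100.9'

# auth_log_watch THRESHOLD
#   stdin:  log lines
#   stdout: one "ipfw table 1 add <ip>" line per address that reaches THRESHOLD
auth_log_watch() {
    awk -v threshold="${1:-3}" '
        /sshd\[[0-9]+\]: Invalid user .* from / {
            # Pick the address after "from"; also tolerates a trailing "port N".
            if (match($0, / from [0-9.]+/)) {
                ip = substr($0, RSTART + 6, RLENGTH - 6)
                count[ip]++
                # == rather than >=: an address already in the table is not
                # re-added on every further attempt, so the table stays bounded.
                if (count[ip] == threshold)
                    print "ipfw table 1 add " ip
            }
        }'
}

# Dry run: print the actions instead of executing them.
printf '%s\n' "$SAMPLE_LOG" | auth_log_watch 3
```

To use it the way the thread describes, syslogd pipes the auth log into the script and the printed lines are piped to sh; one standing rule, ipfw add 550 deny ip from 'table(1)' to any, then blocks every listed address, and the periodic manual flush becomes ipfw table 1 flush rather than deleting many individual rules. Because the pipe from syslogd stays open, the awk counters live for the life of the process; a production version would also expire entries rather than only counting up.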