machine hangs on occasion - correlated with ssh break-in
derek at computinginnovations.com
Fri Aug 22 08:04:17 UTC 2008
At 12:38 PM 8/21/2008, Mikhail Teterin wrote:
>A machine I manage remotely for a friend comes under a distributed ssh
>break-in attack every once in a while. Annoyed (and alarmed) by the
>Aug 12 10:21:17 symbion sshd: Invalid user mythtv from 18.104.22.168
>Aug 12 10:21:18 symbion sshd: Invalid user mythtv from 22.214.171.124
>Aug 12 10:21:20 symbion sshd: Invalid user mythtv from 126.96.36.199
>Aug 12 10:21:21 symbion sshd: Invalid user mythtv from 188.8.131.52
>I wrote an awk-script, which adds a block of the attacking IP-address to
>the ipfw-rules after three such "invalid user" attempts with:
> ipfw add 550 deny ip from ip
>The script is fed by syslogd directly -- through a syslog.conf rule
>Once in a while I manually flush these rules... Is this a good (safe) reaction?
>I'm asking, because the machine (currently running 7.0 as of July 7) hangs
>solid once every few weeks... My only guess is that a spike in attacks
>causes "too many" ipfw-entries created, which paralyzes the kernel due to
>some bug -- the machine is running natd and is the gateway for the rest of
>The hangs could, of course, be caused by something else entirely, but my
>self-defense mechanism is my first suspect...
>Any comments? Thanks!
I doubt it is your script, or syslog causing the crash. It is likely a
hardware problem of some type if you have this server completely patched
and up-to-date for security patches. I would look at the memory, ethernet,
hard disk, or power supply as the most likely candidates.
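For reference, an added example (not the poster's script, and not code from anyone on this thread) of the kind of awk filter described above, written as a shell function so it can be run over a log file or fed live by syslogd. It adds two things a practitioner would want: it takes the address from the *last* "from" on the line, because the username part of an "Invalid user" message is supplied by the attacker and could itself contain "from 203.0.113.9" (otherwise a crafted login name can get an arbitrary address blocked), and it caps the number of rules it will add so a spike in attacks cannot grow the ruleset without bound. The function name, the allow-list argument, the sample log lines and the syslog.conf line in the comments are all assumptions or constructed for this example.

```shell
#!/bin/sh
# Added example: emit one "ipfw add 550 deny" command per attacking address
# once it reaches THRESHOLD "Invalid user" attempts. The function only prints
# the commands; pipe its output to sh to apply them.
#
# Live use from syslogd (FreeBSD syslog.conf supports piping to a command;
# the path is an assumption):
#   auth.info   |exec /usr/local/sbin/ssh_block.sh
# where ssh_block.sh does:  ssh_blocklist_cmds 3 200 "192.0.2.1 10." | sh

# Constructed sample log lines (documentation addresses, not real traffic).
# The 203.0.113.9 lines show a username crafted to look like "from <ip>".
SAMPLE_LOG='Aug 12 10:21:17 symbion sshd[1234]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:18 symbion sshd[1235]: Invalid user mythtv from 192.0.2.11
Aug 12 10:21:19 symbion sshd[1236]: Invalid user admin from 192.0.2.10
Aug 12 10:21:20 symbion sshd[1237]: Accepted publickey for derek from 192.0.2.10 port 5555 ssh2
Aug 12 10:21:21 symbion sshd[1238]: Invalid user test from 192.0.2.10
Aug 12 10:21:22 symbion sshd[1239]: Invalid user oracle from 192.0.2.10 port 40122
Aug 12 10:21:23 symbion sshd[1240]: Invalid user pgsql from 203.0.113.9 from 192.0.2.12
Aug 12 10:21:24 symbion sshd[1241]: Invalid user pgsql from 203.0.113.9 from 192.0.2.12
Aug 12 10:21:25 symbion sshd[1242]: Invalid user pgsql from 203.0.113.9 from 192.0.2.12
Aug 12 10:21:26 symbion sshd[1243]: Invalid user mythtv from 192.0.2.11'

# ssh_blocklist_cmds THRESHOLD MAXRULES ALLOWLIST  < sshd-log-lines
#   THRESHOLD  attempts before an address is blocked (default 3)
#   MAXRULES   hard cap on rules added in this run (default 200)
#   ALLOWLIST  space-separated address prefixes that are never blocked,
#              e.g. "192.0.2.1 10." (prefix match, so end networks with a dot)
ssh_blocklist_cmds() {
    awk -v threshold="${1:-3}" -v maxrules="${2:-200}" -v allow="${3:-}" '
    BEGIN { n = split(allow, allowlist, " ") }

    # Only the sshd "Invalid user" message; sshd may or may not log a [pid].
    /sshd(\[[0-9]+\])?: Invalid user / {
        # Walk every " from a.b.c.d" on the line and keep the LAST one: the
        # username before it is attacker-controlled, the final one is sshd''s.
        rest = $0; ip = ""
        while (match(rest, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(rest, RSTART + 6, RLENGTH - 6)   # skip " from "
            rest = substr(rest, RSTART + RLENGTH)
        }
        if (ip == "") next

        # Never block an allow-listed prefix (the admin, local nets, DNS).
        for (i = 1; i <= n; i++)
            if (index(ip, allowlist[i]) == 1) next

        # Emit exactly once per address (== threshold, not >=), and stop
        # adding rules once the cap is hit so a flood cannot bloat the ruleset.
        if (++count[ip] == threshold && blocked < maxrules) {
            blocked++
            printf "ipfw add 550 deny ip from %s to any\n", ip
            fflush()   # needed when the output is a live pipe into sh
        }
    }'
}
```

Giving every added rule the same number (550, as in the post) is what makes the periodic flush cheap: `ipfw delete 550` removes all of them at once. Note that the counters in a long-running syslogd-fed instance never reset, so an address that trickles attempts over weeks is eventually blocked too; if that is not wanted, restart the pipe or add an age to the counts.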