machine hangs on occasion - correlated with ssh break-in attempts
mi+mill at aldan.algebra.com
Thu Aug 21 18:05:27 UTC 2008
A machine I manage remotely for a friend comes under a distributed ssh
break-in attack every once in a while. Annoyed (and alarmed) by the

    Aug 12 10:21:17 symbion sshd: Invalid user mythtv from 22.214.171.124
    Aug 12 10:21:18 symbion sshd: Invalid user mythtv from 126.96.36.199
    Aug 12 10:21:20 symbion sshd: Invalid user mythtv from 188.8.131.52
    Aug 12 10:21:21 symbion sshd: Invalid user mythtv from 184.108.40.206

I wrote an awk script, which adds a block of the attacking IP address to
the ipfw rules after three such "invalid user" attempts with:

    ipfw add 550 deny ip from ip

The script is fed by syslogd directly -- through a syslog.conf rule

Once in a while I manually flush these rules... Is this a good (safe)

I'm asking, because the machine (currently running 7.0 as of July 7)
hangs solid once every few weeks... My only guess is that a spike in
attacks causes "too many" ipfw entries to be created, which paralyzes the
kernel due to some bug -- the machine is running natd and is the gateway
for the rest of the network...

The hangs could, of course, be caused by something else entirely, but my
self-defense mechanism is my first suspect...

Any comments? Thanks!
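The following is an added example, not the poster's awk script, that shows the shape of the filter described above with two defensive properties the post's suspicion calls for: a rule is emitted once per source address when it crosses the threshold (not once per further attempt, so repeated probes from a blocked host cannot keep growing the rule table), and a hard cap on the number of rules stops the list from growing without bound during a spike. It prints the `ipfw add` commands instead of executing them, so it can be run against captured log lines; the rule number 550 and the threshold of three come from the post, the `to any` tail is standard ipfw syntax, and the cap, the sample log lines and the RFC 5737 test addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not the original poster's script): count sshd "Invalid user"
# lines per source IP and print the ipfw rule that would be added once an IP
# crosses the threshold. Nothing is executed; output is a plan for review.

RULE_NUM=550   # rule number taken from the post

# plan_blocks THRESHOLD MAX_RULES
# Reads syslog lines on stdin; prints one "ipfw add ..." line per offending IP.
plan_blocks() {
    awk -v thr="$1" -v max="$2" -v rule="$RULE_NUM" '
    /sshd.*Invalid user .* from / {
        # Take the word after "from"; this also copes with newer sshd lines
        # that append "port NNNN" after the address.
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        count[ip]++
        # Emit exactly once, at the moment the threshold is reached, so a host
        # that keeps hammering after being blocked adds no further rules.
        if (count[ip] == thr) {
            if (nblocked >= max) {
                print "cap of " max " rules reached; not blocking " ip > "/dev/stderr"
                next
            }
            nblocked++
            printf "ipfw add %d deny ip from %s to any\n", rule, ip
        }
    }'
}

# Constructed sample input: one address repeats, another appears once,
# and a successful login line must be ignored.
SAMPLE='Aug 12 10:21:17 symbion sshd: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:18 symbion sshd: Invalid user admin from 192.0.2.10
Aug 12 10:21:19 symbion sshd: Invalid user test from 192.0.2.10
Aug 12 10:21:20 symbion sshd: Invalid user mythtv from 198.51.100.7
Aug 12 10:21:21 symbion sshd: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:22 symbion sshd: Accepted publickey for alice from 203.0.113.5 port 4242 ssh2'

# Usage: sh plan_blocks.sh --demo   (or pipe real log lines into plan_blocks)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | plan_blocks 3 200
fi
```

Note that with a per-address threshold the single-attempt-per-address pattern in the poster's log excerpt never triggers a block at all, which is worth knowing before reading the rule count as a measure of how much of an attack the script absorbed. Checking the current rule count (`ipfw list | wc -l`) when the machine is healthy, and again after a spike, would also say quickly whether the rule table is really the thing that grows before a hang.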