fail2ban increase loadaverage to 18
Hello Experts,
For two days I have been trying to use fail2ban because I had several 100000 login attempts on each of my servers...

Now it has increased to several million.

To be clear, my WHOLE network is being attacked!

There are 87 servers in question (which can be reached through a public IP), which in the beginning had only attacks from one <rackspace.com> IP, which increased over some days to 4 IPs, and now, since last night, my servers no longer respond. I have found that my servers are being attacked by more than 20000 IPs with around 2-10 requests per second.

fail2ban is trying to block it, but the load average increases to over 18.

The other problem is that I use a remote syslog daemon, and this server had a load average of >37 for 2 hours, and I had to shut down the server and use the RSA to clean up the system. It was trying to write more than 60 MByte of logs (~ 800 files at once) per second.

My Internet connectivity is a redundant 10 GE using a CISCO 12008. All switches used (16 in total) are 3Com 3C17701 (4924) and I try to block some traffic at the switches. It works nicely, but requires heavy manual intervention.

How do you handle such attacks?

Note: Rackspace has not responded to any of my requests. I have tried to reach them by telephone, but they do not pick up. (It is not the first time that servers from <rackspace.com> attack my network.)

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux
               Internet Service Provider, Cloud Computing
                <http://www.itsystems.tamay-dogan.net/>
                 <http://www.debian.tamay-dogan.net/>

itsystems@tdnet                     Jabber  linux4michelle@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3                   Tel office: +49-176-86004575
77694 Kehl                          Tel mobil:  +49-177-9351947
Germany                             Tel mobil:  +33-6-61925193  (France)

USt-ID:  DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/

Change your ssh port, and enable key login only.
Or drop the syn packets except from whitelisted IPs.

Iain

On Sat, Aug 18, 2012 at 5:10 PM, Michelle Konzack <linux4michelle@tamay-dogan.net> wrote:
> Hello Experts,
>
> For two days I have been trying to use fail2ban because I had several
> 100000 login attempts on each of my servers...
>
> Now it has increased to several million.
>
> To be clear, my WHOLE network is being attacked!
>
> There are 87 servers in question (which can be reached through a public
> IP), which in the beginning had only attacks from one <rackspace.com> IP,
> which increased over some days to 4 IPs, and now, since last night, my
> servers no longer respond. I have found that my servers are being
> attacked by more than 20000 IPs with around 2-10 requests per second.
>
> fail2ban is trying to block it, but the load average increases to over 18.
>
> The other problem is that I use a remote syslog daemon, and this server
> had a load average of >37 for 2 hours, and I had to shut down the server
> and use the RSA to clean up the system. It was trying to write more
> than 60 MByte of logs (~ 800 files at once) per second.
>
> My Internet connectivity is a redundant 10 GE using a CISCO 12008. All
> switches used (16 in total) are 3Com 3C17701 (4924) and I try to block
> some traffic at the switches. It works nicely, but requires heavy manual
> intervention.
>
> How do you handle such attacks?
>
> Note: Rackspace has not responded to any of my requests. I have tried to
> reach them by telephone, but they do not pick up. (It is not the
> first time that servers from <rackspace.com> attack my network.)
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack

--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAL=9LkVxeE_UvvkoNwiQij2vFEeUyniFwCt=XBjHFiwyB5Akw w@mail.gmail.com

Hello Iain Grant,
On 2012-08-18 18:25:43, you hacked down the following:
> Change your ssh port, and enable key login only.
>
> Or drop the syn packets except from whitelisted IPs.

It is not possible, because I would have to reconfigure over 6000 programs worldwide to use another SSH port... and then during updates or reinstallation, I would run into trouble...

> Iain

Thanks, Greetings and nice Day/Evening
Michelle Konzack

.... err, no, just specify another port, that's not difficult. I do it all the time.

    ssh -p<port>
    scp -P<port>
    rsync .... -e 'ssh -p<port>' ...

Or edit your ~/.ssh/config for the hosts.

No big deal. The port is only the 'standard' port, not the only port possible.

Or you can try my other suggestions.

Iain

On Sat, Aug 18, 2012 at 10:01 PM, Michelle Konzack <linux4michelle@tamay-dogan.net> wrote:
> Hello Iain Grant,
>
> On 2012-08-18 18:25:43, you hacked down the following:
>> Change your ssh port, and enable key login only.
>>
>> Or drop the syn packets except from whitelisted IPs.
>
> It is not possible, because I would have to reconfigure over 6000
> programs worldwide to use another SSH port... and then during updates or
> reinstallation, I would run into trouble...
>
>> Iain
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack

It is necessary to limit the number of connections to ssh with iptables, for example:

    /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP

18.08.2012 19:10, Michelle Konzack wrote:
> Hello Experts,
>
> For two days I have been trying to use fail2ban because I had several
> 100000 login attempts on each of my servers...
>
> Now it has increased to several million.
>
> To be clear, my WHOLE network is being attacked!
>
> There are 87 servers in question (which can be reached through a public
> IP), which in the beginning had only attacks from one <rackspace.com> IP,
> which increased over some days to 4 IPs, and now, since last night, my
> servers no longer respond. I have found that my servers are being
> attacked by more than 20000 IPs with around 2-10 requests per second.
>
> fail2ban is trying to block it, but the load average increases to over 18.
>
> The other problem is that I use a remote syslog daemon, and this server
> had a load average of >37 for 2 hours, and I had to shut down the server
> and use the RSA to clean up the system. It was trying to write more
> than 60 MByte of logs (~ 800 files at once) per second.
>
> My Internet connectivity is a redundant 10 GE using a CISCO 12008. All
> switches used (16 in total) are 3Com 3C17701 (4924) and I try to block
> some traffic at the switches. It works nicely, but requires heavy manual
> intervention.
>
> How do you handle such attacks?
>
> Note: Rackspace has not responded to any of my requests. I have tried to
> reach them by telephone, but they do not pick up. (It is not the
> first time that servers from <rackspace.com> attack my network.)
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack

Hello Iain Grant,
On 2012-08-18 22:59:13, you hacked down the following:
> .... err, no, just specify another port, that's not difficult. I do it
> all the time.
>
> ssh -p<port>
> scp -P<port>
> rsync .... -e 'ssh -p<port>' ...

...and my customers' computers/workstations? I have to change ALL configs on the customers' computers, which is highly impossible. Same for the embedded surveillance systems, which have to be recompiled and re-certified.

However, all these things will not solve the problem with the source!

I am going to sue <rackspace.com> since they refuse to respond to my mails. Also, I have checked my spam database (IP addresses) and it seems that this enterprise is hosting several 100 spambots.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

Why don't you block all rackspace prefixes on the border router?
You could use an access-list or null route the prefixes.

--
Best regards,
Adrian Minta

Hello Max,
On 2012-08-19 01:06:15, you hacked down the following:
> It is necessary to limit the number of connections to
> ssh with iptables, for example:
> /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP

Oops... I have locked myself out!

Am I right that this DROPs connections from any IP address if there are more than 3 at the same time? My automated scripts and several 100 embedded security systems hit the limits.

Question: Is there a possibility to set a TIME LIMIT together with the above iptables line?

Thanks, Greetings and nice Day/Evening
Michelle Konzack

Null route will not protect the servers from a syn flood, the only way is to null route the attacked servers.
The other possibility is a big fat firewall.

Léo

-----Original Message-----
From: Adrian Minta [mailto:adrian.minta@gmail.com]
Sent: Sunday, 19 August 2012 19:42
To: debian-isp@lists.debian.org
Subject: Re: fail2ban increase loadaverage to 18

Why don't you block all rackspace prefixes on the border router?
You could use an access-list or null route the prefixes.

--
Best regards,
Adrian Minta

connlimit - allows you to limit the number of simultaneous open connections to each IP-address (or subnet).

    /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP

This command allows up to three simultaneous connection requests to our ssh-server from one IP-address.

19.08.2012 21:40, Michelle Konzack wrote:
> Hello Max,
>
> On 2012-08-19 01:06:15, you hacked down the following:
>> It is necessary to limit the number of connections to
>> ssh with iptables, for example:
>> /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
>
> Oops... I have locked myself out!
>
> Am I right that this DROPs connections from any IP address if there
> are more than 3 at the same time? My automated scripts and several 100
> embedded security systems hit the limits.
>
> Question: Is there a possibility to set a TIME LIMIT together with the
> above iptables line?
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack

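Added example, not part of the thread or written by any of its participants: a dry-run script that combines the measures discussed above, namely accepting whitelisted sources first, a time-based per-source limit, and the connlimit rule. The SSH_GUARD chain name, the TRUSTED addresses and the 4/minute rate are assumptions; the hashlimit match is a standard iptables module that the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: each rule is
# printed. Run with IPT=/sbin/iptables as root to apply the rules.
IPT="${IPT:-echo /sbin/iptables}"

# Constructed sample sources (documentation ranges): automation hosts and
# embedded systems that legitimately open many SSH sessions.
TRUSTED="192.0.2.0/24 198.51.100.17"

ssh_guard_rules() {
    # Dedicated chain (name is an assumption) entered only by new
    # connection attempts (SYN) to port 22.
    $IPT -N SSH_GUARD
    $IPT -A INPUT -p tcp --syn --dport 22 -j SSH_GUARD

    # 1. Trusted sources are accepted before any limit is evaluated, so
    #    bulk automation cannot lock itself out.
    for src in $TRUSTED; do
        $IPT -A SSH_GUARD -s "$src" -j ACCEPT
    done

    # 2. Time-based limit: per source address, drop new connections that
    #    arrive faster than 4 per minute (after an initial burst of 4).
    $IPT -A SSH_GUARD -m hashlimit --hashlimit-name ssh \
        --hashlimit-mode srcip --hashlimit-above 4/minute \
        --hashlimit-burst 4 -j DROP

    # 3. Concurrency limit from the thread: at most 3 simultaneous
    #    connections per source address.
    $IPT -A SSH_GUARD -m connlimit --connlimit-above 3 -j DROP

    # Everything that passed both limits is allowed.
    $IPT -A SSH_GUARD -j ACCEPT
}

ssh_guard_rules
```

Because `-A INPUT` appends, the jump to the guard chain only takes effect if no earlier INPUT rule already accepts port 22.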