08-18-2012, 04:10 PM
Michelle Konzack

fail2ban increase loadaverage to 18

Hello Experts,

For two days I have been trying to use fail2ban because I had several
hundred thousand login attempts on each of my servers...

Now it has increased to several million.

In clear: my WHOLE network is being attacked!

There are 87 servers in question (reachable through a public IP)
which in the beginning had attacks from only one <rackspace.com> IP, which
increased over some days to 4 IPs, and now, since last night, my servers
no longer respond; I have found that my servers are being attacked by
more than 20000 IPs with around 2-10 requests per second.

fail2ban is trying to block it, but the load average increases to over 18.

The other problem is that I use a remote syslog daemon, and this server
had a load average of >37 for 2 hours and I had to shut down the server
and use the RSA to clean up the system. It was trying to write more
than 60 MByte of logs (~800 files at once) per second.

My Internet connectivity is a redundant 10 GE using a Cisco 12008. All
switches used (16 in total) are 3Com 3C17701 (4924) and I try to block
some traffic at the switches. Works nicely, but requires heavy manual
intervention.

How do you handle such attacks?

Note: Rackspace has not responded to any of my requests. I have tried to
reach them by telephone, but they do not pick up. (It is not the
first time that servers from <rackspace.com> attack my network.)

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
##################### Debian GNU/Linux Consultant ######################
Development of Intranet and Embedded Systems with Debian GNU/Linux
Internet Service Provider, Cloud Computing
<http://www.itsystems.tamay-dogan.net/>
<http://www.debian.tamay-dogan.net/>

itsystems@tdnet Jabber linux4michelle@jabber.ccc.de
Owner Michelle Konzack

Gewerbe Strasse 3 Tel office: +49-176-86004575
77694 Kehl Tel mobil: +49-177-9351947
Germany Tel mobil: +33-6-61925193 (France)

USt-ID: DE 278 049 239

Linux-User #280138 with the Linux Counter, http://counter.li.org/
 
Old 08-18-2012, 05:25 PM
Iain Grant
 
Default fail2ban increase loadaverage to 18

Change your ssh port, and enable key login only.

Or drop the syn packets except from whitelisted IPs.

Iain

--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAL=9LkVxeE_UvvkoNwiQij2vFEeUyniFwCt=XBjHFiwyB5Akww@mail.gmail.com
 
08-18-2012, 09:01 PM
Michelle Konzack

Hello Iain Grant,

On 2012-08-18 18:25:43, you hacked out the following:
> Change your ssh port, and enable key login only.
>
> Or drop the syn packets except from whitelisted IPs.

It is not possible, because I would have to reconfigure over 6000
programs worldwide to use another SSH port... and then with updates or
reinstallation, I would run into trouble...

> Iain

Thanks, Greetings and nice Day/Evening
Michelle Konzack

 
08-18-2012, 09:59 PM
Iain Grant

.... err, no, just specify another port, that's not difficult. I do it
all the time.

ssh -p<port>
scp -P<port>
rsync .... -e 'ssh -p<port>' ...

Or edit your ~/.ssh/config for the hosts

No big deal. The port is only the 'standard' port, not the only port possible.

Or you can try my other suggestions.

Iain

 
08-18-2012, 10:06 PM
Max

It is necessary to limit the number of connections to ssh with iptables,
for example:

/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP

 
08-19-2012, 04:33 PM
Michelle Konzack

Hello Iain Grant,

On 2012-08-18 22:59:13, you hacked out the following:
> .... err, no, just specify another port, that's not difficult. I do it
> all the time.
>
> ssh -p<port>
> scp -P<port>
> rsync .... -e 'ssh -p<port>' ...

...and my customers' computers/workstations?

I have to change ALL configs on the customers' computers, which is highly
impossible. Same for the embedded surveillance systems, which have to be
recompiled and re-certified.

However, all these things will not solve the problem with the source!

I am going to sue <rackspace.com> since they refuse to respond to my
mails. Also I have checked my spam database (IP addresses) and it seems
that this enterprise is hosting several 100 spambots.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

 
08-19-2012, 05:41 PM
Adrian Minta

Why don't you block all Rackspace prefixes on the border router?
You could use an access-list or null route the prefixes.

--
Best regards,
Adrian Minta



 
08-19-2012, 06:40 PM
Michelle Konzack

Hello Max,

On 2012-08-19 01:06:15, you hacked out the following:
> It is necessary to limit the number of connections to
> ssh with iptables, for example:
> /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP

Oops... I have locked myself out!

Am I right that this DROPs connections from any IP address if there are
more than 3 at the same time?

My automated scripts and several 100 embedded security systems hit the
limits.

Question: Is there a possibility to set a TIME LIMIT
together with the above iptables line?

Thanks, Greetings and nice Day/Evening
Michelle Konzack

 
08-19-2012, 06:42 PM
Leo Goehrs

A null route will not protect the servers from a SYN flood; the only way is to null route the attacked servers.
The other possibility is a big fat firewall.

Lo

 
08-19-2012, 07:15 PM
Max

connlimit allows you to limit the number of simultaneous open
connections from each IP address (or subnet).


/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP

This command allows up to three simultaneous connection requests to our
ssh server from one IP address.




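Added editorial example, not code posted by anyone in this thread: the following POSIX shell script puts the three suggestions above into one ruleset. It installs Iain's whitelist (as an ipset, checked before any limit, which is the step whose absence locked Michelle out), Max's connlimit rule for concurrent connections, and the time-based limit Michelle asked for, which iptables provides through the hashlimit match with per-source counters that expire on their own. The chain name SSH_GUARD, the set name ssh_trusted, the thresholds (3 concurrent, 10 new connections per minute) and the addresses in TRUSTED are assumptions chosen for the example; it requires iptables with the connlimit, hashlimit and set matches, plus ipset.

```shell
#!/bin/sh
# Added example for this thread (not posted by any participant).
# Kernel-side SSH flood limiter combining the points raised above:
#   1. a whitelist (ipset) for management hosts and the embedded systems,
#      checked BEFORE any limit, so trusted clients can never be locked out;
#   2. connlimit: cap on concurrent connections per source IP (Max's rule);
#   3. hashlimit: cap on NEW connections per source IP per minute, with
#      entries that expire by themselves (the "time limit" asked for).
# Assumptions: iptables with the connlimit, hashlimit and set matches, and
# ipset installed. Chain/set names, limits and the addresses in TRUSTED are
# illustrative choices made for this example (RFC 5737 documentation ranges).

IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}
SSH_PORT=${SSH_PORT:-22}
TRUSTED_SET=${TRUSTED_SET:-ssh_trusted}
CHAIN=SSH_GUARD

# Constructed trusted sources: management LAN, a jump host, the embedded
# surveillance systems' netblock. Replace with the real ranges.
TRUSTED="
192.0.2.0/24
198.51.100.10
203.0.113.0/28
"

ssh_flood_rules() {
    # hash:net gives O(1) lookups however many entries; -exist keeps re-runs
    # idempotent instead of failing on duplicates.
    $IPSET create "$TRUSTED_SET" hash:net -exist
    for net in $TRUSTED; do
        $IPSET add "$TRUSTED_SET" "$net" -exist
    done

    # Own chain: reloading these rules never touches the rest of INPUT.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"

    # 1. Trusted sources leave the chain untouched. This rule must be first;
    #    putting it after the limits is exactly the lockout described above.
    $IPT -A "$CHAIN" -m set --match-set "$TRUSTED_SET" src -j RETURN

    # 2. More than 3 simultaneous connections from one /32: drop the SYN.
    $IPT -A "$CHAIN" -p tcp --syn --dport "$SSH_PORT" \
        -m connlimit --connlimit-above 3 --connlimit-mask 32 -j DROP

    # 3. More than 10 new connections per minute from one source (burst 10):
    #    drop. The per-source counter expires after 60 s of silence, so a
    #    legitimate host that tripped it recovers without manual unbanning.
    $IPT -A "$CHAIN" -p tcp --syn --dport "$SSH_PORT" \
        -m hashlimit --hashlimit-name ssh_new --hashlimit-mode srcip \
        --hashlimit-above 10/minute --hashlimit-burst 10 \
        --hashlimit-htable-expire 60000 -j DROP

    # Hook only new SSH connection attempts into the chain; established
    # sessions are never re-evaluated. Delete-then-insert keeps it idempotent.
    $IPT -D INPUT -p tcp --syn --dport "$SSH_PORT" -j "$CHAIN" 2>/dev/null || true
    $IPT -I INPUT 1 -p tcp --syn --dport "$SSH_PORT" -j "$CHAIN"
}

# Dry run by default: print the commands that would be executed.
# "sh ssh_guard.sh apply" (as root) programs the live firewall.
if [ "${1:-}" = "apply" ]; then
    ssh_flood_rules
else
    IPT="echo iptables" IPSET="echo ipset" ssh_flood_rules
fi
```

Run it without arguments to preview the commands; run `sh ssh_guard.sh apply` as root, from a session you can afford to lose and with a second console open, to install them. Rules installed this way do not survive a reboot unless saved with iptables-save and restored at boot. The difference between the two limits is what Michelle's question is about: connlimit counts connections that exist right now and has no memory, while hashlimit keeps a per-source token bucket that ages out after the expire interval, so a source that backs off is unblocked without anyone touching the firewall. Both only ever see the SYN of a new connection; established SSH sessions are not affected. fail2ban keeps its value for the log-based view, but with tens of thousands of attacking addresses its default per-IP iptables rules form a linear chain the kernel walks for every packet; current versions ship ipset-based banactions that turn that into a single hash lookup and take most of that load off the box.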
 

Thread Tools




All times are GMT. The time now is 12:47 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org