Friday, January 28, 2011

Is my server being attacked by DDOS? See the log file...

Hello. For many days, maybe months, now, one of my servers has been crashing almost every day. Sometimes more than once a day.

That is worrying me a lot.

My log at /var/log/messages is full of lines like these below:

Oct  8 13:36:25 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=93.150.204.152 DST=00.000.000.000 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=33286 DF PROTO=TCP SPT=4957 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 
Oct  8 13:36:25 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=93.150.204.152 DST=00.000.000.000 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=14135 DF PROTO=TCP SPT=4959 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 
Oct  8 13:36:25 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=93.150.204.152 DST=00.000.000.000 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=63643 DF PROTO=TCP SPT=4958 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 
Oct  8 13:36:26 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=93.150.204.152 DST=00.000.000.000 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=4301 DF PROTO=TCP SPT=4960 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 
Oct  8 13:39:10 host kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=218.30.22.82 DST=00.000.000.000 LEN=404 TOS=0x00 PREC=0x00 TTL=116 ID=34607 PROTO=UDP SPT=1271 DPT=1434 LEN=384 
Oct  8 13:40:14 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=119.152.144.40 DST=00.000.000.000 LEN=56 TOS=0x00 PREC=0x00 TTL=49 ID=23737 DF PROTO=TCP SPT=2435 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 

Note that I replaced my server's IP with 00.000.000.000.

I always get a lot of log messages about brute force attacks. Failed login attempts...

Can someone give me some idea about what to do to solve this problem?

I already have CSF and DDOS deflate installed. But they are not solving the problem.

My server is CentOS, Apache2.

  • It looks like someone is trying to connect via telnet (DPT=23) and SQL (DPT=1434) ports; these REALLY should not be exposed to the internet. I would completely filter them at the firewall. That should at least clean up your logs; if the server keeps crashing, you can try and see if it is something else.

    jl : I believe that UDP protocol on port 1434 would be the SQL Server Browser.
    From Zypher
  • As they are blocked, these connections are not harmful for a DDOS. Logs are only there to let you know who tried to attack you. What is harmful is when the number of half-open connections gets near the limit you specified in your config. What I suggest is to follow the advice of Zypher and have your firewall moderate these connections.

    From Gopoi
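As an added example (not part of the question or either reply), a script that does what both replies point at: it parses the `Firewall: *TCP_IN Blocked*` lines quoted in the question, counts which ports and sources the firewall is dropping (Zypher's point: whether 23 and 1434 dominate the noise) and flags any source whose SYN count to one port within a single minute reaches a threshold (Gopoi's half-open-connection concern). The threshold value and the report layout are assumptions; the sample input is the six lines from the post, with the server IP masked as there.

```python
import re
from collections import Counter, defaultdict

# Sample input: the six /var/log/messages lines quoted in the post (server IP masked as in the post).
SAMPLE_LOG = """\
Oct  8 13:36:25 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=93.150.204.152 DST=00.000.000.000 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=33286 DF PROTO=TCP SPT=4957 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  8 13:36:25 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=93.150.204.152 DST=00.000.000.000 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=14135 DF PROTO=TCP SPT=4959 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  8 13:36:25 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=93.150.204.152 DST=00.000.000.000 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=63643 DF PROTO=TCP SPT=4958 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  8 13:36:26 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=93.150.204.152 DST=00.000.000.000 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=4301 DF PROTO=TCP SPT=4960 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  8 13:39:10 host kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=218.30.22.82 DST=00.000.000.000 LEN=404 TOS=0x00 PREC=0x00 TTL=116 ID=34607 PROTO=UDP SPT=1271 DPT=1434 LEN=384
Oct  8 13:40:14 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:30:48:63:3b:5d:00:1b:0d:ec:8e:40:08:00 SRC=119.152.144.40 DST=00.000.000.000 LEN=56 TOS=0x00 PREC=0x00 TTL=49 ID=23737 DF PROTO=TCP SPT=2435 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
"""

# Line shape: "Mon dd HH:MM:SS host kernel: Firewall: *CHAIN Blocked* key=value ... bare-flags"
HEADER_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d):\d\d \S+ kernel: Firewall: \*(\w+) Blocked\* (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (minute, chain, fields, flags) for one CSF/iptables log line, or None if it is not one."""
    m = HEADER_RE.match(line.rstrip())
    if not m:
        return None
    minute, chain, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))                     # UDP lines carry LEN= twice; last one wins, we only need SRC/PROTO/DPT
    flags = {tok for tok in rest.split() if "=" not in tok}   # bare tokens such as DF and SYN
    return minute, chain, fields, flags

def summarize(log_text, syn_per_minute=20):
    """Count blocked hits per source and per PROTO/DPT, and flag sources whose SYN count to one port
    within a single minute reaches syn_per_minute (assumed threshold: a burst, not a lone scan probe)."""
    by_src, by_port = Counter(), Counter()
    syn_buckets = defaultdict(int)                            # (src, dpt, minute) -> SYN count
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, _chain, f, flags = parsed
        src, port = f.get("SRC"), f"{f.get('PROTO')}/{f.get('DPT')}"
        by_src[src] += 1
        by_port[port] += 1
        if f.get("PROTO") == "TCP" and "SYN" in flags:
            syn_buckets[(src, f.get("DPT"), minute)] += 1
    peak = defaultdict(int)                                   # worst single-minute SYN burst per source
    for (src, _dpt, _minute), n in syn_buckets.items():
        peak[src] = max(peak[src], n)
    flagged = {src: n for src, n in peak.items() if n >= syn_per_minute}
    return {"by_src": by_src, "by_port": by_port, "syn_flood_suspects": flagged}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, syn_per_minute=3))            # low threshold so the 6-line sample shows a hit
```

On a real box, feed it `grep 'Firewall:' /var/log/messages` and watch whether the dropped ports are all ones that should be closed anyway (as in the sample, where 23 and 1434 make up every line) or whether one source is bursting SYNs at a port you actually serve.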
