Mike McMullen wrote:
----- Original Message -----
From: "Mike McMullen" <mlm(a)loanprocessing.net>
>
> Hi All,
>
> I am experiencing occasional hangs on an FC4 web server that is
> also a name server. After rebooting the only thing I see in the logs
> are about a zillion messages from named stating "RCODE (SERVFAIL)".
>
> Here is an example:
>
> Jul 14 02:03:37 www named[1652]: unexpected RCODE (SERVFAIL)
> resolving '52.134.78.140.in-addr.arpa/PTR/IN': 140.78.2.62#53
>
> These messages go on for about 15-18 minutes and then the system hangs.
>
> I'm assuming it's some type of hacking attempt.
>
> Can anyone give me some insight on what might be happening here and
> better yet how to prevent it?
>
> Thanks,
>
> Mike

Reviewing the logs more closely I also see brute force attempts on
sshd. I have a rule set up in iptables to disable login attempts for
1 minute if there are 3 attempts a minute. The logs show the same site
being blocked and then trying again about 5 minutes later. However, the
system hang occurs about 7-8 minutes after the last ssh attempt and
about 100-200 RCODE errors later.

Any help appreciated!

Mike

Maybe you should look into denyhosts. I believe it's in the Extras
repository, and you can configure it to deny access to sshd from any IP
address that repeatedly fails logins (brute force attacks). There's also
a configuration option that allows you to block all internet services to
that IP address.

Sorry I can't help you with why your system is hanging, but if you're
not being brute force attacked, maybe your system won't hang anymore.

Hope this helps,
Justin Willmert
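
Added example (not part of the thread and not from either poster): a small Python script that turns the in-addr.arpa names in named's SERVFAIL lines back into IPv4 addresses and counts them next to sshd failed-login sources, so the two kinds of log entries Mike mentions can be compared per address. Apart from the one named line quoted from the thread, the log lines are constructed, and the sshd "Failed password" line format and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# First line is the named entry quoted in the thread; the rest are constructed
# samples using documentation address ranges.
SAMPLE_LOG = """\
Jul 14 02:03:37 www named[1652]: unexpected RCODE (SERVFAIL) resolving '52.134.78.140.in-addr.arpa/PTR/IN': 140.78.2.62#53
Jul 14 02:05:01 www sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul 14 02:05:02 www named[1652]: unexpected RCODE (SERVFAIL) resolving '7.113.0.203.in-addr.arpa/PTR/IN': 192.0.2.53#53
Jul 14 02:05:04 www sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40125 ssh2
Jul 14 02:05:05 www named[1652]: unexpected RCODE (SERVFAIL) resolving '7.113.0.203.in-addr.arpa/PTR/IN': 192.0.2.53#53
Jul 14 02:05:06 www named[1652]: unexpected RCODE (SERVFAIL) resolving '7.113.0.203.in-addr.arpa/PTR/IN': 192.0.2.53#53
Jul 14 02:06:40 www sshd[2110]: Failed password for root from 198.51.100.23 port 51000 ssh2
"""

NAMED_RE = re.compile(r"named\[\d+\]: unexpected RCODE \(SERVFAIL\) resolving '([^/']+)/PTR/IN'")
# Assumed sshd message format; adjust to what your sshd actually logs.
SSHD_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def ptr_to_ip(name):
    """'52.134.78.140.in-addr.arpa' -> '140.78.134.52'; None if not a full IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:  # partial zones, non-numeric labels, etc.
        return None

def correlate(log_text):
    """Map each address to (SERVFAIL PTR lookups for it, sshd failed logins from it)."""
    servfail, ssh_fail = Counter(), Counter()
    for line in log_text.splitlines():
        m = NAMED_RE.search(line)
        if m:
            ip = ptr_to_ip(m.group(1))
            if ip:
                servfail[ip] += 1
            continue
        m = SSHD_RE.search(line)
        if m:
            ssh_fail[m.group(1)] += 1
    return {ip: (servfail[ip], ssh_fail[ip]) for ip in sorted(set(servfail) | set(ssh_fail))}

if __name__ == "__main__":
    for ip, (dns_errors, ssh_failures) in correlate(SAMPLE_LOG).items():
        print(f"{ip:15}  SERVFAIL PTR lookups: {dns_errors}  sshd failures: {ssh_failures}")
```

An address that shows up in both columns is one whose reverse lookup failed around the time it was also failing sshd logins; an address with only SERVFAIL entries was being looked up for some other reason.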