FC4, named & system hang

Justin Willmert justin at jdjlab.com
Fri Jul 14 15:33:44 UTC 2006


Mike McMullen wrote:
>
> ----- Original Message ----- From: "Mike McMullen" <mlm at loanprocessing.net>
>
>
>>
>> Hi All,
>>
>> I am experiencing occasional hangs on an FC4 web server that is
>> also a name server. After rebooting the only thing I see in the logs
>> are about a zillion messages from named stating "RCODE (SERVFAIL)".
>>
>> Here is an example:
>>
>> Jul 14 02:03:37 www named[1652]: unexpected RCODE (SERVFAIL) resolving '52.134.78.140.in-addr.arpa/PTR/IN': 140.78.2.62#53
>>
>> These messages go on for about 15-18 minutes and then the system hangs.
>>
>> I'm assuming it's some type of hacking attempt.
>>
>> Can anyone give me some insight on what might be happening here and
>> better yet how to prevent it?
>>
>> Thanks,
>>
>> Mike
>
> Reviewing the logs more closely I also see brute force attempts on sshd.
> I have a rule set up in iptables to disable login attempts for 1 minute
> if there are 3 attempts a minute.
>
> The logs show the same site being blocked and then trying again about
> 5 minutes later.
>
> However, the system hang occurs about 7-8 minutes after the last ssh
> attempt and about 100-200 RCODE errors later.
>
> Any help appreciated!
>
> Mike
>
>
Maybe you should look into denyhosts. I believe it's in the Extras 
repository, and you can configure it to deny access to sshd from any IP 
address that repeatedly fails logins (brute force attacks). There's also 
a configuration option that allows you to block all internet services to 
that IP address.

Sorry I can't help you with why your system is hanging, but if you're 
not being brute force attacked, maybe your system won't hang anymore.

Hope this helps,
Justin Willmert
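
Added example, not part of either poster's message: a small Python log summarizer for the two symptoms discussed in this thread. It counts the addresses named is trying to reverse-resolve when it logs SERVFAIL and the sources of failed sshd logins, then lists addresses that appear in both. The sample log is constructed (only the first named line's content is from the thread, joined onto one line), and the sshd "Failed password" line format and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: only the first line's content comes from the thread
# (joined onto one line). The other lines and the 192.0.2.x / 198.51.100.x
# documentation addresses are made up for illustration.
SAMPLE_LOG = """\
Jul 14 02:03:37 www named[1652]: unexpected RCODE (SERVFAIL) resolving '52.134.78.140.in-addr.arpa/PTR/IN': 140.78.2.62#53
Jul 14 02:03:39 www named[1652]: unexpected RCODE (SERVFAIL) resolving '52.134.78.140.in-addr.arpa/PTR/IN': 140.78.2.62#53
Jul 14 02:03:41 www sshd[2210]: Failed password for invalid user admin from 192.0.2.9 port 40112 ssh2
Jul 14 02:03:44 www sshd[2212]: Failed password for root from 192.0.2.9 port 40120 ssh2
Jul 14 02:04:02 www named[1652]: unexpected RCODE (SERVFAIL) resolving '9.2.0.192.in-addr.arpa/PTR/IN': 198.51.100.53#53
"""

NAMED_RE = re.compile(
    r"named\[\d+\]: unexpected RCODE \(SERVFAIL\) resolving "
    r"'([0-9.]+)\.in-addr\.arpa/PTR/IN': ([0-9.]+)#\d+"
)
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from ([0-9.]+) port \d+"
)

def ptr_to_ip(reversed_octets):
    """'52.134.78.140' (from the in-addr.arpa name) -> '140.78.134.52'."""
    return ".".join(reversed(reversed_octets.split(".")))

def summarize(log_text):
    """Count SERVFAIL reverse lookups and failed sshd logins per address."""
    lookups, upstreams, ssh_failures = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = NAMED_RE.search(line)
        if m:
            lookups[ptr_to_ip(m.group(1))] += 1  # address being reverse-resolved
            upstreams[m.group(2)] += 1           # server that answered SERVFAIL
            continue
        m = SSHD_RE.search(line)
        if m:
            ssh_failures[m.group(1)] += 1        # source of the failed login
    return {
        "lookups": lookups,
        "upstreams": upstreams,
        "ssh_failures": ssh_failures,
        "in_both": sorted(set(lookups) & set(ssh_failures)),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run against the real syslog text instead of `SAMPLE_LOG`, the `in_both` list shows whether the SERVFAIL bursts line up with the addresses failing sshd logins or come from unrelated lookups.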



