On Wednesday 2007-04-25 at 10:29 +0100, G.T.Smith wrote:
> Disabling ftp will solve the first cause... but there is something of more concern here...
>
> Occasionally I need to enable external ssh access. When I enable external ssh access, I usually get ssh scan attacks. They do not normally make a heavy impact on network or server load.
>
> There is a new rule in the susefirewall2 script to handle repeated attempts; I mentioned it the other day. Before that we had to do it by hand.
>
> What I do not get is the subsequent high level of DNS error responses if an address is not resolvable. This may be because of the way my DNS setup is configured, or I am just lucky. The extra traffic (1 DNS resolution request seems to have generated 14 responses) and the associated overheads are effectively a DoS attack, but for this effect to be experienced either the settings of the DNS servers queried or the DNS settings of the target server are not quite right. This could cause problems not just in this scan attack but for anything that needs to resolve an address and the address is not resolvable (sending a raft of mail from an unresolvable or spoofed address could have a similar effect). That is worrying...
But this is not the fault of the attacked DNS. The first DNS error message is this:

Apr 22 11:14:55 bonza named[5250]: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 66.76.2.130#53

If you try that IP yourself, you will get an error:

cer@nimrodel:~> host 216.101.241.110
Host 110.241.101.216.in-addr.arpa not found: 2(SERVFAIL)

And if I look at my '/var/lib/named/log/named-lame-servers' file I see those same log entries he got:

25-Apr-2007 11:49:59.332 info: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 80.58.61.254#53
25-Apr-2007 11:50:00.386 info: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 80.58.61.250#53
25-Apr-2007 11:50:00.838 info: lame server resolving '110.241.101.216.in-addr.arpa' (in '241.101.216.in-addr.arpa'?): 206.13.29.11#53
25-Apr-2007 11:50:01.556 info: lame server resolving '110.241.101.216.in-addr.arpa' (in '241.101.216.in-addr.arpa'?): 206.13.28.11#53
25-Apr-2007 11:50:01.830 info: unexpected RCODE (REFUSED) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 63.192.50.218#53
25-Apr-2007 11:50:02.518 info: unexpected RCODE (REFUSED) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 198.69.181.18#53

So there is nothing wrong with his DNS or those of his providers; the fault is with the attacker's DNS! "Hey, please, Mr. Bad Guy, would you please correct your DNS entries before attacking me, please?" ;-) :-p

Why the OP gets 5 rcode entries and me two (before the lame error) might have to do with the number of forwarders in his definition. The first block in my case corresponds to the forwarders, the second I don't know; in any case, they are DNS servers my daemon interrogated. But the culprit one is that of the attackers, not any DNS on our side.

-- 
Cheers,
Carlos E. R.
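The fan-out Carlos describes (one PTR lookup for the scanning host producing a run of SERVFAIL, REFUSED and lame-server entries from several upstreams) can be measured from the named log itself. The following Python is an added example written for this thread, not code from the list or from BIND: it parses both line formats quoted above (the syslog line and the named-lame-servers channel), groups failures per queried name and upstream server, and flags names whose single lookup fanned out past a chosen threshold. The sample log is constructed from the lines in the post plus one ordinary query line that must be ignored.

```python
import re
from collections import defaultdict

# Matches the message part of both the syslog form and the named-lame-servers channel form.
_EVENT = re.compile(
    r"(?:unexpected RCODE \((?P<rcode>[A-Z]+)\)|(?P<lame>lame server)) resolving "
    r"'(?P<name>[^'/]+)(?:/(?P<qtype>[A-Z]+)/(?P<qclass>[A-Z]+))?'"
    r"(?: \(in '[^']*'\?\))?: (?P<server>[0-9.]+)#(?P<port>\d+)"
)

def parse_event(line):
    """Return (name, outcome, server) for a named failure line, else None."""
    m = _EVENT.search(line)
    if not m:
        return None
    return m.group("name"), "LAME" if m.group("lame") else m.group("rcode"), m.group("server")

def ptr_to_ip(name):
    """Turn '110.241.101.216.in-addr.arpa' back into '216.101.241.110' (None if not a PTR name)."""
    if not name.endswith(".in-addr.arpa"):
        return None
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))

def summarize(lines):
    """Per queried name: failure-outcome counts and the set of upstream servers involved."""
    out = defaultdict(lambda: {"outcomes": defaultdict(int), "servers": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # ordinary query/answer lines are not failures
        name, outcome, server = ev
        out[name]["outcomes"][outcome] += 1
        out[name]["servers"].add(server)
    return dict(out)

def noisy_lookups(summary, threshold):
    """Names whose one lookup fanned out into at least `threshold` failed upstream answers."""
    return sorted(n for n, s in summary.items() if sum(s["outcomes"].values()) >= threshold)

# Constructed sample: the lines quoted in the post plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
Apr 22 11:14:55 bonza named[5250]: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 66.76.2.130#53
25-Apr-2007 11:49:59.332 info: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 80.58.61.254#53
25-Apr-2007 11:50:00.386 info: unexpected RCODE (SERVFAIL) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 80.58.61.250#53
25-Apr-2007 11:50:00.838 info: lame server resolving '110.241.101.216.in-addr.arpa' (in '241.101.216.in-addr.arpa'?): 206.13.29.11#53
25-Apr-2007 11:50:01.556 info: lame server resolving '110.241.101.216.in-addr.arpa' (in '241.101.216.in-addr.arpa'?): 206.13.28.11#53
25-Apr-2007 11:50:01.830 info: unexpected RCODE (REFUSED) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 63.192.50.218#53
25-Apr-2007 11:50:02.518 info: unexpected RCODE (REFUSED) resolving '110.241.101.216.in-addr.arpa/PTR/IN': 198.69.181.18#53
25-Apr-2007 11:50:03.000 info: client 192.0.2.10#4567: query: www.example.com IN A
""".splitlines()
```

Running `summarize(SAMPLE_LOG)` over a real log and feeding it to `noisy_lookups` with a threshold near the fan-out the OP saw (14) separates a scanner with broken reverse DNS from a genuine resolver misconfiguration on your own side: the former shows up as one name with many servers, the latter as many names failing at the same few servers.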