Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] HELP ! YOU-Update on SuSE 8.1 firewall did something evil to my kernel
  • From: Philipp Rusch <Philipp.Rusch@xxxxxxxxxxxx>
  • Date: Wed, 10 Sep 2003 13:14:40 +0200
  • Message-id: <3F5F07A0.94A70BF2@xxxxxxxxxxxx>
Thanks, great tip !
I will try out the arp cache config immediately.

That "worm attack" started on Sept. 5th, as I noticed now when
investigating further in the logs (working backwards ...).
So nothing that came from the update, since that was done on the 9th.
Hmmm, double checked the complete LAN (ca. 58 NT4 boxes) with
McAfee 4291 DAT (most recent) and found nothing suspicious yesterday.
Although we are not done with the RPC patches at all workstations.
Is this a UDP port that ms-blaster is using? I thought it uses only TCP
port 135 or 445 (SMB shares?).
All I open up in my firewall config is port 22 (ssh) and the ports 8080/8090
and 3128 for the different proxy setups (historical).
Then there is some 515 (LAN printers from the company intranet), but that's
all ... there should be some DROPs or REJECTs from the firewall,
but I didn't notice any ...

Still searching,
Philipp

Sven 'Darkman' Michels wrote:

> Philipp Rusch wrote:
> > Hi all,
> >
> > yesterday I updated my SuSE 8.1 system with the recommended (auto) updates
> > through YOU. I noticed that there was a kernel update in the list, but I didn't mind.
> >
> > Today, when under stress, my firewall gives hundreds of messages like:
> >
> > Sep 10 11:53:27 proxy1 kernel: NET: 39 messages suppressed.
> >
> > I did NOT change a thing besides those updates and rebooted.
> > The firewall is done through iptables and configured with the "shorewall" script, which
> > has been in use for over a year now without any problems.
> > Now the firewall simply stops after a certain while.
> >
> > Unfortunately I cannot log in because the SSH process is crashing as well and I am
> > not on site, but I managed to get the logs via email.
> >
> > Any hint / help is appreciated very much.
>
> This is not a kernel bug. I would say you've some kind of worm
> inside your network. Dunno which one exactly, but I've seen it on
> many routers in the last 3 weeks (would say blaster or sobig). The
> "solution" beside removing the worm is simple:
> make your ARP cache table bigger to hold more ARP entries.
> This can be done by:
> echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
> echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> this should be ok for now. Hopefully your RAM isn't full at all ;)
> Your Box will work ok again and the errors should be gone. After
> that please check for the worm. The worm pings your local network
> (any IP) and so you'll get many incomplete ARP entries. You can
> check that (if you have access again to the box) with the arp
> command. If you want, you can track how many entries are in your
> cache with arp -an | wc -l (and you'll see that it increases up
> to more than 1024, the old default maximum).
>
> HTH,
> Sven
>

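The check Sven describes above (count the table with arp -an, look for incomplete entries, raise the gc_thresh sysctls), as an added shell example that is not part of this thread or of the SuSE/shorewall tooling. It parses a constructed arp -an sample instead of the live table, assumes the 2.4-era defaults of 128/512/1024 for gc_thresh1..3 (consistent with the "1024, the old default maximum" remark above), and only prints the sysctl lines rather than writing to /proc:

```shell
#!/bin/sh
# Added example: triage an ARP/neighbour table on a constructed `arp -an`
# sample and print (not apply) the gc_thresh* settings. Nothing writes /proc.

# Constructed sample of net-tools `arp -an` output. "<incomplete>" marks a
# neighbour the kernel is still trying to resolve; a host sweeping the subnet
# leaves thousands of these behind.
SAMPLE_ARP='? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.23) at <incomplete> on eth0
? (192.168.1.77) at 00:11:22:33:44:66 [ether] on eth0
? (192.168.1.201) at <incomplete> on eth0
? (192.168.1.202) at <incomplete> on eth0'

# Total entries: the same number `arp -an | wc -l` gives.
arp_total() {
    printf '%s\n' "$1" | grep -c ' on ' || true
}

# Entries still unresolved; a large share of these is the sweep's fingerprint.
arp_incomplete() {
    printf '%s\n' "$1" | grep -c '<incomplete>' || true
}

# "yes" when at least half of the entries are incomplete (threshold is an
# assumption for this example, not a kernel or vendor value).
sweep_suspected() {
    total=$(arp_total "$1"); inc=$(arp_incomplete "$1")
    if [ "$total" -gt 0 ] && [ $((inc * 2)) -ge "$total" ]; then echo yes
    else echo no
    fi
}

# Classify a table size against the three thresholds. Below gc_thresh1 the
# collector never runs; above gc_thresh2 it runs aggressively; at gc_thresh3
# new entries fail and the kernel starts logging (rate-limited, hence the
# "NET: N messages suppressed" lines in the original post).
neigh_state() {
    n=$1; t1=$2; t2=$3; t3=$4
    if [ "$n" -lt "$t1" ]; then echo idle
    elif [ "$n" -lt "$t2" ]; then echo gc
    elif [ "$n" -lt "$t3" ]; then echo pressure
    else echo overflow
    fi
}

# Persistent form of the three echo commands from the reply, for /etc/sysctl.conf.
neigh_sysctl_lines() {
    printf 'net.ipv4.neigh.default.gc_thresh1 = %s\n' "$1"
    printf 'net.ipv4.neigh.default.gc_thresh2 = %s\n' "$2"
    printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$3"
}

# Run on the sample with the assumed defaults 128/512/1024.
total=$(arp_total "$SAMPLE_ARP")
inc=$(arp_incomplete "$SAMPLE_ARP")
echo "entries=$total incomplete=$inc state=$(neigh_state "$total" 128 512 1024) sweep=$(sweep_suspected "$SAMPLE_ARP")"
neigh_sysctl_lines 1024 2048 4096
```

On the box itself, feed the live table in with arp_total "$(arp -an)". The echo lines in the reply take effect immediately but are lost on reboot; the printed net.ipv4.neigh.default.* lines are the form that belongs in /etc/sysctl.conf. Raising the limits only buys time: the incomplete entries keep arriving until the host doing the sweep is found and cleaned.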