Mike McMullen wrote:
----- Original Message -----
From: "Mike McMullen" <mlm@xxxxxxxxxxxxxxxxxx>
Hi All,
I am experiencing occasional hangs on an FC4 web server that is
also a name server. After rebooting the only thing I see in the logs
are about a zillion messages from named stating "RCODE (SERVFAIL)".
Here is an example:
Jul 14 02:03:37 www named[1652]: unexpected RCODE (SERVFAIL) resolving '52.134.78.140.in-addr.arpa/PTR/IN': 140.78.2.62#53
These messages go on for about 15-18 minutes and then the system hangs.
I'm assuming it's some type of hacking attempt.
Can anyone give me some insight on what might be happening here and
better yet how to prevent it?
Thanks,
Mike
Reviewing the logs more closely I also see brute force attempts on
sshd. I have a rule set up in iptables to disable login attempts for
1 minute if there are 3 attempts a minute.
The logs show the same site being blocked and then trying again about
5 minutes later.
However, the system hang occurs about 7-8 minutes after the last ssh
attempt and about 100-200 RCODE errors later.
Any help appreciated!
Mike
Maybe you should look into denyhosts. I believe it's in the Extras
repository, and you can configure it to deny access to sshd from any IP
address that repeatedly fails logins (brute force attacks). There's also
a configuration option that allows you to block all internet services to
that IP address.
Sorry I can't help you with why your system is hanging, but if you're
not being brute force attacked, maybe your system won't hang anymore.
Hope this helps,
Justin Willmert
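
A triage sketch for the logs discussed in this thread, added here as an example and not part of any poster's message: it turns each failing `in-addr.arpa` PTR name back into the address being looked up, counts which upstream servers returned SERVFAIL, and reports any looked-up address that also appears in sshd failed-password lines. Assumptions: only the first named line comes from the thread; the other lines are constructed (documentation-range addresses), and the function names are hypothetical.

```python
import re
from collections import Counter
# Constructed sample: line 1 is the named entry quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
Jul 14 02:03:37 www named[1652]: unexpected RCODE (SERVFAIL) resolving '52.134.78.140.in-addr.arpa/PTR/IN': 140.78.2.62#53
Jul 14 02:03:38 www named[1652]: unexpected RCODE (SERVFAIL) resolving '52.134.78.140.in-addr.arpa/PTR/IN': 140.78.2.62#53
Jul 14 02:03:39 www named[1652]: unexpected RCODE (SERVFAIL) resolving '7.113.0.203.in-addr.arpa/PTR/IN': 192.0.2.53#53
Jul 14 01:55:10 www sshd[2201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 14 01:55:12 www sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jul 14 01:56:01 www sshd[2207]: Failed password for root from 198.51.100.9 port 51812 ssh2
"""

NAMED_RE = re.compile(
    r"named\[\d+\]: unexpected RCODE \((?P<rcode>\w+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>\w+)/IN': (?P<server>[\d.]+)#\d+")
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) ")

def ptr_to_ip(qname):
    """'52.134.78.140.in-addr.arpa' -> '140.78.134.52'; None unless a full IPv4 PTR name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4]
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))  # PTR names list the octets in reverse order

def triage(log_text):
    """Return (addresses looked up, upstream servers, addresses also seen failing sshd)."""
    looked_up, upstream, ssh_fail = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = NAMED_RE.search(line)
        if m and m["qtype"] == "PTR":
            ip = ptr_to_ip(m["qname"])
            if ip:
                looked_up[ip] += 1
                upstream[m["server"]] += 1
            continue
        m = SSHD_RE.search(line)
        if m:
            ssh_fail[m["ip"]] += 1
    # address -> (failed reverse lookups, failed sshd logins)
    overlap = {ip: (looked_up[ip], ssh_fail[ip]) for ip in looked_up if ip in ssh_fail}
    return looked_up, upstream, overlap

if __name__ == "__main__":
    for label, result in zip(("looked up", "upstream", "overlap"), triage(SAMPLE_LOG)):
        print(label, dict(result))
```

An empty overlap on real logs means the failing reverse lookups are for addresses other than the ones hitting sshd, so the two log streams should be investigated separately.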