- 01-02-2011 #1 (Just Joined!; Join Date: Jan 2011; Posts: 2)
Linux Server issue - your help would be much appreciated
Hello everybody and Happy New Year!!!
As I started to get into Linux more and more I am happy to be here. I am sure that I will learn some great things from all of you. I used to work mostly on an MS platform so now I am trying to put my Linux hat on.
My first post and I am already asking for some advice...
I help out with basic system administration at a small company as they can't afford a full-time person. They have a RH9 server in production running DNS (BIND), a web server (Apache) and e-mail (Courier-IMAP). The hardware platform is an older Dell machine with a RAID 5 controller. The server was running fine for the past year since I started helping them, until December 2010 when it started crashing. I checked the logs (messages, secure, auth) and I can see some DOS attack coming from some IPs in Korea. This was also happening before the crash, so I always tried to provide better security by rotating system passwords, setting up tight rules on the hardware firewall ... (the server is placed in the DMZ).
My problem is that I am trying to find the root cause of this crash as I am not sure if it is caused by the attack or maybe hardware failure or even some other external cause.
I even attached a small capture from the logs.
Your help would be much appreciated, any advice would be great.
Thank you.
- 01-02-2011 #2
This looks like a brute force attack. The problem in diagnosing this issue is that you have a system in 2011 running an operating system that was last updated in 2003. You have 8 years of unpatched vulnerabilities.
It is very likely that you are running into hardware issues, but I don't see it in that log, just a brute force attempt on your SSHD daemon, and network interface issues.
How is it crashing? Full system restart? Network dropping? Something else?
New to the internet, technical forums, or the hacker / open source community??
Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html
RHCE for RHEL version 5
RHCT for RHEL version 4
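An added example, not part of this thread: the "brute force attempt on your SSHD daemon" the reply above reads from the logs can be confirmed by counting "Failed password" lines per source address in /var/log/secure. The log lines below are constructed to mimic the sshd syslog format (the original poster's capture is an image and is not reproduced); the threshold of 3 failures is an arbitrary assumption.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines in sshd's syslog format; not the
# poster's capture. Addresses are documentation/private ranges.
SAMPLE_SECURE_LOG='Jan  2 03:14:07 web sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan  2 03:14:09 web sshd[2233]: Failed password for illegal user admin from 203.0.113.7 port 51130 ssh2
Jan  2 03:14:11 web sshd[2235]: Failed password for root from 203.0.113.7 port 51140 ssh2
Jan  2 03:14:13 web sshd[2237]: Failed password for illegal user test from 203.0.113.7 port 51151 ssh2
Jan  2 08:01:55 web sshd[2602]: Accepted publickey for alice from 192.168.1.20 port 40210 ssh2
Jan  2 08:10:22 web sshd[2650]: Failed password for alice from 192.168.1.20 port 40218 ssh2
Jan  2 08:10:30 web sshd[2652]: Accepted password for alice from 192.168.1.20 port 40219 ssh2'

# Read log lines on stdin; print "<failures> <ip>" for every source address that
# produced an sshd "Failed password" line, busiest source first. The source is
# the token after "from", which works for both "for root from" and
# "for illegal user admin from" line shapes.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Read log lines on stdin; print only the addresses at or above a failure
# threshold (default 3), i.e. the candidates for a brute-force source.
brute_force_sources() {
    threshold="${1:-3}"
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run: show the ranking and the flagged sources for the sample.
printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_SECURE_LOG" | brute_force_sources 3
```

On a live machine the same functions read the real file: `brute_force_sources 3 < /var/log/secure`. A single address producing failures a few seconds apart against several user names, as 203.0.113.7 does in the sample, is the pattern the reply above calls a brute force attempt; one failure from the administrators' own address (192.168.1.20) followed by a success is ordinary noise.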
- 01-02-2011 #3 (Just Joined!; Join Date: Jan 2011; Posts: 2)
It looks like the network is dropping. A reboot for the server will get everything up and running.
I am fully aware that the OS is old and the patching is not even close to up to date.
That's why I am trying to put together a quote in order to upgrade both the hardware and the software.
I would like to change the RH9 to a newer distribution but I am not sure which path to take: would Fedora get the job done or should I look into buying an Enterprise Linux ???
Thank you again.
- 01-03-2011 #4
Fedora is bleeding edge and the test environment for RH. If you are looking to upgrade, then for a business I would suggest using either RHEL5 or going with the free version of RH, which is CentOS. CentOS is built using the SRPMs from RH.
- 01-03-2011 #5
I completely agree with Lazydog.
If you are not experienced enough with Linux, I would highly recommend the RHEL path. The support you pay for may be worth it in the end, knowing that you have someone to call for support.
If you need to cut costs, CentOS will work, but you won't have that support, it will all fall on you to fix issues if they come up.
In function, though, the two distributions are identical, but RHEL patches become available quicker.
- 01-03-2011 #6 (Just Joined!; Join Date: Jan 2011; Location: Hyderabad, India; Posts: 17)
The image shows that the attack is a brute-force attack on the server.
Implementing iptables rules and a proper ssh configuration will get you out of the problem.
It is better if you stop the ssh service if you don't need the ssh connection (it is a bad idea).
- 01-04-2011 #7
I'm guessing ssh is needed since this is a server. Rarely will a box be administered by anything but SSH, so it's highly unlikely he's able to do that. But if you can make it so that only local addresses have access to the ssh port (an iptables rule will do this), then you can at least stop outsiders from trying to brute force it.
However, I don't think a brute force would cause your network to crash. My home server has brute force attempts all the time, I just don't do anything about it because I disabled password authentication, and only keypairs can be used to login. My network has never crashed like that.
You can try to implement an iptables rule to drop packets to port 22 from all IPs NOT on your network; maybe it will fix it, who knows.
- 01-04-2011 #8 (Just Joined!; Join Date: Sep 2010; Location: Dhaka, Bangladesh; Posts: 29)
Here's some code I stumbled upon to block brute force attacks using IPTABLES... not entirely sure how it works.
I think you should place it as high up as possible in your iptables. Of course, you need to tune it based on your system.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --update --seconds 60 --hitcount 4 -j DROP
This is a common set of rules used to block brute force ssh attacks. The first rule makes sure the IP connecting is added to the sshbrute list. The second rule tells iptables to check the sshbrute list and, if the packet threshold is exceeded, to drop the traffic.
- 01-04-2011 #9
The -m sshbrute enables a module 'sshbrute'. It MAY be a nonstandard module that will not work without additional software being installed. I don't know iptables THAT well, so it could be a builtin module; you'll have to test to make sure.
- 01-05-2011 #10
Another option is to just move the SSH port off of 22 to another high range port number. This is usually the easiest and stops ~99% of BF attacks on ssh.
EDIT: That sshbrute module is not on my system so those rules don't work.
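An added example, not from any poster in this thread, that puts the two working measures discussed above into one script: post #7's "only local addresses reach the ssh port" rule and post #8's per-source rate limit. The rules posted in #8 fail because, as #10 confirms, there is no `sshbrute` match module; the standard module for a named per-source list is `recent` (`-m recent --name <list>`), and `sshbrute` is simply the list name. The interface `eth0`, port 22, the admin network `192.168.1.0/24`, the `DRY_RUN`/`LOCAL_ONLY` switches and the `run_iptables` wrapper are this example's assumptions, and it assumes that SSH traffic not dropped here is accepted by a later rule or the chain's default policy, as the thread's own rules do.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: admin LAN 192.168.1.0/24,
# SSH on eth0 port 22. DRY_RUN=1 prints the rules instead of applying them;
# LOCAL_ONLY=yes applies post #7's strict variant (only the admin LAN may connect).
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
LOCAL_ONLY="${LOCAL_ONLY:-no}"

# Wrapper so the rule set can be previewed without root: with DRY_RUN=1 the
# command line is printed, otherwise iptables is invoked.
run_iptables() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_ssh_rules() {
    # The administrators' network is accepted first and is never rate limited.
    run_iptables -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -s "$ADMIN_NET" -j ACCEPT
    if [ "$LOCAL_ONLY" = yes ]; then
        # Strict option: everything else on the SSH port is dropped.
        run_iptables -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -j DROP
        return 0
    fi
    # Record each new connection's source address in the "sshbrute" list.
    # -A keeps this --set rule ahead of the --update rule below; the -I used in
    # post #8 inserts at the top and so reverses that order.
    run_iptables -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name sshbrute --set
    # A source that opened 4 or more new connections within 60 seconds is dropped;
    # --update also refreshes its timestamp, so a persistent client stays blocked.
    run_iptables -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
}

# Post #7's other measure, keys only: returns 0 if the given sshd_config turns
# password logins off, 1 otherwise (sshd's default is "yes" when the key is absent,
# and a commented-out "#PasswordAuthentication no" does not count).
password_auth_disabled() {
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' "$1"
}

case "${1:-}" in
    apply)   apply_ssh_rules ;;
    preview) DRY_RUN=1; apply_ssh_rules ;;
esac
```

Run `sh ssh-rules.sh preview` to see the three rules the rate-limited variant produces, `LOCAL_ONLY=yes sh ssh-rules.sh preview` for the two-rule strict variant, and `sh ssh-rules.sh apply` as root to install them; `password_auth_disabled /etc/ssh/sshd_config` reports whether the keys-only setting from post #7 is in place. The `recent` match first appeared in the 2.4-era netfilter patches and is present in every current kernel, but whether the original poster's RH9 kernel has it is not something the thread establishes, so that is the first thing to check before relying on these rules there.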