Re: fail2ban increase loadaverage to 18

To: Michelle Konzack <linux4michelle@tamay-dogan.net>
Cc: Debian ISP <debian-isp@lists.debian.org>
Subject: Re: fail2ban increase loadaverage to 18
From: Iain Grant <iain@panfantastic.co.uk>
Date: Sat, 18 Aug 2012 18:25:43 +0100
Message-id: <[🔎] CAL=9LkVxeE_UvvkoNwiQij2vFEeUyniFwCt=XBjHFiwyB5Akww@mail.gmail.com>
In-reply-to: <[🔎] 20120818161050.GV28928@work1>
References: <[🔎] 20120818161050.GV28928@work1>

Change your ssh port, and enable key login only.

Or drop the syn packets except from whitelisted IPs.

Iain

On Sat, Aug 18, 2012 at 5:10 PM, Michelle Konzack
<linux4michelle@tamay-dogan.net> wrote:
> Hello Experts,
>
> Since two days I try to use fail2ban because I had several 100000  login
> attempts on each of my servers...
>
> Now it increas to several million
>
> In clear, my WHOLE network is attcked!
>
> There are 87 Servers in question (can be reached  trough  a  public  IP)
> which had in the beginning only attacks of one <rackspace.com> IP  which
> increased for some days to 4 IPs and now, since last night my servers do
> not more respond, I have encountered, that my servers beeing attacked by
> more then 20000 IPs with arround 2-10 requsts per second.
>
> fail2ban is trying to block it, but the loadaverage increase to over 18.
>
> The other problem is, that I use a remote syslog daemon and this  server
> had for 2 hours a loadaverage of >37 and I had to  shutdown  the  server
> and used the RSA to clean up the system.  It was trying  to  write  more
> then 60 MByte of logs (~ 800 files at once) per second
>
> My Internet connectivity is a redunant 10 GE using a CISCO 12008.    All
> used Switches (16 in total) are 3Com 3C17701 (4924) and I try  to  block
> some traffic at the switches.  Works  nice,  but  require  heavy  manual
> intervention..
>
> How do you handel such attacks?
>
> Note:  Rackspace has not respond to any of my requestes I have tried to
>        reach them by telephone, but they pick not up.    (is is not the
>        first time, that servers from <rackspace.com> attack my network)
>
> Thanks, Greetings and nice Day/Evening
>     Michelle Konzack
>
> --
> ##################### Debian GNU/Linux Consultant ######################
>    Development of Intranet and Embedded Systems with Debian GNU/Linux
>                Internet Service Provider, Cloud Computing
>                 <http://www.itsystems.tamay-dogan.net/>
>                   <http://www.debian.tamay-dogan.net/>
>
> itsystems@tdnet                     Jabber  linux4michelle@jabber.ccc.de
> Owner Michelle Konzack
>
> Gewerbe Strasse 3                   Tel office: +49-176-86004575
> 77694 Kehl                          Tel mobil:  +49-177-9351947
> Germany                             Tel mobil:  +33-6-61925193  (France)
>
> USt-ID:  DE 278 049 239
>
> Linux-User #280138 with the Linux Counter, http://counter.li.org/

Reply to:

Follow-Ups:
- Re: fail2ban increase loadaverage to 18
  - From: Michelle Konzack <linux4michelle@tamay-dogan.net>

References:
- fail2ban increase loadaverage to 18
  - From: Michelle Konzack <linux4michelle@tamay-dogan.net>

Prev by Date: fail2ban increase loadaverage to 18
Next by Date: Re: fail2ban increase loadaverage to 18
Previous by thread: fail2ban increase loadaverage to 18
Next by thread: Re: fail2ban increase loadaverage to 18
Index(es):
- Date
- Thread