Re: fail2ban increase loadaverage to 18

It is necessary to limit the number of connections to ssh with iptables, for example:
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP

18.08.2012 19:10, Michelle Konzack wrote:
Hello Experts,

For two days I have been trying to use fail2ban because I had several 100000
login attempts on each of my servers...

Now it has increased to several million.

In clear, my WHOLE network is attacked!

There are 87 servers in question (can be reached through a public IP)
which had in the beginning only attacks from one <rackspace.com> IP, which
increased for some days to 4 IPs, and now, since last night, my servers do
not respond any more. I have encountered that my servers are being attacked by
more than 20000 IPs with around 2-10 requests per second.

fail2ban is trying to block it, but the load average increases to over 18.

The other problem is that I use a remote syslog daemon, and this server
had a load average of >37 for 2 hours and I had to shut down the server
and used the RSA to clean up the system. It was trying to write more
than 60 MByte of logs (~ 800 files at once) per second.

My Internet connectivity is a redundant 10 GE using a CISCO 12008. All
used switches (16 in total) are 3Com 3C17701 (4924) and I try to block
some traffic at the switches. Works nice, but requires heavy manual

How do you handle such attacks?

Note:  Rackspace has not responded to any of my requests. I have tried to
        reach them by telephone, but they do not pick up.    (It is not the
        first time that servers from <rackspace.com> attack my network)
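
The connlimit rule suggested in the reply at the top of this message, wrapped so that it can be re-run without stacking duplicate rules. This is an added example, not code from either poster. The variable names IPT, SSH_PORT and MAX_CONN, the function names, and the choice to insert at position 1 of INPUT are assumptions made here.

```shell
#!/bin/sh
# Added example: idempotent install of a per-source SSH connection limit.
# IPT, SSH_PORT and MAX_CONN are names chosen for this sketch.
IPT="${IPT:-/sbin/iptables}"
SSH_PORT="${SSH_PORT:-22}"
MAX_CONN="${MAX_CONN:-3}"

# Rule spec without the chain, so the same words serve both -C and -I.
# --syn restricts the match to new connection attempts; connlimit counts
# parallel connections per source address, so MAX_CONN=3 lets three
# through and drops the SYN of a fourth.
connlimit_spec() {
    echo "-p tcp --syn --dport $SSH_PORT -m connlimit --connlimit-above $MAX_CONN -j DROP"
}

# Insert the rule at the top of INPUT unless an identical rule exists.
# Position 1 puts it ahead of any later ACCEPT for the SSH port.
# Prints "present" or "inserted"; returns non-zero if the insert fails.
ensure_connlimit() {
    # Word splitting of the spec is intended here.
    # shellcheck disable=SC2046
    if "$IPT" -C INPUT $(connlimit_spec) 2>/dev/null; then
        echo present
    else
        # shellcheck disable=SC2046
        "$IPT" -I INPUT 1 $(connlimit_spec) && echo inserted
    fi
}

# Run as: sh ssh-connlimit.sh apply   (needs root)
if [ "${1:-}" = "apply" ]; then
    ensure_connlimit
fi
```

The limit is on simultaneous connections per source address, not on attempts per second, so it caps how many parallel sessions one address can hold open rather than how often it may reconnect.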

