Re: fail2ban increase loadaverage to 18
It is necessary to limit the number of connections to ssh with iptables:
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
18.08.2012 19:10, Michelle Konzack wrote:
Since two days I try to use fail2ban because I had several 100000 login
attempts on each of my servers...
Now it increases to several million
In clear, my WHOLE network is attacked!
There are 87 Servers in question (can be reached through a public IP)
which had in the beginning only attacks of one <rackspace.com> IP which
increased for some days to 4 IPs and now, since last night my servers do
not respond anymore, I have encountered, that my servers are being attacked by
more than 20000 IPs with around 2-10 requests per second.
fail2ban is trying to block it, but the loadaverage increases to over 18.
The other problem is, that I use a remote syslog daemon and this server
had for 2 hours a loadaverage of >37 and I had to shutdown the server
and used the RSA to clean up the system. It was trying to write more
than 60 MByte of logs (~ 800 files at once) per second
My Internet connectivity is a redundant 10 GE using a CISCO 12008. All
used Switches (16 in total) are 3Com 3C17701 (4924) and I try to block
some traffic at the switches. Works nice, but requires heavy manual
How do you handle such attacks?
Note: Rackspace has not responded to any of my requests. I have tried to
reach them by telephone, but they do not pick up. (It is not the
first time that servers from <rackspace.com> attack my network)
Thanks, Greetings and nice Day/Evening
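
As an added illustration (not code from this thread), a simplified Python model of what the connlimit rule in the reply evaluates: concurrent connections per source address, where a SYN that would put one address above 3 is dropped in the kernel before sshd, syslog or fail2ban ever see it. The event list and the addresses are constructed sample data, and the model ignores conntrack timeouts.

```python
from collections import Counter, defaultdict

CONNLIMIT_ABOVE = 3  # value from the rule in the message: --connlimit-above 3


def apply_connlimit(events, limit=CONNLIMIT_ABOVE):
    """Simplified model of a per-source connlimit DROP rule.

    events: time-ordered (src_ip, kind) tuples, kind is "syn" or "close".
    Returns (accepted, dropped): Counters of SYNs per source address.
    """
    open_conns = defaultdict(int)  # concurrent tracked connections per source
    accepted, dropped = Counter(), Counter()
    for src, kind in events:
        if kind == "close":
            open_conns[src] = max(0, open_conns[src] - 1)
        elif open_conns[src] + 1 > limit:
            # This connection would put the source above the limit:
            # the SYN is dropped, so no sshd log line is produced for it.
            dropped[src] += 1
        else:
            open_conns[src] += 1
            accepted[src] += 1
    return accepted, dropped


def sample_events():
    """Constructed sample traffic (documentation addresses, not from the thread)."""
    events = [("203.0.113.5", "syn")] * 10  # one source, 10 parallel attempts
    # One connection closes, which frees a slot that the next SYN can use.
    events += [("203.0.113.5", "close"), ("203.0.113.5", "syn")]
    for host in range(1, 6):  # five sources, 2 attempts each
        events += [(f"198.51.100.{host}", "syn")] * 2
    return events


if __name__ == "__main__":
    acc, drop = apply_connlimit(sample_events())
    for src in sorted(set(acc) | set(drop)):
        print(f"{src:15} accepted={acc[src]} dropped={drop[src]}")
    print("SYNs reaching sshd:", sum(acc.values()),
          "dropped in kernel:", sum(drop.values()))
```

The accepted count is the number of connection attempts that still reach sshd and therefore still produce log lines for the syslog server and fail2ban to process.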