thr3ads.net - CentOS - [CentOS] Crashing Nameservers [Dec 2005]

If this information is useful, please help other people find it:
Share via:

John Hinton

2005-Dec-30 23:39 UTC

[CentOS] Crashing Nameservers

Had two nameservers crash in the last few hours... This 'never' happens!
On the console was

sent an invalid ICMP type 3, code 3 error to a broadcast: 
255.255.255.255 on eth0

sent an invalid ICMP type 3, code 3 error to a broadcast: 
255.255.254.255 on eth0

with the IP address of the offender? in front of that line. Any ideas?

Best,
John Hinton

John Hinton

2005-Dec-30 23:52 UTC

head link

[CentOS] Crashing Nameservers

John Hinton wrote:
> Had two nameservers crash in the last few hours... This 'never' 
> happens! On the console was
>
> sent an invalid ICMP type 3, code 3 error to a broadcast: 
> 255.255.255.255 on eth0
>
> sent an invalid ICMP type 3, code 3 error to a broadcast: 
> 255.255.254.255 on eth0
>
> with the IP address of the offender? in front of that line. Any ideas?
>
> Best,
> John Hinton
And a bit more info.

Seems that maybe it just happened to be nameservers. Found this in the 
logs repeated over and over for thousands of lines.

Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown
Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215
Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown
Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: authentication 
failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215

Seems I'm experiencing a DoS against vsftp login. Anybody got a good way 
to limit the number of failed login attempts by one IP address?

Thanks,
John Hinton

Possibly Parallel Threads

Search for more apparently analagous threads

CentOS - Dec 2005 - Crashing Nameservers

[CentOS] Crashing Nameservers

[CentOS] Crashing Nameservers

Possibly Parallel Threads