SCIENTIFIC-LINUX-DEVEL Archives

February 2020

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From:
"Kraus, Dave (GE Healthcare)" <[log in to unmask]>
Reply To:
Kraus, Dave (GE Healthcare)
Date:
Mon, 24 Feb 2020 17:17:14 +0000
Content-Type:
text/plain
Parts/Attachments:
text/plain (1 lines)
And, I should have read the whole thread so I could see that Andrew already suggested this. Mea culpa. Silly Outlook and its threading...

So, ultimately, +1 for fail2ban.

On 2/24/20, 11:11 AM, "[log in to unmask] on behalf of Kraus, Dave (GE Healthcare)" <[log in to unmask] on behalf of [log in to unmask]> wrote:

    Offhand, have you looked at the "fail2ban" package to do this instead?

    I see that 7.7 has a fail2ban-mail package that might help on your front, at least with a casual search.

    Just a thought.

     -Dave

    On 2/24/20, 6:06 AM, "[log in to unmask] on behalf of tech" <[log in to unmask] on behalf of [log in to unmask]> wrote:

        As this is a "system component" feature, I hope this is the right list.

        Scientific Linux 7.7, with latest update.

        If there are more than 255 IP addresses associated with a service in
        /etc/hosts.deny, then when any service which calls tcp_wrappers is
        invoked, the process hangs, eventually taking 100% CPU.
        Any new request to tcp_wrappers invokes another process which likewise
        eventually reaches 100% CPU, effectively initiating an unintended DoS.

        I run exim as my MTA.

        I run a script which looks for certain messages

        > 	"no host name found for IP address"
        > 	"rejected after DATA"
        > 	"refused: too many connections"

        in the /var/log/exim/ mainlog, rejectlog and paniclog,
        which indicate invalid connections to the server, and then places the
        Class C IP address of these in hosts.deny, against exim.

        Extract below from hosts.deny:

        > exim: 1.215.,103.141.,103.16.,103.20.,103.230.,103.233.\
        > ,103.69.,103.74.,103.76.,109.100.,109.224.\
        > ,109.61.,109.72.,112.78.,114.199.,115.75.\
        > ,117.103.,121.65.,122.228.,123.143.,125.138.\

        In the past two weeks, the number of "exim reject messages" has
        increased such that the number of IP addresses associated with exim in
        hosts.deny reached 256, with the result, as explained above, that
        each connection to the email server started a new instance of exim,
        which never completed, and eventually grabbed 100% CPU.

        The logs are rotated every week and the list of IPs is refreshed.

        The prevalence of hacking is on the increase, so to get greater than 255
        instances in a week is no longer uncommon.

        Could the code be updated to allow more than 255/256 instances?
        (255/256 are common computing numbers!!)

        Thank you

        Me
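The workflow described in the original message (scan the exim logs for the three messages, take the offending peer's network prefix, write hosts.deny rules for exim), as an added example in Python. This is not the poster's script and is not code from tcp_wrappers, exim or fail2ban; the log lines and the never-deny network list are constructed. Two checks the thread motivates are added: an operator-maintained list of networks that must never end up in hosts.deny (your own LAN, loopback), and a cap on the number of prefixes per rule line. Note that the quoted hosts.deny extract uses two-octet prefixes such as 103.141. (each a /16, not a class C network), so that is what the example emits. hosts_access(5) permits the same daemon on several lines, with rules tried in order and the first match winning, so the output is split into several "exim:" lines rather than one backslash-continued list. Whether that sidesteps the hang reported above is not established in the thread; the cap is only a precaution, and fail2ban, as suggested in the replies, can ban through the firewall instead of hosts.deny.

```python
"""Build tcp_wrappers hosts.deny rules for exim from exim reject-log lines.

Added example for this thread, not the poster's script. Sample log lines
use TEST-NET addresses and are constructed; the never-deny list is an
assumption the operator must adapt.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, Optional

# The three exim messages the original post scans for in mainlog/rejectlog/paniclog.
PATTERNS = (
    "no host name found for IP address",
    "rejected after DATA",
    "refused: too many connections",
)

# exim normally writes the peer as [a.b.c.d]; "no host name found" lines carry it bare.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Assumption: networks the operator never wants denied, whatever the logs say.
NEVER_DENY = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "169.254.0.0/16")]

# The poster saw the hang at 256 prefixes in one service list; stay well below it.
MAX_PREFIXES_PER_LINE = 200  # assumption: a conservative cap, not a documented limit


def peer_address(line: str) -> Optional[ipaddress.IPv4Address]:
    """Return the peer IPv4 address in an exim log line, or None if none parses."""
    m = BRACKETED_IP.search(line) or BARE_IP.search(line)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        return None


def prefix_of(addr: ipaddress.IPv4Address, octets: int = 2) -> str:
    """tcp_wrappers prefix form: leading octets plus a trailing dot, e.g. "103.141."."""
    return ".".join(str(addr).split(".")[:octets]) + "."


def offending_prefixes(lines: Iterable[str], octets: int = 2) -> Counter:
    """Count prefixes (/16 by default) of peers that triggered one of PATTERNS."""
    hits: Counter = Counter()
    for line in lines:
        if not any(p in line for p in PATTERNS):
            continue
        addr = peer_address(line)
        if addr is None or any(addr in net for net in NEVER_DENY):
            continue  # unparseable peer, or a network we must never deny
        hits[prefix_of(addr, octets)] += 1
    return hits


def hosts_deny_lines(prefixes: Iterable[str], service: str = "exim",
                     per_line: int = MAX_PREFIXES_PER_LINE) -> List[str]:
    """Emit "service: p1,p2,..." rules with at most per_line prefixes each.

    hosts_access(5) reads each line as its own rule, so one daemon may
    appear on many lines; numeric sort keeps the output stable across runs.
    """
    ordered = sorted(set(prefixes),
                     key=lambda p: [int(o) for o in p.strip(".").split(".")])
    return [f"{service}: {','.join(ordered[i:i + per_line])}"
            for i in range(0, len(ordered), per_line)]


# Constructed exim log lines (TEST-NET addresses), not from the poster's system.
SAMPLE_LOG = """\
2020-02-24 06:00:01 no host name found for IP address 203.0.113.5
2020-02-24 06:00:03 H=(mail.example) [198.51.100.7] F=<a@example.net> rejected after DATA: unrouteable address
2020-02-24 06:00:04 Connection from [203.0.113.77] refused: too many connections
2020-02-24 06:00:05 H=(lan-host) [192.168.1.10] F=<b@example.org> rejected after DATA: spam
2020-02-24 06:00:06 1j6Abc-0001Ab-2C <= c@example.com H=mx.example.com [198.51.100.200] P=esmtp S=1234
""".splitlines()

if __name__ == "__main__":
    hits = offending_prefixes(SAMPLE_LOG)
    for rule in hosts_deny_lines(hits, per_line=1):
        print(rule)
```

Run as shown it prints one "exim:" rule per prefix; the 192.168.1.10 hit is dropped by NEVER_DENY and the accepted-delivery line matches none of the patterns. In real use, feed it the rotated exim logs and write the result to hosts.deny atomically (write a temp file, then rename) so tcp_wrappers never reads a half-written file.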

