Web Hosting Talk

Ipchains problems


dutchie
02-23-2002, 11:01 AM
I'm having some problems on my new RaQ4.
I installed portsentry, logsentry and ipchains the way I did on two other RaQs (in a different network).

Sometimes, suddenly I cannot connect to my site. It takes forever to load, FTP is not possible (blocking call received) and logging in with SSH takes 4 minutes.

I have no idea if these things are connected, but these are the things I noticed; maybe some whizz here can solve this:

syslogd gives me a 15-min average CPU load of 0.33 (on an empty RaQ with 512 MB).

The problem is solved when I flush the rules from ipchains.

And I get this message:

[QUOTE]
Feb 16 13:35:29 mydomain portsentry[3269]: attackalert: TCP SYN/Normal scan from host: mydomain.nl/xx.xx.xxx.xxx to TCP port: 53
Feb 16 13:35:29 mydomain portsentry[3269]: attackalert: Host xx.xx.xxx.xxx has been blocked via wrappers with string: "ALL: xx.xx.xxx.xxx"
[/QUOTE]

where xx.xx.xxx.xxx is the IP of my ns1.

The strange thing is that the problem is not always there. When I flush the rules, log in, and start ipchains again, it's solved; I can log in via FTP/SSH and my site is as fast as ever.

On this RaQ I run my own DNS; on the other two with the same rules I don't...

Anyone have any ideas????

dutchie
02-23-2002, 11:14 AM
I read somewhere that I have to add all IPs used on my box to the UDP rules; is this correct?

serve-you
02-23-2002, 12:21 PM
Did you open up port 53? That is what seems to be getting blocked. It looks to me that when you are trying to ftp, the server is trying to do a reverse lookup on the IP, and when it tries to contact the nameserver, it's getting banned by portsentry.

-Dan

dutchie
02-23-2002, 02:01 PM
There's no port 53 mentioned in my rules.
What should this line look like?

It works fine on the other two RaQs without it.
I added all IP numbers on my RaQ like:

./ipchains -A input -i eth0 -p udp --source xxx.xxx.xxx.xx -j ACCEPT


With no result.
I guess I should change something because I use my own DNS, but what?

dutchie
02-23-2002, 02:11 PM
*** can't believe I missed that.
I guess I should add
./ipchains -A input -i eth0 -p udp --destination-port 53 -j ACCEPT

:blush:

serve-you
02-23-2002, 02:12 PM
I'm not sure why it would work on your other machines and not this one, unless there is something different. Try this before playing with the ruleset: try turning off reverse lookups in your FTP server. Without knowing which FTP server you use, I can't tell you how, though.

-Dan

serve-you
02-23-2002, 02:30 PM
Originally posted by dutchie
*** can't believe I missed that.
I guess I should add
./ipchains -A input -i eth0 -p udp --destination-port 53 -j ACCEPT

:blush:
That'll do it :)

-Dan

dutchie
02-23-2002, 02:44 PM
So far it seems to indeed solve it, thanks for the help anyway !

dutchie
02-24-2002, 10:44 AM
It didn't solve it; today it's back :(


  PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
  123 root      19   0   528  528   428 S       0 32.6  0.1  30:37 syslogd
18173 admin      3   0   868  868   680 R       0  1.5  0.1   0:01 top
  132 root       0   0   788  788   388 S       0  0.5  0.1   0:17 klogd
18026 root       0   0  1780 1780  1248 R       0  0.1  0.3   0:00 sshd
    1 root       0   0   476  476   404 S       0  0.0  0.0   0:03 init
    2 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kflushd
    3 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kupdate
    4 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kpiod
    5 root       0   0     0    0     0 SW      0  0.0  0.0   0:00 kswapd
    6 root     -20 -20     0    0     0 SW<     0  0.0  0.0   0:00 mdrecoveryd
  381 root       0   0   540  540   456 S       0  0.0  0.1   0:00 crond


What's syslogd and why is it using up to 55% of my CPU?
Once I flush my ipchains rules, it drops to 0.0

:confused: :confused: :confused:

serve-you
02-24-2002, 02:13 PM
syslog is what logs system messages and errors. It will take over your machine when something is going nuts on the machine, such as portsentry sending continuous alerts. Check the log, and see what portsentry is complaining about. Make sure that you actually excluded your own server IPs from portsentry, or else every time you do anything, you ban yourself.

-Dan
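
An added example (not from the thread, and not portsentry's or Cobalt's own tooling) that checks for the self-ban Dan describes. It parses portsentry alert lines in the format quoted in the first post, compares each blocked address against the host's own addresses and the resolvers in resolv.conf, reports which of those are still missing from portsentry.ignore, and emits the ipchains input rules a stateless filter needs on a box that runs its own named: not just UDP 53 but also TCP 53 (the BIND NSTATS/XSTATS lines quoted later in the thread show zone transfers and TCP queries arriving) and replies from other servers' port 53 to the host's own lookups. Every address, hostname, log line, resolv.conf and ignore-file entry below is constructed; the RFC 5737 documentation ranges stand in for the masked xx.xx.xxx.xxx values, and the interface name eth0 and the placement of the rules before a final DENY are assumptions.

```python
import re
import ipaddress

# Constructed sample data (not from the thread): RFC 5737 documentation
# addresses stand in for the poster's masked xx.xx.xxx.xxx values.
LOCAL_IPS = ["192.0.2.5", "192.0.2.10"]          # addresses bound on this box
RESOLV_CONF = """\
search example.net
nameserver 192.0.2.10
nameserver 203.0.113.53
"""

# Constructed portsentry alerts, in the format quoted in the first post.
SAMPLE_LOG = """\
Feb 16 13:35:29 mydomain portsentry[3269]: attackalert: TCP SYN/Normal scan from host: ns1.example.net/192.0.2.10 to TCP port: 53
Feb 16 13:35:29 mydomain portsentry[3269]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Feb 16 13:40:02 mydomain portsentry[3269]: attackalert: TCP SYN/Normal scan from host: 198.51.100.77 to TCP port: 111
Feb 16 13:40:02 mydomain portsentry[3269]: attackalert: Host 198.51.100.77 has been blocked via wrappers with string: "ALL: 198.51.100.77"
"""

# Constructed portsentry.ignore: lists localhost and one local address but
# forgot the nameserver address, which is the mistake the thread describes.
SAMPLE_IGNORE = """\
# portsentry.ignore
127.0.0.1
192.0.2.5
"""

# "scan from host:" carries hostname/ip when reverse lookup worked, bare ip
# otherwise, so the hostname prefix is optional.
SCAN_RE = re.compile(
    r"attackalert: (?P<proto>TCP|UDP)\b.*? scan from host: "
    r"(?:[\w.-]+/)?(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P=proto) port: (?P<port>\d+)"
)
BLOCK_RE = re.compile(r"attackalert: Host (?P<ip>\d+\.\d+\.\d+\.\d+) has been blocked")


def trusted_addresses(local_ips, resolv_conf):
    """Addresses this host must never block: itself, loopback, and the
    resolvers that named, proftpd reverse lookups and tcp wrappers query."""
    trusted = {"127.0.0.1", *local_ips}
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            trusted.add(parts[1])
    return trusted


def parse_alerts(log_text):
    """Return (ip, proto, port) for each scan alert, plus the set of IPs that
    portsentry reports it blocked."""
    scans, blocked = [], set()
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            scans.append((m["ip"], m["proto"], int(m["port"])))
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocked.add(m["ip"])
    return scans, blocked


def find_self_bans(log_text, trusted):
    """Alerts whose source is a trusted address and that led to a block:
    the host locking itself out, not an attacker."""
    scans, blocked = parse_alerts(log_text)
    return sorted({(ip, proto, port) for ip, proto, port in scans
                   if ip in trusted and ip in blocked})


def missing_from_ignore(ignore_text, trusted):
    """Trusted addresses not covered by any portsentry.ignore entry.
    Entries are read as plain IPs or address/mask networks (assumed format)."""
    nets = []
    for line in ignore_text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return sorted(ip for ip in trusted
                  if not any(ipaddress.ip_address(ip) in n for n in nets))


def dns_rules(iface="eth0"):
    """ipchains input rules for a box running its own named, assumed to sit
    before the final DENY: loopback, inbound queries on UDP and TCP 53 (TCP
    carries zone transfers and truncated answers), and replies from other
    servers' port 53 to our own lookups, which a stateless filter cannot
    otherwise match."""
    return [
        "ipchains -A input -i lo -j ACCEPT",
        f"ipchains -A input -i {iface} -p udp --destination-port 53 -j ACCEPT",
        f"ipchains -A input -i {iface} -p tcp --destination-port 53 -j ACCEPT",
        f"ipchains -A input -i {iface} -p udp --source-port 53 -j ACCEPT",
    ]


if __name__ == "__main__":
    trusted = trusted_addresses(LOCAL_IPS, RESOLV_CONF)
    for ip, proto, port in find_self_bans(SAMPLE_LOG, trusted):
        print(f"self-ban: trusted host {ip} blocked after {proto} port {port} alert")
    for ip in missing_from_ignore(SAMPLE_IGNORE, trusted):
        print(f"add to portsentry.ignore: {ip}")
    print("\n".join(dns_rules()))
```

On the sample data this flags 192.0.2.10 (the constructed ns1) as a self-ban on TCP 53 and reports both resolver addresses as missing from the ignore file; the unrelated 198.51.100.77 block is left alone. Run it against a real /var/log/messages, the box's own addresses and its resolv.conf to see whether the wrappers ban from the first post is the server banning its own nameserver.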

dutchie
02-24-2002, 03:13 PM
OK, I added all my IPs to portsentry.ignore.

My log files from portsentry give me a lot of:

Feb 23 04:02:00 mydomain named[422]: sysquery: findns error (NXDOMAIN) on ns2.mydns.net?
Feb 23 04:02:01 mydomain named[422]: sysquery: findns error (NXDOMAIN) on ns2.mydns.net?
Feb 23 04:02:22 mydomain syslogd 1.3-3: restart.

where mydomain is mydomain and mydns is (guess :) ) my ns2.

Also a lot of:

Feb 24 03:30:00 mydomain proftpd[19464]: www.mydomain.com (localhost[127.0.0.1]) - FTP session closed.


And an occasional:

Feb 24 03:47:18 mydomain named[422]: Cleaned cache of 8 RRsets
Feb 24 03:47:18 mydomain named[422]: USAGE 1014518838 1014146895 CPU=1.51u/0.78s CHILDCPU=0u/0s
Feb 24 03:47:18 mydomain named[422]: NSTATS 1014518838 1014146895 A=841 SOA=26 PTR=4758 MX=39 TXT=2 AAAA=37 38=71 AXFR=26 ANY=101
Feb 24 03:47:18 mydomain named[422]: XSTATS 1014518838 1014146895 RR=1163 RNXD=46 RFwdR=750 RDupR=0 RFail=6 RFErr=0 RErr=0 RAXFR=26 RLame=11 ROpts=0 SSysQ=1128 SAns=2583 SFwdQ=3209 SDupQ=47322 SErr=0 RQ=5989 RIQ=2 RFwdQ=3209 RDupQ=621 RTCP=51 SFwdR=750 SFail=0 SFErr=0 SNaAns=1455 SNXD=518 RUQ=0 RURQ=0 RUXFR=0

:uhh::erm::eek4:

This is all under the header "Unusual System Events".

I hope someone can make something out of it...