Put this in your /etc/rc.d/rc.local file:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
It won't fix the 'upstream' flood, but it'll help minimize the 'load' on your machine.
http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap5sec56.html
has more info (Great resource!)
****
Next, I'd upgrade to 7.2 and set up iptables/netfilter. You can do rate limits there, nice...
http://www.linuxguruz.org/iptables/
Has more links to iptables/netfilter info than any one person could hope to use. One of the best to start with is:
http://netfilter.samba.org/documentation/indes.html
****
Here's another 'helper':
Another mitigation against SYN flooding is increasing the value of
/proc/sys/net/ipv4/tcp_max_syn_backlog. On 2.2 kernels, I believe the value
defaults to 128, and on 2.4 kernels I believe the default is 1024. If your
init scripts invoke sysctl during boot (like Red Hat), put this in
/etc/sysctl.conf:
# Reduce SYN Floods
net.ipv4.tcp_max_syn_backlog=4096
Replace "4096" with whatever you are comfortable with.
Or from the command line:
# echo 4096 >/proc/sys/net/ipv4/tcp_max_syn_backlog
From: http://www.der-keiler.de/Mailing-Lists/securityfocus/focus-linux/2002-02/0001.html
(NOTE: Mmm, bet you can add net.ipv4.tcp_syncookies=1 to sysctl.conf instead of rc.local as well)
****
And yes, aprsd 2.2.3 (CVS from 2 days ago) runs mostly fine on RH 7.2 - I don't seem to be able to view the HTML status page. Other than that, all seems fine.
Are you using kernel level AX.25 services with aprsd or Linux authentication? If so, then yeah - I think it does have to be run as root. If not, then no - just chmod o+rw /dev/ttyS0 (or whatever serial port your TNC is on, if you have one...) and run aprsd as any other user.
I think the dependency on being root for AX.25 is changing or has changed, but I've not kept track of where that stands.
73
n2lbt wrote:
>
> I've been running an aprsd machine for almost 2 years. The fun is coming to
> an end I believe. Whether it's just script kiddies or the real deal, I believe
> I'm the target of some type of attack. I've been getting hundreds of
> SYN_RECV on port 80. I've had to shut down httpd, but I am fearful that it's
> just a symptom of the problem, not the culprit. It's tying up my dsl line
> and taking up cpu time. I've been running AE5PL's javAPRS and some other
> basic boring web pages.
>
> I run
> sendmail-8.9.3-15
> ftp-0.15-1
> apache-1.3.9-4
>
> I've had trouble finding RPMs for RH6.1 to bring these things up to date.
> I've been checking rpmfind.net and the versions I see listed for 6.1 show
> similar versions to what I have installed. Is 6.1 dead at this point, should
> I give up and go to RH 6.2 or 7.2 or something else? Will aprsd run on 7.2?
>
> Another thing I noticed, should aprsd be running as root in my "ps -auxw"
> listing?
>
> Someone recently told me that 6.1 would be hacked sooner or later. It looks
> like it is sooner.
>
--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
| CARC Repeater 146.940 DN62 |
| http://groups.yahoo.com/group/RM-APRS |
| "The Dungeon" at http://go.to/KC7ZRU |
| AIM - kc7zru BBS http://216.67.168.20/carc/ |
++++++++++++++++++++++++++++++++++++++++++++++++
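The SYN_RECV pile-up described in the quoted message can be measured per port from /proc/net/tcp, alongside the two settings suggested in the reply. This is an added example, not part of the original message or of aprsd; the function names syn_recv_by_port and syn_settings and the sample data are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: half-open (SYN_RECV) sockets per local port, plus the two
# settings discussed above. Function names and sample data are assumptions.

# syn_recv_by_port FILE: FILE is in /proc/net/tcp layout; state 03 = SYN_RECV.
# Prints "port count" lines, busiest port first.
syn_recv_by_port() {
    awk '
    function hex2dec(h,    i, n) {
        h = toupper(h); n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    NR > 1 && $4 == "03" {
        split($2, addr, ":")           # local_address is HEXIP:HEXPORT
        count[hex2dec(addr[2])]++
    }
    END { for (p in count) print p, count[p] }
    ' "$1" | sort -k2,2nr -k1,1n
}

# syn_settings DIR: DIR holds tcp_syncookies and tcp_max_syn_backlog
# (on a live system that is /proc/sys/net/ipv4).
syn_settings() {
    for key in tcp_syncookies tcp_max_syn_backlog; do
        if [ -r "$1/$key" ]; then
            echo "$key=$(cat "$1/$key")"
        else
            echo "$key=unavailable"
        fi
    done
}

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed):
# a listener on port 80, three half-open sockets on port 80, one on port 25.
sample=$(mktemp)
cat > "$sample" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 0A00000A:0050 C6336401:C350 03 00000000:00000000
   2: 0A00000A:0050 C6336402:C351 03 00000000:00000000
   3: 0A00000A:0050 C6336403:C352 03 00000000:00000000
   4: 0A00000A:0019 C6336404:C353 03 00000000:00000000
EOF
syn_recv_by_port "$sample"
syn_settings /proc/sys/net/ipv4
rm -f "$sample"
```

On a live machine, run syn_recv_by_port /proc/net/tcp; a count that sits near tcp_max_syn_backlog on one port means the backlog is full.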