From: Neal M. <Ne...@Mo...> - 2006-01-27 04:44:37
Mike:

No guarantee this was your problem, but I have seen something similar recently. I was experimenting with policy based routing and managed to get things hosed up. Specifically, I had traffic coming in one adapter but going out a different one. The remote side of my connections were ignoring my responses since they had the wrong IP - so the remote would attempt additional connections. This caused my number of open connections to grow rapidly, and my normally "well behaved" Linux server slowed to a crawl. It was so bad I had to even wait for keyboard echo when on the console. (Note: I believe this kind of thing could also happen if you're the target of a syn flood attack).

If you suspect something like this is happening, it's easy enough to identify. Run a netstat command to get an approximate count of connections:

    netstat -an -A inet | wc -l

Run it several times and see if the number returned is growing. If it is (and you have console access), stop the network adapters and see if the problem clears up. For me:

    ifdown eth0

or

    ifconfig eth0 down

does the trick. You'd need to use the appropriate command for your system if webmin is unavailable.

With the interface(s) down, run the netstat command again and see if your count is decreasing. If it is, and the system appears to become more responsive, you likely did have a problem related to the number of open connections.

None of this has much to do with Webmin...and feel free to ignore me if I'm way off track!

Regards,
Neal Morgan

-----Original Message-----
From: web...@li... [mailto:web...@li...] On Behalf Of MWS
Sent: Thursday, January 26, 2006 8:11 PM
To: web...@li...
Subject: [webmin-l] Server Logs Regarding Possible Attack

I had a weird situation yesterday where my server seemed to be under attack, or maybe just had a problem. At first, the ports, 10000 and 20000, would not respond. Then ssh and http both went down. Ftp stayed available.

My network center eventually cleared up the issues, but told me it was up to me to figure out what went wrong. Where do I look? I looked at the logs under var/webmin/webmin.log, but don't see anything unusual. Any suggestions?

Thanks,
-Mike
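
The connection-count check described in the reply above, as an added example that is not part of the original email: it goes beyond the plain `wc -l` count by skipping netstat's header lines and tallying TCP sockets per state, so a pile-up of half-open `SYN_RECV` entries is visible. The function names and both snapshots are assumptions constructed for illustration (addresses are from documentation ranges).

```shell
#!/bin/sh
# Added example. SAMPLE_1 and SAMPLE_2 are constructed `netstat -an -A inet`
# snapshots taken "a few seconds apart"; they are not from a real host.
SAMPLE_1='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.8:51234      SYN_RECV
udp        0      0 0.0.0.0:68              0.0.0.0:*'

SAMPLE_2='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.8:51234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.4:51236       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51237       SYN_RECV
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Count tcp/udp socket lines on stdin, ignoring the two header lines
# that `wc -l` would include.
count_sockets() {
    awk '$1 ~ /^(tcp|udp)/ { n++ } END { print n + 0 }'
}

# Count TCP sockets on stdin whose State column equals $1.
count_state() {
    awk -v want="$1" '$1 ~ /^tcp/ && $6 == want { n++ } END { print n + 0 }'
}

# Print "STATE COUNT" for every TCP state seen on stdin, sorted by state.
state_summary() {
    awk '$1 ~ /^tcp/ { c[$6]++ } END { for (s in c) print s, c[s] }' | sort
}

# Compare two snapshots ($1 older, $2 newer) and name the trend.
trend() {
    a=$(printf '%s\n' "$1" | count_sockets)
    b=$(printf '%s\n' "$2" | count_sockets)
    if [ "$b" -gt "$a" ]; then echo growing
    elif [ "$b" -lt "$a" ]; then echo shrinking
    else echo steady; fi
}

# Demo on the constructed data. On a live host, pipe real output instead:
#   netstat -an -A inet | state_summary
printf '%s\n' "$SAMPLE_2" | state_summary
echo "trend: $(trend "$SAMPLE_1" "$SAMPLE_2")"
```
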