> Hi there,
>
> I own a Cobalt RaQ4 (as well as a RaQ3, and this problem applies to
> both) with near 150 customers in it, a few weeks ago the server suddenly
> stopped responding, first once a day, but now it's a nightmare..
> sometimes it stays for days ok, then some day.. we start receiving
> SYN_RECV packets and the server dies.
>
> Changed from RaQ3 to RaQ4 and today the history repeated again.
>
> I've used tcp_syn_cookies, I have tried lots of ipchains firewalls, and
> nothing seems to help. Oh, and yes, I've installed until the latest
> patch. The last thing I did was to create a script I run every 2 minutes
> and detects SYN_RECV connections, if more than 15 are detected, then
> those IPs are banned (ipchains) it has somehow stopped attacks, but it's
> not perfect... somehow the bastard does the nasty in those 2 minutes and
> kills my server.
>
> Reading on the Internet I found that it's a problem affecting old 2.2.x
> kernels (x<17 I think).. if you use a firewall and also set
> tcp_syncookies to 1 somehow you are in danger. My concern is that I can
> NOT wait any longer for Cobalt to release a new kernel, I've waited like
> 2 months and no new updates regarding kernels. Is there ANY workaround I
> can do in order to avoid syn attacks? My clients are very upset with me
> because of the constant failures and I have no life.. saturday night,
> sundays early in the morning, friday afternoon, at any time my system
> has to be rebooted...
>
> Please, help.
>
> Ernesto

Ernesto, we have a couple of RaQ3's and have been having similar problems with the systems going down intermittently. One server in particular is being used to power a single somewhat high-profile website and recently for about a week straight it was going down every day.

We scoured the logfiles and did find unusual activity but nothing that explained the crashes. We noticed a lot of unauthorized attempts at accessing the admin server and we applied some firewall rules to port 81, the system hasn't crashed since. Sorry I can't give a more technical explanation, we aren't even sure if we fixed the issue with the new rules or if we're just lucky.

-Brad

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
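
The detection step described in the quoted message (count SYN_RECV entries per remote address and flag any address with more than 15), as an added example that is not part of the original thread. The function names and sample data are hypothetical; the sample uses documentation addresses and is constructed, and the second function adds a host-wide count because a per-address threshold cannot see half-open connections spread over many source addresses.

```shell
#!/bin/sh
# Reads `netstat -tn` style output on stdin. Live use (assumed):
#   netstat -tn | syn_recv_offenders 15

# Print "<count> <remote-ip>" for every remote address holding more than
# $1 (default 15) connections in SYN_RECV, busiest first.
syn_recv_offenders() {
    threshold="${1:-15}"
    awk -v limit="$threshold" '
        $1 ~ /^tcp/ && $NF == "SYN_RECV" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)      # drop the trailing :port
            count[addr]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit)
                    print count[ip], ip
        }
    ' | sort -rn
}

# Total SYN_RECV entries on the host, regardless of source address.
syn_recv_total() {
    awk '$1 ~ /^tcp/ && $NF == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Constructed sample: 16 half-open connections from one address,
# 3 from another, plus one established connection that must be ignored.
sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    i=0
    while [ "$i" -lt 16 ]; do
        echo "tcp 0 0 192.0.2.10:80 198.51.100.7:$((40000 + i)) SYN_RECV"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 3 ]; do
        echo "tcp 0 0 192.0.2.10:80 203.0.113.9:$((50000 + i)) SYN_RECV"
        i=$((i + 1))
    done
    echo "tcp 0 0 192.0.2.10:80 203.0.113.9:51000 ESTABLISHED"
}

sample_netstat | syn_recv_offenders 15
echo "total SYN_RECV: $(sample_netstat | syn_recv_total)"
```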
