Hi Ernesto,

> I own a Cobalt RaQ4 (as well as a RaQ3, and this problem applies to
> both) with near 150 customers in it, a few weeks ago the server suddenly
> stopped responding, first once a day, but now it's a nightmare..
> sometimes it stays for days ok, then some day.. we start receiving
> SYN_RECV packets and the server dies.
SYN floods are pretty difficult to tackle, as you have already found out. Although having an ipchains-based firewall *on* the same server is better than having nothing, in this case you're not getting around setting up an external firewall which protects your server. For more info see: http://www.usenix.org/events/sec01/invitedtalks/oliver.pdf

IPchains on the RaQs has its limitations due to the outdated kernel. Additionally, the load of the SYN flood still puts a burden on the server you want to protect, especially if the firewall and the webserver are hardware-wise on the same box. So you have to get a separate firewall up and running which you put in front of your RaQ(s) - and you need one which can specifically deal with SYN flooding. This can be either a hardware firewall, or a Linux distribution custom-tailored for firewall purposes, like SmoothWall, SonicWall, OpenWall ... to name a few.

The quick and dirty solution, how I'd do it: Hook up a PC with two network cards and install Linux on it. Any distro you feel familiar with should do fine. Just make sure to apply all vendor patches right away and disable all non-essential services. In fact you can do away with all network-related services but SSH. Then fetch gShield V2.8 from http://linuxmafia.org/~godot/ and install it on the box. It's an IPtables-based firewall and *very* easy to configure. Configure it for NAT, bind all IPs from your RaQ to the Linux box and NAT 'em to the RaQ.

Benefits: Cost effective, 2.4-series kernel, IPtables, easy to configure but effective firewall.

Downside: You'll need at least 2-3 hours to get it up and running and it's not a trivial task unless you know your way around Linux. Configuring for NAT will more or less force you to change the IPs on your RaQ(s), too, which is a pain for 20 IPs.
--
With best regards,

Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
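The NAT-in-front-of-the-RaQ setup sketched in the reply, as an added example that is neither from the mail nor gShield's own configuration: plain iptables rules for the two-NIC Linux box, with assumed interface names, constructed placeholder addresses and an assumed SYN rate. By default the commands are only printed so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the original mail and not gShield's own config:
# plain iptables rules for a two-NIC Linux box placed in front of a RaQ.
# Interfaces, addresses and the SYN rate below are assumed placeholders.
# By default the commands are only printed; set IPT=iptables etc. to apply.
IPT="${IPT:-echo iptables}"
IPCMD="${IPCMD:-echo ip}"
WAN_IF="${WAN_IF:-eth0}"   # faces the Internet
LAN_IF="${LAN_IF:-eth1}"   # faces the RaQ
SYN_RATE="${SYN_RATE:-25/second}"
SYN_BURST="${SYN_BURST:-50}"

# Default-deny, let replies through, and allow SSH to the firewall itself
# only from the inside (the mail keeps SSH as the box's sole service).
base_policy() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Rate-limit new connection attempts (SYN) heading for the RaQ: excess SYNs
# are dropped on the firewall instead of filling the RaQ's backlog queue.
syn_limit() {
  $IPT -N SYNLIMIT
  $IPT -A SYNLIMIT -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j RETURN
  $IPT -A SYNLIMIT -j DROP
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --syn -j SYNLIMIT
}

# 1:1 NAT for one public address $1 onto the RaQ's private address $2:
# the firewall binds the public IP, DNATs inbound to the RaQ, SNATs outbound
# back to the public IP, and only opens the listed service ports.
nat_map() {
  pub="$1"; priv="$2"
  $IPCMD addr add "$pub/32" dev "$WAN_IF"
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" -p tcp -m multiport \
       --dports 21,25,80,110,443 -m state --state NEW -j ACCEPT
}

# Constructed sample mapping (public -> private); one line per RaQ address.
base_policy
syn_limit
printf '%s\n' '203.0.113.10 192.168.1.10' '203.0.113.11 192.168.1.11' |
while read -r pub priv; do nat_map "$pub" "$priv"; done
```

Applying it for real additionally needs IP forwarding switched on (net.ipv4.ip_forward=1) and the RaQ renumbered to the private addresses, which is the downside the mail mentions.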
