Perhaps you can configure a tool such as fail2ban ... this tool will allow you to watch log files, and react by banning the IP.
It's fairly easy to configure: you write a regex to filter the log on ... which, when triggered a set number of times, calls an action. You then configure that action to ban using iptables (or something else if you want). If you are running a Debian-based system there are tons of preconfigured rules, of which you can simply copy one and tweak it. I don't know about the stock install, as I'm too lazy to check. It generally is fast enough to catch DDOS attacks in progress, adding the firewall ban. But it's up to you to figure out what you can base the ban on. :)

- Brian Stolz

On Sun, Nov 15, 2009 at 10:03 AM, Joseph Laws <[email protected]> wrote:
> No, they don't connect. Those are all private servers, btw
> (passworded). They are scanning rcon ports and sending strings of junk
> at them to flood them out. The rcon ports must listen to all queries
> whether they are authenticated or not...resulting in them being DOS'd
> after enough queries.
>
> Ronny Schedel wrote:
>> Did someone connect with this IP to the server? It seems he has to connect
>> to crash it.
>>
>>> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.10:0
>>> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.5:0
>>> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.2:0
>>> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.8:0
>>> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.6:0
>>> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.14:0
>>> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.3:0
>>> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.9:0
>>> srcds_amd[17263]: segfault at 00000010 eip 4d7826ea esp bff3dfec error 4
>>> srcds_amd[18560]: segfault at 0000000e eip 4d7826ea esp bfa3d2ec error 4
>>> srcds_amd[22341]: segfault at 0000000e eip 4d7826ea esp bfdeee9c error 4
>>>
>>> I see tons of this on all of my systems that have CS:S on them, not
>>> always the same IP.
>>> I'm resorting to non-default ports since they are
>>> just scanning IP ranges for 27015.
>>>
>>> Ronny Schedel wrote:
>>>
>>>> Please don't tell me this is a well known exploit. Sorry, but I don't see
>>>> malformed packets in the syslog related to this.
>>>>
>>>>> Check the DMESG. You should see a bunch of malformed packets or UDP
>>>>> checksum errors. That's what I see when that stuff happens. It
>>>>> sometimes takes quite a few malformed packets/checksum errors before the
>>>>> server segfaults.
>>>>>
>>>>> Ronny Schedel wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> there is a new spam and crash exploit out there, we have seen it today on
>>>>>> our CS:S server. What happened? A player connected and was able to send some
>>>>>> spam messages which looked like they came from the server console, the
>>>>>> player's name is "h 4 x" in the following log. It seems the messages were
>>>>>> spammed during the connection, so I suppose he used a proxy to send
>>>>>> malformed packets during connection. After his spam, he connected again and
>>>>>> crashed the server.
>>>>>>
>>>>>> Here the console spam:
>>>>>>
>>>>>> L 11/15/2009 - 17:22:38: "h 4 x<552><STEAM_ID_PENDING><>" connected, address "87.122.42.104:27005"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED"
>>>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "h 4 x<552><STEAM_0:0:17742854><>" STEAM USERID validated
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>>>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>>>>>> L 11/15/2009 - 17:22:40: "h 4 x<552><STEAM_0:0:17742854><>" disconnected (reason "Disconnect by user.")
>>>>>>
>>>>>> The last log line is:
>>>>>>
>>>>>> L 11/15/2009 - 17:27:00: "CRASHED BY ruhsi643 ADDET ruhsi<557><STEAM_ID_PENDING><>" connected, address "87.122.42.104:27005"
>>>>>>
>>>>>> After this line, the server crashed. This is the last line, because we run
>>>>>> our server with logflush.
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Ronny Schedel
>>>>>>
>>>>>> _______________________________________________
>>>>>> To unsubscribe, edit your list preferences, or view the list archives,
>>>>>> please visit:
>>>>>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
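
The fail2ban flow described in the reply at the top of this message (a regex over the log, a trigger count, then an iptables ban), as an added Python example that is not part of the original thread and is not fail2ban's own code. The syslog prefix, host name `gs1`, thresholds and addresses are assumptions; `maxretry`, `findtime` and `ignoreip` are named after the fail2ban options they mimic.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the kernel-log format quoted in the thread; the host
# name, timestamps and documentation-range addresses are made up.
SAMPLE_LOG = """\
Nov 15 17:20:01 gs1 kernel: UDP: short packet: From 192.0.2.10:0 0/105 to 198.51.100.5:0
Nov 15 17:20:01 gs1 kernel: UDP: short packet: From 192.0.2.10:0 0/105 to 198.51.100.2:0
Nov 15 17:20:02 gs1 kernel: UDP: short packet: From 192.0.2.77:0 0/105 to 198.51.100.5:0
Nov 15 17:20:03 gs1 kernel: UDP: short packet: From 192.0.2.10:0 0/105 to 198.51.100.8:0
Nov 15 17:20:04 gs1 kernel: srcds_amd[17263]: segfault at 00000010 eip 4d7826ea esp bff3dfec error 4
Nov 15 17:21:00 gs1 kernel: UDP: short packet: From 192.0.2.99:0 0/105 to 198.51.100.5:0
Nov 15 17:26:00 gs1 kernel: UDP: short packet: From 192.0.2.99:0 0/105 to 198.51.100.5:0
Nov 15 17:31:00 gs1 kernel: UDP: short packet: From 192.0.2.99:0 0/105 to 198.51.100.5:0
"""

# The "regex to filter the log on": anchored so only the kernel message matches.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"UDP: short packet: From (?P<host>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
)

def find_bans(lines, maxretry=3, findtime=timedelta(seconds=60), ignoreip=(), year=2009):
    """Return source IPs that matched maxretry times within findtime."""
    hits = defaultdict(deque)          # per-IP sliding window of match times
    banned = []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m or m["host"] in ignoreip or m["host"] in banned:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = hits[m["host"]]
        window.append(ts)
        while ts - window[0] > findtime:   # forget matches older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.append(m["host"])
    return banned

def ban_rule(ip):
    """Build the iptables argv for a ban; parsing the IP first keeps log text out of it."""
    return ["iptables", "-I", "INPUT", "-s", str(ipaddress.IPv4Address(ip)), "-j", "DROP"]

if __name__ == "__main__":
    for ip in find_bans(SAMPLE_LOG.splitlines()):
        print(" ".join(ban_rule(ip)))
```

UDP source addresses can be forged, so a ban keyed on them can be steered at addresses you depend on; list those in `ignoreip` before enabling an automatic action.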

