Folks,

I'm posting this in the awareness that there's probably nothing to be
done about it at this stage, but some forensic advice might help:

My Ubuntu Hardy (8.04) server is hosted by a crowd who cut costs by not
providing remote console access or remote power control. It runs OSSEC
1.6 with the only major configuration tweak being an increase in the
active response window: firewall lockouts last for 24 hours rather than
five minutes because otherwise the barbarian hordes keep my load average
permanently around 3 (on a single-CPU x86). Server has been up for a few
weeks without incident, no significant outages in >12 months.

This morning I logged in to turn down the level of the Postfix 'multiple
delivery attempts from a blacklisted IP' alert from 10 to 8. I made the
change and restarted ossec.

Almost immediately, the process table began to fill with 'iptables' and
'host-deny' processes, and load shot up over 100 within a few seconds.

I am now completely locked out: ssh connections time out. I can ping the
machine, but that's all. 

To my chagrin, I have used up my free support tickets for the month, so
I will have to pay cash to have my server physically rebooted. I am
hesitating only because I have no way of knowing if this will fix the
problem.

Can anyone suggest what may have just happened? I need to make sure this
can't ever happen again, even if that involves removing ossec: Not even
ossec can be allowed to thrash the machine so hard that ssh connectivity
goes down.

--
Thorne Lawler
Technical Consultant
Managed Services | Infrastructure Services | Server Support Unix | KAZ
Group Pty Ltd
360 Elizabeth Street | Melbourne Victoria 3000
(03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
[EMAIL PROTECTED] | www.kaz-group.com