I don't have any answers for you there.  But I will make one
suggestion to you.  You should make sure you have out of band access
to a server like this in a situation such as yours.  Decent servers
have lights out management, or system console cards with a network
stack on them.  If you had this access, you could obtain console on
the host, or even physically reset the host.  If your hosting provider
can not provide you with this type of access, then I would look around
for another provider.

Haz



On 9/30/08, Lawler, Thorne <[EMAIL PROTECTED]> wrote:
>
> Folks,
>
> I'm posting this in the awareness that there's probably nothing to be
> done about it at this stage, but some forensic advice might help:
>
> My Ubuntu Hardy (8.04) server is hosted by a crowd who cut costs by not
> providing remote console access or remote power control. It runs OSSEC
> 1.6 with the only major configuration tweak being an increase in the
> active response window: firewall lockouts last for 24 hours rather than
> five minutes because otherwise the barbarian hordes keep my load average
> permanently around 3 (on a single-CPU x86). Server has been up for a few
> weeks without incident, no significant outages in >12 months.
>
> This morning I logged in to turn down the level of the Postfix 'multiple
> delivery attempts from a blacklisted IP' alert from 10 to 8. I made the
> change and restarted ossec.
>
> Almost immediately, the process table began to fill with 'iptables' and
> 'host-deny' processes, and load shot up over 100 within a few seconds.
>
> I am now completely locked out: ssh connections time out. I can ping the
> machine, but that's all.
>
> To my chagrin, I have used up my free support tickets for the month, so
> I will have to pay cash to have my server physically rebooted. I am
> hesitating only because I have no way of knowing if this will fix the
> problem.
>
> Can anyone suggest what may have just happened? I need to make sure this
> can't ever happen again, even if that involves removing ossec: Not even
> ossec can be allowed to thrash the machine so hard that ssh connectivity
> goes down.
>
> --
> Thorne Lawler
> Technical Consultant
> Managed Services | Infrastructure Services | Server Support Unix | KAZ
> Group Pty Ltd
> 360 Elizabeth Street | Melbourne Victoria 3000
> (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
> [EMAIL PROTECTED] | www.kaz-group.com
> ------------------------------------------------------------------------
> --------
>
>

-- 
Sent from Gmail for mobile | mobile.google.com
