Squeak.org under attack?


Squeak.org under attack?

Göran Krampe
Howdy folks!

I noticed squeak.org is having issues. It almost seems to be under some
attack on port 80 - dmesg reports ("Treason uncloaked!" yaddayadda) and
apache2 seems to bog down as soon as I restart it. SqueakMap is for
example available just fine directly at port 9091.

Not sure what to do and I need to work.

regards, Göran



Re: Squeak.org under attack?

Michael Rueger-4
Göran Krampe wrote:
> Howdy folks!
>
> I noticed squeak.org is having issues. It almost seems to be under some
> attack on port 80 - dmesg reports ("Treason uncloaked!" yaddayadda) and
> apache2 seems to bog down as soon as I restart it. SqueakMap is for
> example available just fine directly at port 9091.

http://linux.derkeiler.com/Mailing-Lists/Kernel/2006-03/msg03750.html
http://kerneltrap.org/node/7182

Which kernel is running on squeak.org?

Michael


Re: Squeak.org under attack?

Göran Krampe
Hi!

> Göran Krampe wrote:
>> Howdy folks!
>>
>> I noticed squeak.org is having issues. It almost seems to be under some
>> attack on port 80 - dmesg reports ("Treason uncloaked!" yaddayadda) and
>> apache2 seems to bog down as soon as I restart it. SqueakMap is for
>> example available just fine directly at port 9091.
>
> http://linux.derkeiler.com/Mailing-Lists/Kernel/2006-03/msg03750.html
> http://kerneltrap.org/node/7182
>
> Which kernel is running on squeak.org?

Interesting indeed. squeak.org still runs sarge and uname -a gives:

Linux box2.squeakfoundation.org 2.6.8-2-k7 #1 Tue Aug 16 14:00:15 UTC 2005
i686 GNU/Linux

...and I don't think there are newer kernels for sarge in the vanilla repos.

I wonder how this could "pop up" like this. It also is odd - if I restart
apache2 it only takes 2-3 seconds for MaxClients to be reached!

And I also noticed tons of connections to the pier image running there on
port 7779 (serving www.squeak.org AFAICT). Even when apache is stopped?
How come?

regards, Göran



Re: Squeak.org under attack?

Göran Krampe
Ok, my suspicion here is that we have barfed one of the reverse proxies
somehow making an open relay - or at least making it look like a possible
open relay. Not sure yet.

regards, Göran



Re: Squeak.org under attack?

Göran Krampe
Hmmm.
netstat -pa shows tons of:

tcp6       0  18876 box2.squeakfoundati:www ::ffff:222.132.18:62895
ESTABLISHED12301/apache2
tcp6       0  18876 box2.squeakfoundati:www ::ffff:222.132.18:62894
ESTABLISHED12301/apache2


...it fills up MaxClients when started in 3 seconds. I restarted the
wwwtest squeak image (which was on port 7779) and had apache down. This
eventually cleaned up sockets so netstat looked clean. But when restarting
apache the above still happens. Who is that and what do we do to block?

regards, Göran



Re: Squeak.org under attack?

Göran Krampe
Ok, giving up now - gotta work.

I documented what I did in "Log" - there is a DROP rule on a specific ip
in effect now. It seemed to originate from China. We should probably
install some kind of firewall script approach.

regards, Göran
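
As an added illustration (not code from the thread or from the Squeak Foundation), here is a small Python script that does what Göran did by hand: it parses `netstat -pan`-style output, counts established connections to the web port per remote address, and proposes the same single-address DROP rule the thread ended up with for any address above a threshold. The netstat lines are constructed (RFC 5737 documentation addresses, made-up PIDs), and the threshold of 20 is an assumption; a real MaxClients-sized pool would call for a value tuned to the server.

```python
import re
from collections import Counter

# Constructed sample of `netstat -pan` output (not the squeak.org listing from the
# thread): addresses are from the RFC 5737 documentation ranges, PIDs are made up.
# The flood lines fuse State and PID/Program ("ESTABLISHED12301/apache2"), which is
# how netstat prints them when the columns overflow, exactly as in Göran's paste.
_HEADER = (
    "Active Internet connections (servers and established)\n"
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name\n"
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd\n"
    "tcp6       0      0 :::80                   :::*                    LISTEN      12301/apache2\n"
    "tcp        0      0 203.0.113.10:22         192.0.2.9:40011         ESTABLISHED 812/sshd\n"
    "tcp6       0      0 ::ffff:203.0.113.10:www ::ffff:192.0.2.44:51002 ESTABLISHED 12301/apache2\n"
)
_FLOOD = "".join(
    f"tcp6       0  18876 ::ffff:203.0.113.10:www ::ffff:198.51.100.7:{62800 + i} "
    "ESTABLISHED12301/apache2\n"
    for i in range(30)
)
SAMPLE_NETSTAT = _HEADER + _FLOOD

# Foreign address column: optional IPv4-mapped prefix, then host, then port or '*'.
_FOREIGN = re.compile(r"^(?:::ffff:)?(.+):(\d+|\*)$")
WEB_PORTS = {"80", "www", "http"}   # netstat shows "www" unless -n is given


def parse_netstat(text):
    """Return (proto, local, remote_host, remote_port, state) for each socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = ""
        if len(parts) > 5:
            m = re.match(r"[A-Z_]+", parts[5])   # tolerate "ESTABLISHED12301/apache2"
            state = m.group(0) if m else ""
        m = _FOREIGN.match(foreign)
        if m:
            rows.append((proto, local, m.group(1), m.group(2), state))
    return rows


def count_by_remote(rows, local_ports=WEB_PORTS, states=("ESTABLISHED", "SYN_RECV")):
    """Count connections per remote host that hit our web port in the given states."""
    counts = Counter()
    for _proto, local, host, _port, state in rows:
        if local.rsplit(":", 1)[-1] in local_ports and state in states:
            counts[host] += 1
    return counts


def flag_floods(counts, threshold=20):
    """Remote hosts holding at least `threshold` connections (threshold is an assumption)."""
    return {host: n for host, n in counts.items() if n >= threshold}


def drop_rule(host):
    """The single-address DROP the thread settled on, as an iptables command."""
    return f"iptables -I INPUT -s {host} -p tcp --dport 80 -j DROP"


if __name__ == "__main__":
    counts = count_by_remote(parse_netstat(SAMPLE_NETSTAT))
    for host, n in flag_floods(counts).items():
        print(f"{host}: {n} connections -> {drop_rule(host)}")
```

On a live box you would feed it `netstat -pan | python3 thisscript.py`-style input instead of the constructed sample; the parser copes with both the resolved (`:www`) and numeric (`:80`) local port forms, and with the fused state/PID column that makes the pasted output hard to read by eye.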



Re: Squeak.org under attack?

Cees De Groot
I'm between meetings, but setting an ipchains input filter should do
the trick. However, I don't know how to work with IPV6 addresses in
ipchains... someone can RTFM?

On 5/4/07, Göran Krampe <[hidden email]> wrote:

> Hmmm.
> netstat -pa shows tons of:
>
> tcp6       0  18876 box2.squeakfoundati:www ::ffff:222.132.18:62895
> ESTABLISHED12301/apache2
> tcp6       0  18876 box2.squeakfoundati:www ::ffff:222.132.18:62894
> ESTABLISHED12301/apache2
>
>
> ...it fills up MaxClients when started in 3 seconds. I restarted the
> wwwtest squeak image (which was on port 7779) and had apache down. This
> eventually cleaned up sockets so netstat looked clean. But when restarting
> apache the above still happens. Who is that and what do we do to block?
>
> regards, Göran
>
>
>


--
"Human beings make life so interesting. Do you know, that in a
universe so full of wonders, they have managed to invent boredom. " -
Death, in "The Hogfather"


Re: Squeak.org under attack?

Cees De Groot
I have resorted at times to blocking the whole of China so this sounds
like a sensible solution :)

On 5/4/07, Göran Krampe <[hidden email]> wrote:

> Ok, giving up now - gotta work.
>
> I documented what I did in "Log" - there is a DROP rule on a specific ip
> in effect now. It seemed to originate from China. We should probably
> install some kind of firewall script approach.
>
> regards, Göran
>
>
>


--
"Human beings make life so interesting. Do you know, that in a
universe so full of wonders, they have managed to invent boredom. " -
Death, in "The Hogfather"


Re: Squeak.org under attack?

Lukas Renggli
> I have resorted at times to blocking the whole of China so this sounds
> like a sensible solution :)
>
> On 5/4/07, Göran Krampe <[hidden email]> wrote:
> > Ok, giving up now - gotta work.
> >
> > I documented what I did in "Log" - there is a DROP rule on a specific ip
> > in effect now. It seemed to originate from China. We should probably
> > install some kind of firewall script approach.

I would close all ports except 22 (ssh) and 80 (http) from the
outside. Furthermore you have to make sure that "ProxyRequests Off" is
set somewhere in the apache config else it is very likely to become an
open proxy relay.

Cheers,
Lukas

--
Lukas Renggli
http://www.lukas-renggli.ch


Re: Squeak.org under attack?

Göran Krampe
Hi!

> I would close all ports except 22 (ssh) and 80 (http) from the
> outside.

Yes, but this was on port 80 so that wouldn't have helped.

> Furthermore you have to make sure that "ProxyRequests Off" is
> set somewhere in the apache config else it is very likely to become an
> open proxy relay.

I am curious about that. It should have default value "Off" right? One of
the VHs had ProxyPreserveHost On and... well, I am not sure but just for
"good measure" I threw in a "ProxyRequests Off" in that site.

At least none of the sites or .conf files set it to On (common n00b mistake).

regards, Göran




Re: Squeak.org under attack?

Lukas Renggli
> > Furthermore you have to make sure that "ProxyRequests Off" is
> > set somewhere in the apache config else it is very likely to become an
> > open proxy relay.
>
> I am curious about that. It should have default value "Off" right? One of
> the VHs had ProxyPreserveHost On and... well, I am not sure but just for
> "good measure" I threw in a "ProxyRequests Off" in that site.

ProxyRequests should always be off.

ProxyPreserveHost is an entirely different thing. It helps Seaside and
other web frameworks to detect the original host name the request was
sent to, which is required to create full absolute paths.

Cheers,
Lukas

--
Lukas Renggli
http://www.lukas-renggli.ch
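
To make the two points in this exchange concrete, here is an added example (not squeak.org's configuration and not code from anyone on the thread): two constructed vhost fragments, the weak one with `ProxyRequests On` and the hardened one with it explicitly `Off`, plus a small Python audit that walks Apache config text and flags any scope that turns forward proxying on, or that reverse-proxies without an explicit `ProxyRequests Off` somewhere. Apache's documented default for `ProxyRequests` is `Off`, so the explicit directive is belt and braces, as Lukas recommends. The host name `www.example.org` and the backend `127.0.0.1:7779` are assumptions (7779 being the port the thread mentions for the Pier image).

```python
import re

# Two constructed vhost fragments for www.example.org (not squeak.org's real config).
# The backend on 127.0.0.1:7779 stands in for the Pier/Seaside image the thread mentions.
WEAK_CONFIG = """\
<VirtualHost *:80>
    ServerName www.example.org
    # The "common n00b mistake": this enables forward proxying for any client.
    ProxyRequests On
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:7779/
    ProxyPassReverse / http://127.0.0.1:7779/
</VirtualHost>
"""

HARDENED_CONFIG = """\
# Forward proxying stays disabled (Apache's default, made explicit as Lukas advises);
# only the ProxyPass mappings below are honoured.
ProxyRequests Off
<VirtualHost *:80>
    ServerName www.example.org
    # ProxyPreserveHost only forwards the client's Host: header so the backend
    # can build absolute URLs; it has nothing to do with open relaying.
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:7779/
    ProxyPassReverse / http://127.0.0.1:7779/
</VirtualHost>
"""

_DIRECTIVE = re.compile(r"^(\w+)\s+(.*?)\s*$")


def proxy_scopes(text):
    """Split config text into scopes, each {'scope': 'global' or the <VirtualHost ...>
    line, 'directives': [(name, value), ...]}, keeping only Proxy* directives.
    Comment lines and unrelated directives are dropped; Include is not followed."""
    scopes = [{"scope": "global", "directives": []}]
    current = scopes[0]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            current = {"scope": line, "directives": []}
            scopes.append(current)
            continue
        if low.startswith("</virtualhost"):
            current = scopes[0]
            continue
        m = _DIRECTIVE.match(line)
        if m and m.group(1).lower().startswith("proxy"):
            current["directives"].append((m.group(1), m.group(2)))
    return scopes


def audit(text):
    """Return finding strings; an empty list means no forward-proxy exposure was found."""
    scopes = proxy_scopes(text)
    global_off = any(n.lower() == "proxyrequests" and v.lower() == "off"
                     for n, v in scopes[0]["directives"])
    findings = []
    for scope in scopes:
        values = {n.lower(): v.lower() for n, v in scope["directives"]}
        reverse = any(k in ("proxypass", "proxypassmatch") for k in values)
        if values.get("proxyrequests") == "on":
            findings.append(f"{scope['scope']}: ProxyRequests On makes Apache a forward (open) proxy")
        elif reverse and not global_off and values.get("proxyrequests") != "off":
            findings.append(f"{scope['scope']}: reverse proxy without an explicit ProxyRequests Off")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

To run it over a real Debian layout you would call `audit()` on the concatenated text of `apache2.conf`, `conf.d/*` and `sites-enabled/*`; the audit only looks at `ProxyRequests` and `ProxyPass*`, so `<Proxy>` access-control blocks and files pulled in via `Include` have to be checked separately.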