Our server is a Cobalt RaQ4r. We have installed *snort* on the server. But today the load suddenly started to increase and we found that too many *httpd* processes were running. The load went too high. Finally we were able to stop httpd. Then we stopped *snort*. The load came down and luckily we were able to save the server from crashing. We found the following messages in the *snort* log file: it is an attempt at /WORM PROPAGATION/. How could we protect our server? We did not keep ports 1434/1433 open on our server; basically we are not using these ports at all. Could anyone suggest how we could start snort so that the system does not get affected by the load etc.? What we feel is that the load went too high due to too much traffic. Do you think that, because snort was detecting the messages, the load went high for that reason?
I don't know if snort was the problem or not. I use ipchains on my RaQ 4r to block/log all 1433/1434 attempts even though they won't affect my server. If you don't have ipchains installed, there's a PKG at http://www.cobaltfaqs.com/ in the "RaQ 3 and RaQ 4 downloads" section.
My ipchains rules live in /etc/rc.d/init.d/firewall (remember to set the file executable with "chmod +x"), and it is symlinked to /etc/rc.d/rc3.d/S01firewall to autostart the "firewall" with each server boot. By using S01firewall as the name, it's set to be first in the boot sequence to ensure packet blocking happens as soon as possible.
The top of my ipchains file (with relevant rules for your issue) is:

### START OF FILE ###
#!/bin/sh

# IP Fragmentation Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# IP Bogus Error Response Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Set a variable for where this lives. Easier to change
# in the future if needed...
IPCHAINS=/sbin/ipchains

# First we'll flush the chains (both, so re-running the script
# does not leave duplicate rules in the output chain)
$IPCHAINS -F input
$IPCHAINS -F output

# Allow everything outbound. Some may disagree with this...
$IPCHAINS -A output -i eth0 -s 0/0 -d 0/0 -j ACCEPT

# Allow everything in and out on localhost
$IPCHAINS -A input  -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT

# Deny spoofed networks from the outside world
$IPCHAINS -A input -i eth0 -s 10.0.0.0/8     -d 0/0 -j DENY
$IPCHAINS -A input -i eth0 -s 127.0.0.0/8    -d 0/0 -j DENY
$IPCHAINS -A input -i eth0 -s 172.16.0.0/12  -d 0/0 -j DENY
$IPCHAINS -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j DENY

# Allow the server's own IP addresses
# List each IP assigned to the RaQ, one per line, here
$IPCHAINS -A input -i eth0 -s xxx.xxx.xxx.xxx -j ACCEPT
$IPCHAINS -A input -i eth0 -s xxx.xxx.xxx.xxx -j ACCEPT

# Then start adding the IPs and ports to block
#   -A <chain>      add this rule to chain <chain>
#   -i <ethx>       enforce rule on interface <ethx>
#   -s ip.ad.re.ss  source IP address
#   -p [tcp|udp]    type of packets
#   ! x             anything but port x
#   x:y             from port x to port y
#   -l              log any action
#   -j <action>     jump to action

# TFTP
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 69 -p tcp -l -j DENY
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 69 -p udp -l -j DENY

# MSSQL worm
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 1433:1434 -p udp -l -j DENY
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 1433:1434 -p tcp -l -j DENY

# NetBIOS
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 137:139 -p tcp -j DENY
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 137:139 -p udp -j DENY

# RPC "worm" (CERT 2003-19)
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 135 -p tcp -j DENY
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 135 -p udp -j DENY
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 445 -p tcp -j DENY
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 445 -p udp -j DENY
$IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 4444 -p tcp -l -j DENY

ipchains output (anything with a "-l" switch creates a log entry) is in /var/log/kernel.
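Added example, not part of the original post or of the cobaltfaqs.com package: once the "-l" rules above are in place, the interesting question from the first post (is the load really coming from worm traffic on 1433/1434, and from how many hosts?) can be answered straight from /var/log/kernel. The sh/awk function below summarizes denied packets to those two ports per source address. The log lines are constructed here for illustration, following the ipchains kernel logger layout as I remember it ("Packet log: chain target iface PROTO=n src:sport dst:dport ..."); if your kernel's field order differs, adjust the offsets in the awk script.

```shell
#!/bin/sh
# Constructed sample of ipchains "-l" entries as they land in /var/log/kernel
# (syslog prefix, then the kernel's "Packet log:" record). Field layout after
# "log:" is assumed to be: chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= (#rule)
SAMPLE_LOG='Jan 25 03:12:01 raq kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:1046 198.51.100.2:1434 L=404 S=0x00 I=18632 F=0x0000 T=111 (#12)
Jan 25 03:12:01 raq kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:1046 198.51.100.2:1434 L=404 S=0x00 I=18633 F=0x0000 T=111 (#12)
Jan 25 03:12:02 raq kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.55:3389 198.51.100.2:1433 L=48 S=0x00 I=5210 F=0x4000 T=119 (#13)
Jan 25 03:12:03 raq kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:1072 198.51.100.2:1434 L=404 S=0x00 I=771 F=0x0000 T=113 (#12)
Jan 25 03:12:04 raq kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.55:4000 198.51.100.2:4444 L=48 S=0x00 I=5211 F=0x4000 T=119 (#21)'

# count_worm_hits: read ipchains log lines on stdin and print
#   "<count> <source ip> <dst port> <proto>"
# for every denied packet aimed at the MSSQL ports 1433/1434, busiest source first.
# Lines for other ports (e.g. the 4444 hit above) are ignored.
count_worm_hits() {
    awk '
    /Packet log:/ {
        # find the "log:" token so the syslog prefix length does not matter
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        proto = $(i+4); sub(/^PROTO=/, "", proto)
        src   = $(i+5)
        dst   = $(i+6)
        split(src, s, ":"); sip = s[1]
        m = split(dst, d, ":"); dport = d[m]
        if (dport == "1433" || dport == "1434") {
            pname = (proto == "17") ? "udp" : (proto == "6") ? "tcp" : proto
            count[sip " " dport " " pname]++
        }
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# worm_hit_total: total number of denied 1433/1434 packets in the input
worm_hit_total() {
    count_worm_hits | awk '{ total += $1 } END { print total + 0 }'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | count_worm_hits
printf 'total: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | worm_hit_total)"
```

Against the real log, use it as `count_worm_hits < /var/log/kernel` (or `cat /var/log/kernel* | count_worm_hits` once rotation has kicked in). A long list of distinct sources each sending a few packets is the normal background scanning you will see for years; a handful of sources at very high counts within a minute is the kind of volume that could explain the load the first post describes, and is worth comparing against the timestamps of the httpd pile-up.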