[nos-bbs] Jnos memory leak with forwarding

Gustavo Ponza g.ponza at tin.it
Thu Oct 19 17:24:43 EDT 2017


Michael and all,

As far as JNOS is concerned, the problem is subtle, namely it
does not appear as a regular telnet connect, and so for me
it is almost impossible to register what really happens.
I can register the traffic on a 5 min basis and not more.

I never used fail2ban... but I think it goes mad, since
when you block an IP/Hostname the attacker switches to
another identity.

On 10/19/2017 07:38 PM, Michael Fox - N6MEF wrote:
> Gus,
>
> You didn't say what type of "attack".  But if it's login attempts, then a useful tool is fail2ban.  You configure fail2ban to watch nos.log for failed logins (or any other condition for which you write a regex to match) and then ban the offending IP address.  When the match occurs a sufficient number of times, fail2ban writes a rule to iptables to block that IP.  You can define how many failed attempts, over what time period, and how long to block, etc.  After the ban period has expired, fail2ban removes the iptables rule.  You can block repeat offenders longer.  Lots of options.
>
> Michael
> N6MEF
>
>> -----Original Message-----
>> From: nos-bbs [mailto:nos-bbs-bounces at tapr.org] On Behalf Of Gustavo Ponza
>> Sent: Thursday, October 19, 2017 10:12 AM
>> To: nos-bbs at tapr.org
>> Subject: Re: [nos-bbs] Jnos memory leak with forwarding
>>
>>
>>
>> On 10/19/2017 04:02 PM, Brian wrote:
>>> Gus;
>>>
>>> On Thu, 2017-10-19 at 12:04 +0200, Gustavo Ponza wrote:
>>>
>>>> I don't know your or other situations
>>>> but from my experience many resources
>>>> are spent to reply to the many attacks
>>>> to our systems... the jnos is rebooting
>>>> more frequently at least from the last
>>>> year... other programs seem to remain
>>>> hard rock without any collapse.
>>> Why is your jnos rebooting from attacks? That should never EVER happen.
>>> If so, this is a critical warning sign that your iptables rules need
>>> fixing.
>> Hi Brian,
>>
>> you surely have full reasons about iptables rules, but how to
>> contrast the following situation? I'm not able to manage it.
>>
>> A list of the actual attackers follows:
>>
>>
>> --
>> 73 and ciao, gus i0ojj/ir0aab
>> A proud member of linux team
>> Quidquid latine dictum sit, altum videtur
>>
>> _______________________________________________
>> nos-bbs mailing list
>> nos-bbs at tapr.org
>> http://www.tapr.org/mailman/listinfo/nos-bbs

-- 
73 and ciao, gus i0ojj/ir0aab
A proud member of linux team
Quidquid latine dictum sit, altum videtur
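
Added example, not part of the original messages and not fail2ban's own code: a simplified Python model of the behaviour described in the quoted reply (count failed logins per address within a time window, block, unblock after the ban period, block repeat offenders longer). The log layout, FAIL_RE and the doubling factor are assumptions, since the thread does not show nos.log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; the thread does not show nos.log, so this layout is assumed.
SAMPLE_LOG = """\
2017-10-19 17:00:01 198.51.100.7 login failed
2017-10-19 17:00:05 198.51.100.7 login failed
2017-10-19 17:00:09 198.51.100.7 login failed
2017-10-19 17:01:00 203.0.113.9 login failed
2017-10-19 17:30:00 203.0.113.9 login failed
2017-10-19 18:10:00 198.51.100.7 login failed
2017-10-19 18:10:02 198.51.100.7 login failed
2017-10-19 18:10:04 198.51.100.7 login failed
2017-10-19 18:10:30 198.51.100.20 login ok
"""
# Hypothetical failure pattern: timestamp, IPv4 source, literal "login failed".
FAIL_RE = re.compile(r"^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}) login failed$")

def simulate(log, maxretry=3, findtime=600, bantime=3600, factor=2):
    """Return [(action, ip, ban_seconds)] in the order the actions would occur."""
    recent = defaultdict(deque)    # ip -> failure times still inside findtime
    banned_until = {}              # ip -> time the block rule is removed
    times_banned = defaultdict(int)
    events = []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        for addr, until in list(banned_until.items()):
            if until <= ts:        # ban period over: rule removed
                del banned_until[addr]
                events.append(("unban", addr, 0))
        if ip in banned_until:
            continue               # still blocked, nothing to count
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()       # forget failures older than findtime
        if len(window) >= maxretry:
            seconds = bantime * factor ** times_banned[ip]  # repeat offenders longer
            times_banned[ip] += 1
            banned_until[ip] = ts + timedelta(seconds=seconds)
            events.append(("ban", ip, seconds))
            window.clear()
    return events

if __name__ == "__main__":
    for event in simulate(SAMPLE_LOG):
        print(event)
```

Failures that arrive from a different address each time never reach maxretry for any single address, so this per-address counting produces no ban for them.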
