
RE: [cobalt-security] Lame Server messages



Troy Arnold wrote:
<snip>

> Now, after blocking these certain IP addresses yesterday I have 
> been inundated with the following types of errors...
> Aug 29 11:48:40 www named[1738]: Lame server on 
> '61.84.51.194.in-addr.arpa' (in '84.51.194.in-addr.arpa'?):
> [194.235.102.18].53 'galileo.global-one.es'

<snip>
> After a bunch of these types of messages (what is a bunch? 
> 10-12 entries such as these), I get the following type of log
> report. This is just an example as I am not sure how much this
> gives away (perhaps someone could enlighten me on this too).
> Aug 29 13:43:49 www named[XXXX]: Cleaned cache of 124 RRsets
> Aug 29 13:43:49 www named[XXXX]: USAGE 999999999 999999999 
> CPU=17.58u/26.94s CHILDCPU=0u/0s
<snip> 

> These are repeated and repeated within similar log areas.
<snip>

> 1) Have I created problems for legitimate users of our sites 
> in Europe by blocking these ips?

Maybe, maybe not. It entirely depends upon what the actual IPs you blocked
really are: if they're just end-users of an ISP, it might mean that
occasionally people will not be able to view your sites. If they're (say)
ISP mailservers, you won't be able to receive any mail from them. If they're
DNS servers, you won't be able to do any queries which end up being served
by them [note that this depends entirely on *how* you did the block].

> 2) Am I creating these lame server issues by blocking the wrong ips?

No. It may be that by blocking the IP addresses you are now unable to
receive mail from those machines - you emailed the providers, right? So
something may be trying to come back from them: sendmail does a name
lookup locally, your name server software queries the remote nameserver
to see who it is and finds that it holds a lame delegation -
hence the 'lame server' warning.
Basically any time your server needs to do a query on a remote server, and
finds a lame delegation, it will plonk a 'lame server' message in the logs.
Get used to it - your nameserver is telling you just how many badly
configured servers there are out there...

> 3) Is this some type of CNAME exploit?

No. Assuming you're talking about the repeated (every sixty minutes) named
stats dumps, right? That's a default setting in ISC BIND (which 'named' is
the operational part of) which dumps [ahem] 'useful' stats into your syslog.
That's all it is. It can be turned off, but I'll leave that as an exercise
for the reader ;-)

> 4) Can someone enlighten this idiot as to where to locate some good
> definitions of what these LogCheck reports really mean?

'DNS and BIND', Paul Albitz & Cricket Liu, pub. O'Reilly & Associates, ISBN
1-56592-512-2.
http://www.isc.org/products/BIND/
Alternatively of course you could just set LogCheck to ignore them.

> 5) And finally (just like T. Dwyer with Indian Hill Media) are there
> security implications here I am unaware of?

Well... if you're gonna setup LogCheck to ignore things, make sure you're
very very specific with the expressions you set it to ignore. Otherwise you
could well end up missing something important.

Folks: this lame server thing pops up time and time again.

Do we need a list FAQ, or do we need something added to Cobalt's KB about
common log messages?

I think I may prod Cobalt about it.

Graeme

-- 
Graeme Fowler
System Administrator
Host Europe Group PLC
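
An added illustration of the two practical points in Graeme's reply (what a
'Lame server' line actually tells you, and why a LogCheck ignore pattern has
to be specific). This is not code from the thread, from LogCheck or from ISC
BIND: it is a small Python script that parses the BIND 8 message shapes quoted
above and then applies a loose and a specific ignore list to a constructed
syslog sample, the way LogCheck's `egrep -v -f ignore-file` pass does. The
sample lines, the 'unapproved AXFR' refusal and the sshd line are constructed
for the example; the NSTATS/XSTATS names are assumed to be the companions of
the USAGE line.

```python
"""Parse BIND 8 'named' syslog lines and show how a LogCheck-style ignore
list behaves when it is too loose versus when it is specific.

Added example: not code from the original thread, from LogCheck or from ISC
BIND. All log lines below are constructed to resemble the messages quoted
in the thread; the 'unapproved AXFR' and sshd lines are included as the
kind of message an operator would NOT want silently dropped.
"""
import re

# Constructed sample syslog (host 'www', daemon 'named', one hour of traffic).
SAMPLE_LOG = """\
Aug 29 11:48:40 www named[1738]: Lame server on '61.84.51.194.in-addr.arpa' (in '84.51.194.in-addr.arpa'?): [194.235.102.18].53 'galileo.global-one.es'
Aug 29 12:02:11 www named[1738]: Lame server on 'example.com' (in 'example.com'?): [192.0.2.53].53 'ns.example.net'
Aug 29 13:43:49 www named[1738]: Cleaned cache of 124 RRsets
Aug 29 13:43:49 www named[1738]: USAGE 999999999 999999999 CPU=17.58u/26.94s CHILDCPU=0u/0s
Aug 29 13:43:49 www named[1738]: NSTATS 999999999 999999999 A=12 PTR=3
Aug 29 14:10:02 www named[1738]: unapproved AXFR from [203.0.113.7].1025 for "example.org" (acl)
Aug 29 14:10:05 www sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
"""

# Shape of the BIND 8 lame-delegation warning:
#   Lame server on '<name>' (in '<zone>'?): [<ip>].<port> '<server hostname>'
LAME_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: Lame server on '(?P<name>[^']+)' "
    r"\(in '(?P<zone>[^']+)'\?\): \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) '(?P<server>[^']*)'"
)


def parse_lame_server(line):
    """Return a dict describing a 'Lame server' line, or None for other lines."""
    m = LAME_RE.search(line)
    if not m:
        return None
    return {
        "name": m.group("name"),      # the name our resolver was trying to look up
        "zone": m.group("zone"),      # the zone the remote server was delegated for
        "ip": m.group("ip"),          # the remote nameserver that is lame for it
        "server": m.group("server"),  # its hostname, as named resolved it
    }


def lame_servers_by_ip(logtext):
    """Count lame-delegation warnings per remote nameserver IP."""
    counts = {}
    for line in logtext.splitlines():
        event = parse_lame_server(line)
        if event:
            counts[event["ip"]] = counts.get(event["ip"], 0) + 1
    return counts


# Too loose: silences EVERY line named emits, including refused zone transfers.
LOOSE_IGNORE = [r"named\[[0-9]+\]:"]

# Specific: only the three benign message shapes discussed in the thread.
# (NSTATS/XSTATS are assumed to be the hourly companions of the USAGE line.)
SPECIFIC_IGNORE = [
    r"named\[[0-9]+\]: Lame server on '[^']+' \(in '[^']+'\?\): \[[0-9.]+\]\.[0-9]+ '[^']*'$",
    r"named\[[0-9]+\]: Cleaned cache of [0-9]+ RRsets$",
    r"named\[[0-9]+\]: (USAGE|NSTATS|XSTATS) [0-9]+ [0-9]+ ",
]


def filter_log(logtext, ignore_patterns):
    """Mimic LogCheck's 'egrep -v -f ignore-file': drop every line that matches
    any ignore pattern and return the lines that would still be reported."""
    compiled = [re.compile(p) for p in ignore_patterns]
    lines = [ln for ln in logtext.splitlines() if ln.strip()]
    return [ln for ln in lines if not any(c.search(ln) for c in compiled)]


if __name__ == "__main__":
    print("lame delegations per remote server:", lame_servers_by_ip(SAMPLE_LOG))
    for label, patterns in (("loose", LOOSE_IGNORE), ("specific", SPECIFIC_IGNORE)):
        print("\n--- reported with the %s ignore list ---" % label)
        for ln in filter_log(SAMPLE_LOG, patterns):
            print(ln)
```

With the loose list only the sshd line survives: the refused AXFR, the one
named message in the sample that is worth a second look, is thrown away along
with the lame-server noise. The specific list anchors each pattern to the full
shape of the message it is meant to drop, so both the AXFR refusal and the sshd
failure still reach the report.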