
Re: [cobalt-security] SYN attacks killing me! Please HELP!



> Does not seem to be the kernel.  I mean not the Cobalt kernel.  From
> what I  have read, the fix to the kernel from Apache.org stopped the
> people from  taking control of your server.  It does not stop what you
> are getting.  The  Cobalt kernel has incorporated the changes to the
> current kernel.  If you  did the update you have the latest fix by
> Apache.org.
> Read this
> http://www.extremetech.com/article2/0,3973,302776,00.asp
> It appears the fix to apache just keeps the person from getting root
> access, not from doing the DOS.

Sorry I missed this part in my first email:

Yes, I'm colocated, and the colo company asked me to hand them the IP
address of the attacker in order to block them. Man.. I can do that with
ipchains.. in fact I've done that, it's just that after a few hours or days the
attacker moves to a different IP and the problem restarts. I'll ask them
to consider passing only valid SYNs, as suggested in this list.

Well.. Apache itself is not the problem.. I don't think it is. For these
reasons:
1- I've been logged in to the server when attacks come; attacks are mostly
on port 21 and sometimes on port 80 (anyway I'll take care of port 81 as
suggested here too, thanks)
2- After the system reboots, I check /var/log/kernel.log and I get lots
of: Possible syn flooding on port 21, sending cookies, after 10 or more
lines like this, no more messages.

That's why I think it's the old kernel... BTW, the colo told us they
have had a very busy week rebooting Cobalts all around the facility,
for the same reason.

Well.. actually I can't think of what else to do to stay macho man and not
ask for a reboot every X time.

Waiting for more suggestions

Ernesto