[Info-vax] Anti-virus ?
Hunter Goatley
goathunter at goatley.com
Mon Aug 14 17:10:31 EDT 2023

On 8/14/2023 8:39 AM, Simon Clubley wrote:
>
> Every so often, Eisner's network services (including SSH) simply stop
> working. Sometimes, basic stuff such as ICMP continues to work, but
> anything involving process creation is utterly stuffed.

Lately, it's been a problem of EISNER seeing an unprecedented (per
EISNER's history) level of dictionary attacks via SSH and SMTP. I've had
to increase quotas for MultiNet's Intrusion Prevention Service process
to try to keep up with the events. Each time, I've thought, "Well, that
should be enough," and then the number of attacks grows, and it's not.
Something in all of that is eating up paged memory, and when the system
runs out of that, pretty much everything stops, and the system has to be
rebooted.

I thought EISNER was getting hit hard before the recent relocation, but
the number of SSH and SMTP connections trying bogus usernames or trying
to guess passwords has shot up dramatically since the relocation.
Apparently, EISNER's new IP address makes it a bigger target than the
previous address for some reason.

Over the past three days, over 21,000 IP address filters were
automatically created in response to the attempts. That's not the total
number of connections, just the connections that triggered IPS to create
a filter. While I was checking that number, I saw five more get created
in the 20 seconds I was looking.

If I could block certain countries, a lot of the problem would be
alleviated. But that doesn't really work for a system like EISNER, which
aims to be open to everyone.

So we learn, adjust, reboot, and repeat.

Oh, and since EISNER is no one's full-time job, that process is taking
longer than it might otherwise. I sometimes see that EISNER is not
answering before anyone else---but not always.

--
Hunter
------
Hunter Goatley, Process Software, http://www.process.com/
goathunter at goatley.com http://hunter.goatley.com/