[H-GEN] Fixes for excalibur's backup
Robert Brockway
robert at timetraveller.org
Mon Jul 13 18:40:51 EDT 2009
On Mon, 13 Jul 2009, Russell Stuart wrote:
> don't know what is doing it yet, but if I was forced to take a guess
> now it would be rkhunter.
rkhunter would be hitting some files.
updatedb is probably doing them all.
> In any case it is not rkhunter's problem. The backup should cope with
Agreed.
> changing access times. I have a plan of attack, and will send a fix
> through this week.
Do we want to remount the filesystem noatime? It offers a small
performance advantage. A few apps dislike this, however, but I don't think
it should matter to us.
An alternative, relatime, won't help in this case.
> Although that is the major problem, it is not the only one. Other
> issues are:
>
> 1. Someone has installed a firewall that logs every ACCEPT packet.
The firewall is logging every connection rather than every packet. Here
are the relevant rules:
#
# Silently accept non-initiating packets (conntrack)
#
iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
iptables -A FIREWALL -p tcp --dport 22 -j ACCEPT-LOG
..etc etc..
# Drop everything else
iptables -A FIREWALL -j DROP-LOG
> This causes several log files to grow by 12M per day each.
We're getting one new connection every 2-3 seconds (as a rough estimate).
This is hitting several logs, which is overkill.
We can adjust logging.
> I would be interested to hear the justification for logging
> ACCEPT packets. If there isn't one, please turn it off.
This is standard for firewalls I set up, so it got added by default when I
loaded the ruleset. It's useful for diagnostics, tracking attacks, etc.
It isn't essential but my preference is to retain it if we can.
> 2. The auth log is growing faster than I expected. Turns out this
> is because of dictionary attacks against ssh. Is it possible
> to move ssh to a non standard port?
I'd rather not. There are better ways to deal with ssh attacks.
We can use fail2ban, which will raise a firewall in the face of an attack
against ssh. In fact we _should_ use this anyway. I'll add it unless I
hear howls of objection.
Do we need to back up everything in /var/log?
There is duplication in the logging that we should fix.
Rob
--
I tried to change the world but they had a no-return policy
Projected IPv4 exhaustion: http://www.potaroo.net/tools/ipv4/index.html
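The fail2ban behaviour Rob proposes above (ban a source after repeated ssh failures), as an added example that is not part of the thread and not fail2ban's own code. It runs fail2ban's maxretry/findtime logic over constructed auth.log lines and returns the ban rules that logic would insert. The host name, PIDs, addresses, the year 2009 (syslog omits it) and the fail2ban-ssh chain name are all assumptions.

```python
"""Fail2ban-style detection of ssh dictionary attacks.

Added example, not code from the thread or from fail2ban itself: it runs over
constructed auth.log lines and reports which source addresses fail2ban's
ssh jail logic (maxretry failures inside findtime seconds) would ban.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines in OpenSSH's syslog format.  Host name,
# PIDs and addresses are made up; the addresses are RFC 5737 documentation
# ranges.
SAMPLE_AUTH_LOG = """\
Jul 13 18:40:51 excalibur sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jul 13 18:40:53 excalibur sshd[4103]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Jul 13 18:40:55 excalibur sshd[4105]: Failed password for root from 198.51.100.7 port 40141 ssh2
Jul 13 18:40:57 excalibur sshd[4107]: Failed password for invalid user oracle from 198.51.100.7 port 40150 ssh2
Jul 13 18:40:59 excalibur sshd[4109]: Failed password for invalid user guest from 198.51.100.7 port 40162 ssh2
Jul 13 18:41:10 excalibur sshd[4111]: Failed password for rob from 203.0.113.9 port 50200 ssh2
Jul 13 18:41:20 excalibur sshd[4113]: Accepted password for rob from 203.0.113.9 port 50200 ssh2
Jul 13 19:05:00 excalibur sshd[4200]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jul 13 19:30:00 excalibur sshd[4201]: Failed password for root from 192.0.2.44 port 33002 ssh2
Jul 13 19:55:00 excalibur sshd[4202]: Failed password for root from 192.0.2.44 port 33003 ssh2
Jul 13 20:20:00 excalibur sshd[4203]: Failed password for root from 192.0.2.44 port 33004 ssh2
Jul 13 20:45:00 excalibur sshd[4204]: Failed password for root from 192.0.2.44 port 33005 ssh2
"""

# syslog timestamp, host, "sshd[pid]:", then the OpenSSH failure message.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(text, year=2009):
    """Return [(datetime, source_ip)] for every sshd 'Failed password' line.

    syslog omits the year, so the caller supplies it (assumed 2009 here, the
    date of the thread).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue  # "Accepted password", other daemons, etc.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def find_offenders(events, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for sources with at least maxretry failures
    inside any findtime-second sliding window, which is how fail2ban's
    findtime/maxretry pair works.  Defaults match fail2ban's shipped defaults
    (5 retries, 600 s)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = {}
    for ts, ip in sorted(events):
        if ip in banned:
            continue              # already banned; nothing more to count
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # expire failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_command(ip, jail="ssh"):
    """An iptables rule of the shape fail2ban's iptables action inserts for a
    ban.  Assumption: a per-jail chain named fail2ban-<jail>, as in fail2ban's
    action.d/iptables.conf."""
    return f"iptables -I fail2ban-{jail} 1 -s {ip} -j DROP"


def scan(text=SAMPLE_AUTH_LOG, **kw):
    """Parse the log and return the sorted list of ban commands to apply."""
    banned = find_offenders(parse_failed_logins(text), **kw)
    return [ban_command(ip) for ip in sorted(banned)]


if __name__ == "__main__":
    for cmd in scan():
        print(cmd)
```

The 192.0.2.44 lines show why findtime matters: five failures spread over 100 minutes never reach maxretry inside the 10-minute window, so a slow, low-rate attacker is not banned with the defaults; raising findtime (or lowering maxretry) catches it at the cost of more false positives from users who mistype their password.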