[H-GEN] Fixes for excalibur's backup
robert at timetraveller.org
Mon Jul 13 18:40:51 EDT 2009
On Mon, 13 Jul 2009, Russell Stuart wrote:
> don't know what is doing it is yet, but if I was forced to take a guess
> now it would be rkhunter.
rkhunter would be hitting some files.
updatedb is probably doing them all.
> In any case it is not rkhunter's problem. The backup should cope with
> changing access times. I have a plan of attack, and will send a fix
> through this week.
Do we want to remount the filesystem noatime? It offers a small
performance advantage. A few apps dislike this however, but I don't think
it should matter to us.
An alternative, relatime, won't help in this case.
> Although that is the major problem, it is not the only one. Other
> issues are:
> 1. Someone has installed a firewall that logs every ACCEPT packets.
The firewall is logging every connection rather than every packet. Here
are the relevant rules:
# Silently accept non-initiating packets (conntrack)
iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FIREWALL -p tcp --dport 22 -j ACCEPT-LOG
# Drop everything else
iptables -A FIREWALL -j DROP-LOG
> This causes the several log files to grow by 12M per day each.
We're getting one new connection every 2-3 seconds (as a rough estimate).
This is hitting several logs, which is overkill.
We can adjust logging.
> I would be interested to hear the justification for logging
> ACCEPT packets. If there isn't one, please turn it off.
This is standard for firewalls I setup so it got added by default when I
loaded the ruleset. It's useful for diagnostics, tracking attacks, etc.
It isn't essential but my preference is to retain it if we can.
> 2. The auth log is growing faster than I expected. Turn out this
> is because of dictionary attacks against ssh. Is it possible
> to move ssh to a non standard port?
I'd rather not. There are better ways to deal with ssh attacks.
We can use fail2ban, which will raise a firewall in the face of an attack
against ssh. In fact we _should_ use this anyway. I'll add it unless I
hear howls of objection.
Do we need to backup everything /var/log?
There is duplication in the logging that we should fix.
I tried to change the world but they had a no-return policy
Projected IPv4 exhaustion: http://www.potaroo.net/tools/ipv4/index.html
More information about the General