[BlueOnyx:25693] Re: Blueonyx Digest, Vol 167, Issue 5

Ed Qualls eduard.qualls at gmail.com
Fri Nov 11 16:24:05 -05 2022


Michael Stauber: the "reload" command wasn't issued because of a pending
reboot, but somehow that was overlooked.
Issuing the "reload" command yesterday took care of all the ones in the
first batch of fifty—except one (61.177.172.19), which I've verified as
being in (yesterday's) rejection rules, but snuck in overnight, with 180
login attempts, anyway.

Interestingly, after I set the failed login limit to 5 per hour yesterday,
there were 1061 attempts listed in the BlueOnyx "Failed Login History" as
having occurred within 6 minutes this morning, all coming just from
34.133.32.234.
(I filed a report with Google about the abuse, using their online form:
that address is a Google Cloud server.)

There were 36 failed attempts from 61.177.173.55 (of 228 total reported)
during a single minute, too, and lots of other such single-minute attacks
from other IPs.

Does this mean the "failed logins per minute" limit isn't working? The
server doesn't need to be rebooted after changing that failed-login limit,
does it?
Or has the firewall been breached?


On Fri, Nov 11, 2022 at 6:15 AM <blueonyx-request at mail.blueonyx.it> wrote:

> Send Blueonyx mailing list submissions to
>         blueonyx at mail.blueonyx.it
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mail.blueonyx.it/mailman/listinfo/blueonyx
> or, via email, send a message with subject or body 'help' to
>         blueonyx-request at mail.blueonyx.it
>
> You can reach the person managing the list at
>         blueonyx-owner at mail.blueonyx.it
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Blueonyx digest..."
>
> Today's Topics:
>
>    1. [BlueOnyx:25681] login attempts after IP added to firewall reject list (Ed Qualls)
>    2. [BlueOnyx:25682] Re: login attempts after IP added to firewall reject list (Larry Smith)
>    3. [BlueOnyx:25683] Re: login attempts after IP added to firewall reject list (Michael Stauber)
>    4. [BlueOnyx:25684] System fails to start after kernel update last night. (Ceelie, Arie (VodafoneZiggo))
>    5. [BlueOnyx:25685] Re: System fails to start after kernel update last night. (Ceelie, Arie (VodafoneZiggo))
>
>
>
> ---------- Forwarded message ----------
> From: Ed Qualls <eduard.qualls at gmail.com>
> To: blueonyx at mail.blueonyx.it
> Cc:
> Bcc:
> Date: Thu, 10 Nov 2022 18:13:36 -0600
> Subject: [BlueOnyx:25681] login attempts after IP added to firewall reject
> list
> As root, I added IP addresses that the firewall should reject immediately.
> Getting status showed that they had been added to the reject list.
> However, they are still showing up in BlueOnyx with attempts to login as
> root.
>
> For example, I used
>
> firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source
> address='61.177.172.191' reject"
> on one IP address, but just today, someone/something on that IP tried to
> login almost 800 times.
>
> (That IP is registered in Lianyungang city, Jiangsu province, Communist
> China.)
>
>
> Was that not the correct command to use to force rejection of that IP
> address in AlmaLinux/BlueOnyx?
>
> --
> Eduard Qualls
> www.eduardqualls.com
>
>
>
>
> ---------- Forwarded message ----------
> From: Larry Smith <lesmith at ecsis.net>
> To: blueonyx at mail.blueonyx.it
> Cc: Ed Qualls <eduard.qualls at gmail.com>
> Bcc:
> Date: Thu, 10 Nov 2022 19:25:06 -0500
> Subject: [BlueOnyx:25682] Re: login attempts after IP added to firewall
> reject list
> Ed,
>
>   In my small amount of playing with the firewalld
> rules I believe that the server uses the zone public
> for its primary ruleset.  I have added both allow and
> deny rules to the zone by editing the
> /etc/firewalld/zones/public.xml file and then restarting
> firewalld (systemctl restart firewalld) with great success.
> My server has nothing under ipsets, policies, services,
> icmptypes or helpers.
>
> --
> Larry Smith
> lesmith at ecsis.net
>
> On Thu November 10 2022 18:13, Ed Qualls wrote:
> > As root, I added IP addresses that the firewall should reject
> immediately.
> > Getting status showed that they had been added to the reject list.
> > However, they are still showing up in BlueOnyx with attempts to login as
> > root.
> >
> > For example, I used
> >
> > firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source
> > address='61.177.172.191' reject"
> > on one IP address, but just today, someone/something on that IP tried to
> > login almost 800 times.
> >
> > (That IP is registered in Lianyungang city, Jiangsu province, Communist
> > China.)
> >
> >
> > Was that not the correct command to use to force rejection of that IP
> > address in AlmaLinux/BlueOnyx?
>
>
>
>
> ---------- Forwarded message ----------
> From: Michael Stauber <mstauber at blueonyx.it>
> To: blueonyx at mail.blueonyx.it
> Cc:
> Bcc:
> Date: Thu, 10 Nov 2022 19:36:14 -0500
> Subject: [BlueOnyx:25683] Re: login attempts after IP added to firewall
> reject list
> Hi Ed,
>
> > For example, I used
> >
> > firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source
> > address='61.177.172.191' reject"
> > on one IP address, but just today, someone/something on that IP tried to
> > login almost 800 times.
> >
> > (That IP is registered in Lianyungang city, Jiangsu province, Communist
> > China.)
> >
> > Was that not the correct command to use to force rejection of that IP
> > address in AlmaLinux/BlueOnyx?
>
> Did you issue ...
>
> firewall-cmd --reload
>
> ... after adding the rich-rule?
>
> Here is a good tutorial that covers all the basics of Firewalld:
>
>
> https://www.computernetworkingnotes.com/linux-tutorials/firewalld-rich-rules-explained-with-examples.html
>
> --
> With best regards
>
> Michael Stauber
>
>
>
>
> ---------- Forwarded message ----------
> From: "Ceelie, Arie (VodafoneZiggo)" <arie.ceelie at vodafoneziggo.com>
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
> Cc:
> Bcc:
> Date: Fri, 11 Nov 2022 11:39:08 +0000
> Subject: [BlueOnyx:25684] System fails to start after kernel update last
> night.
> Hi all,
>
> this morning the kernel of my almalinux system was updated to
> vmlinuz-4.18.0-425.3.1. And then it rebooted in rescue mode. I tried both
> old kernels and still it reboots into rescue mode.
> When I use grubby to see the kernel index I also get a grub-editenv:
> error: cannot rename the file /boot/grub2/grubenv.new to /boot/grub/grubenv
> (no such file or directory)
>
>    1. IS this error related to the boot failure?
>    2. What can I do to get the system up and running again?
>
> Until the kernel update it was working fine, even when rebooting.
>
> Cheers,
>
> Arie
>
>
> C2 VodafoneZiggo Internal
>
>
>
> ---------- Forwarded message ----------
> From: "Ceelie, Arie (VodafoneZiggo)" <arie.ceelie at vodafoneziggo.com>
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
> Cc:
> Bcc:
> Date: Fri, 11 Nov 2022 12:13:47 +0000
> Subject: [BlueOnyx:25685] Re: System fails to start after kernel update last night.
> Few errors from journalctl -xb:
> interface rename errors for eth3 and eth1
> /sbin/mdadm -I /dev/sdc failed with exit code 1 (sdc and sdd are backup
> disks, not OS disks)
> dev-sde2.device: job /start timed out (missing USB-disk)
>
> no other errors......
>
> I'm lost here.
>
>
> ------------------------------
> From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> on behalf of Ceelie,
> Arie (VodafoneZiggo) <arie.ceelie at vodafoneziggo.com>
> Sent: Friday, 11 November 2022 12:39
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
> Subject: [BlueOnyx:25684] System fails to start after kernel update last night.
>
> Hi all,
>
> this morning the kernel of my almalinux system was updated to
> vmlinuz-4.18.0-425.3.1. And then it rebooted in rescue mode. I tried both
> old kernels and still it reboots into rescue mode.
> When I use grubby to see the kernel index I also get a grub-editenv:
> error: cannot rename the file /boot/grub2/grubenv.new to /boot/grub/grubenv
> (no such file or directory)
>
>    1. IS this error related to the boot failure?
>    2. What can I do to get the system up and running again?
>
> Until the kernel update it was working fine, even when rebooting.
>
> Cheers,
>
> Arie
>
>
> C2 VodafoneZiggo Internal
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>


-- 
Eduard Qualls
www.eduardqualls.com
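The thread turns on one firewalld detail: a rich rule added with --permanent is written to disk but is not enforced until firewall-cmd --reload copies the permanent configuration into the runtime set, which is what Michael's reply points at. The script below is an added example, not code from BlueOnyx, firewalld or anyone on this list. It (1) tells a rule that is live in the runtime set apart from one that exists only in the permanent set, matching the exact address so that a rule for 61.177.172.191 is not taken as covering 61.177.172.19, and (2) counts sshd "Failed password" lines per source address per minute, which is the quickest way to see whether a per-minute failed-login limit can be holding. The sample rule listings and log lines are constructed for the example; the host name srv, the file name check_reject.sh and the sshd process IDs are assumptions. The helpers work on text on stdin or in arguments, so they run without firewalld; check_host is the part that calls firewall-cmd and only runs when an address is given on a host that has it.

```shell
#!/bin/sh
# Added example for the firewalld question in this thread (not BlueOnyx or
# firewalld project code). Two checks:
#   1. is a reject rich rule in the RUNTIME ruleset, or only in the PERMANENT
#      one? A rule added with --permanent is not enforced until
#      `firewall-cmd --reload`.
#   2. how many failed logins did each source IP produce per minute, read
#      from /var/log/secure-style sshd lines?
# The text helpers take stdin/arguments so they run on constructed sample
# data; firewall-cmd is only called by check_host.

# Exit 0 if the rich-rule listing on stdin has a reject or drop rule whose
# source is exactly $1 (or $1/32). A rule for 61.177.172.191 therefore does
# not count as covering 61.177.172.19.
rule_blocks_ip() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "source address=\"${esc}(/32)?\".*(reject|drop)( |$)"
}

# Print the rules present in the permanent listing ($2) but not in the
# runtime listing ($1): these exist on disk but are not being enforced.
pending_rules() {
    _rt=$(mktemp)
    printf '%s\n' "$1" | grep -v '^$' > "$_rt" || true
    printf '%s\n' "$2" | grep -vxFf "$_rt" || true
    rm -f "$_rt"
}

# Read sshd "Failed password" lines on stdin and print
# "<ip> <Mon> <day> <HH:MM> <count>" for every IP/minute with >= $1 attempts.
bursts_per_minute() {
    awk -v limit="$1" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            key = ip " " $1 " " $2 " " substr($3, 1, 5)
            n[key]++
        }
        END { for (k in n) if (n[k] >= limit) print k, n[k] }' | sort
}

# Constructed sample data: a rule added with --permanent but not yet
# reloaded, and a burst of root login failures from one address in a minute.
SAMPLE_RUNTIME='rule family="ipv4" source address="203.0.113.9" reject'
SAMPLE_PERMANENT='rule family="ipv4" source address="203.0.113.9" reject
rule family="ipv4" source address="61.177.172.191" reject'
SAMPLE_LOG='Nov 11 06:02:13 srv sshd[2101]: Failed password for root from 34.133.32.234 port 51230 ssh2
Nov 11 06:02:14 srv sshd[2103]: Failed password for root from 34.133.32.234 port 51231 ssh2
Nov 11 06:02:14 srv sshd[2105]: Failed password for invalid user admin from 34.133.32.234 port 51232 ssh2
Nov 11 06:02:15 srv sshd[2107]: Failed password for root from 34.133.32.234 port 51233 ssh2
Nov 11 06:02:16 srv sshd[2109]: Failed password for root from 34.133.32.234 port 51234 ssh2
Nov 11 06:02:16 srv sshd[2111]: Failed password for root from 34.133.32.234 port 51235 ssh2
Nov 11 06:03:02 srv sshd[2113]: Failed password for root from 203.0.113.9 port 40001 ssh2
Nov 11 06:03:40 srv sshd[2115]: Accepted publickey for admin from 198.51.100.7 port 40002 ssh2'

# Live check on the host, as root:  sh check_reject.sh 61.177.172.191
# --list-rich-rules without --zone shows the default zone; confirm the
# interface facing the attacker is bound to that zone (--get-active-zones).
check_host() {
    echo "default zone: $(firewall-cmd --get-default-zone)"
    echo "active zones and their interfaces:"
    firewall-cmd --get-active-zones
    runtime=$(firewall-cmd --list-rich-rules)
    permanent=$(firewall-cmd --permanent --list-rich-rules)
    if printf '%s\n' "$runtime" | rule_blocks_ip "$1"; then
        echo "$1: reject/drop rule is in the runtime set (enforced now)"
    elif printf '%s\n' "$permanent" | rule_blocks_ip "$1"; then
        echo "$1: rule is only in the permanent set; run: firewall-cmd --reload"
    else
        echo "$1: no reject/drop rich rule for this exact address in the default zone"
    fi
    echo "permanent rules not yet active:"
    pending_rules "$runtime" "$permanent"
    echo "source IPs with 5 or more failures in one minute:"
    bursts_per_minute 5 < /var/log/secure
}

if [ "$#" -ge 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
    check_host "$1"
fi
```

Two caveats worth keeping in mind when reading its output. firewall-cmd --reload replaces the runtime set with the permanent configuration, so any rule that was added without --permanent is gone after the reload; to have a rule enforced immediately and survive a reload, either add it permanently and reload, or run the add-rich-rule command twice, once with --permanent and once without. And a failed-login entry records a connection that reached sshd, so an entry timestamped after the rule was in the runtime set means that connection was not matched by the rule: check the address is the exact one in the rule, that the rule sits in the zone the interface is bound to, and that it is not still permanent-only.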