SYN attacks from nagios

Terry td3201 at gmail.com
Thu Sep 14 20:30:29 CEST 2006


The device that is detecting the "attack" is a content switch, which
sits in front of all the hosts.  There isn't a particular command that
is triggering the alert.

Here are two that I have seen for sure:

define service {
        name check_nt_cpu
        check_command check_nt_cpu!1111!foo!10,90,95,60,80,95,1440,80,95
        max_check_attempts 3
        normal_check_interval 3
        retry_check_interval 3
        active_checks_enabled 1
        passive_checks_enabled 1
        check_period 24x7
        parallelize_check 1
        obsess_over_service 0
        check_freshness 0
        event_handler_enabled 1
        flap_detection_enabled 1
        process_perf_data 1
        retain_status_information 1
        retain_nonstatus_information 1
        notification_interval 5
        notification_period 24x7
        notifications_enabled 1
        register 0
        notification_options w,u,c,r
}

define service {
        name pmo-service-24x7
        max_check_attempts 3
        normal_check_interval 3
        retry_check_interval 3
        active_checks_enabled 1
        passive_checks_enabled 1
        check_period 24x7
        parallelize_check 1
        obsess_over_service 0
        check_freshness 0
        event_handler_enabled 1
        flap_detection_enabled 1
        process_perf_data 1
        retain_status_information 1
        retain_nonstatus_information 1
        notification_interval 5
        notification_period 24x7
        notifications_enabled 1
        register 0
        notification_options w,u,c,r
}


These are just templates but contain all the info that is important to
this discussion.  These are the same as the 1.2 host as well.


On 9/14/06, Donnell Lewis <donnell.lewis at icoretechnology.com> wrote:
> Did the 'ping' command check itself change between the 2 different
> versions?  Check in checkcommands.cfg, see if the command definition is
> the same between the two.
>
> -DL
>
> On Thu, 2006-09-14 at 17:07 +0100, rob.moss at uk.bnpparibas.com wrote:
> > nagios-users-bounces at lists.sourceforge.net wrote on 14/09/2006 17:00:29:
> >
> > > Good morning,
> > >
> > > I have 2 nagios servers.  One is running 1.2 and the other is running
> > > 2.5.  Both are running in parallel while I migrate to the 2.5 machine.
> > >  Our content switch is detecting that the 2.5 machine is SYN attacking
> > > hosts.  Both servers have very similar monitoring sets and similar
> > > configurations.  I have gone through the config and nothing stands
> > > out.  Obviously, the 2.5 machine is pounding the servers more heavily
> > > but I can't figure out why.  Below is my config.
> > >
> >
> > Good evening!
> >
> > <config snipped>
> >
> > What checks are you running against the server that is detecting the SYN
> > attacks?
> >
> > The config you posted is the general nagios config; we would need to see
> > the services.cfg portions for the affected host(s).
> >
> > Cheers
> >
> >
> > -------------------------------------------------------------------------
> > Using Tomcat but need to do more? Need to support web services, security?
> > Get stuff done quickly with pre-integrated technology to make your job easier
> > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> > _______________________________________________
> > Nagios-users mailing list
> > Nagios-users at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nagios-users
> > ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
> > ::: Messages without supporting info will risk being sent to /dev/null
>
>
>
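
The comparison suggested in the quoted reply (checking whether definitions match between the 1.2 and 2.5 servers), as an added example that is not part of the original thread: a small parser for Nagios `define` blocks plus a directive-level diff. The two sample configs and their `check_ping` command lines are constructed for illustration; only the template name and its two interval values are taken from the message above.

```python
import re

DEFINE_RE = re.compile(r"^define\s+(\w+)\s*\{?$")
ID_FIELDS = ("command_name", "name", "service_description")

def parse_objects(text):
    """Return {(type, identity): {directive: value}} for each define block."""
    objects, current, obj_type = {}, None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts an inline comment
        if not line or line.startswith("#"):
            continue
        m = DEFINE_RE.match(line)
        if m and current is None:
            obj_type, current = m.group(1), {}
        elif line == "}" and current is not None:
            ident = next((current[f] for f in ID_FIELDS if f in current), "?")
            objects[(obj_type, ident)] = current
            current = None
        elif current is not None:
            name, *rest = line.split(None, 1)    # directive, then its value
            current[name] = rest[0] if rest else ""
    return objects

def diff_configs(old_text, new_text):
    """List (object key, directive, old value, new value) for each mismatch."""
    old, new = parse_objects(old_text), parse_objects(new_text)
    changes = []
    for key in sorted(set(old) | set(new)):
        a, b = old.get(key, {}), new.get(key, {})
        for directive in sorted(set(a) | set(b)):
            if a.get(directive) != b.get(directive):
                changes.append((key, directive, a.get(directive), b.get(directive)))
    return changes

# Constructed samples: the command definitions are NOT from the thread.
OLD_12 = """
define command{
        command_name check_ping
        command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 1
        }
define service {
        name pmo-service-24x7
        normal_check_interval 3
        retry_check_interval 3
}
"""
NEW_25 = OLD_12.replace("-p 1", "-p 5")  # constructed difference

if __name__ == "__main__":
    for (kind, ident), directive, before, after in diff_configs(OLD_12, NEW_25):
        print(f"{kind} {ident}: {directive}\n  1.2: {before}\n  2.5: {after}")
```

Feeding it the real `checkcommands.cfg` and `services.cfg` contents from both servers lists every directive that differs, including objects present on only one side (the missing side shows as `None`).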





