Linode Community Forums
Posted: Wed Apr 18, 2012 5:25 pm
Senior Newbie (Joined: Thu Jul 28, 2011 2:39 am, Posts: 8, Location: United States)
Our sites suddenly went down today, and our Lish console is being flooded with firewall rules like these:

====
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=71.34.61.229 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=46032 DF PROTO=TCP SPT=2915 DPT=2222 WINDOW=16384 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=63687 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=64210 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=65225 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
====

Can anybody help me decipher what is going on here? Are we under attack, or is this something else? Whatever is going on prevents all web traffic, though I'm still able to SSH into the machine.

I know my way around the server fairly well, but I'm no expert especially with firewall config. I set it up on day one, and have not touched it since.

Any advice would be very appreciated, thanks.


Posted: Wed Apr 18, 2012 5:39 pm
Senior Member (Joined: Sat Aug 30, 2008 1:55 pm, Posts: 1739, Location: Rochester, New York)
It looks like 110.82.208.111 is trying to send you e-mail, and 71.34.61.229 (a DSL connection near Minneapolis) is trying to connect to port 2222. Neither is succeeding.

Define "being flooded"... how many per second? What does "ufw status" say? (Does it say that HTTP is allowed?)

It doesn't look like an attack, and I can connect to port 80 on 66.228.55.188 just fine from here...

_________________
Code:
/* TODO: need to add signature to posts */


Posted: Wed Apr 18, 2012 5:46 pm
Senior Newbie (Joined: Thu Jul 28, 2011 2:39 am, Posts: 8, Location: United States)
I'm starting to think this is definitely some kind of brute force attack.

You can get to the server now, because I rebooted.

But the flood continues, and there are several new attempts once per second.

I am watching them come in live; one IP will make repeated attempts.

Then I block it in my iptables, they pause, and start back up with another IP. I block it, rinse and repeat.

I'm assuming I'm fighting an army of netbots of some sort; all of the IPs are completely different.

Short of sitting here fighting them off one by one, what can I do here?

Thanks!


Posted: Wed Apr 18, 2012 6:08 pm
Senior Newbie (Joined: Thu Jul 28, 2011 2:39 am, Posts: 8, Location: United States)
Definitely under attack; here's what I'm seeing in auth.log:

==========================
Apr 17 20:36:27 electricjet sshd[7816]: Failed password for root from 82.147.114.22 port 60619 ssh2
Apr 17 20:36:29 electricjet sshd[7818]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 20:36:29 electricjet sshd[7818]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.147.114.22 user=root
Apr 17 20:36:31 electricjet sshd[7818]: Failed password for root from 82.147.114.22 port 60774 ssh2
Apr 17 20:36:33 electricjet sshd[7820]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 20:36:33 electricjet sshd[7820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.147.114.22 user=root
Apr 17 20:36:35 electricjet sshd[7820]: Failed password for root from 82.147.114.22 port 60931 ssh2
Apr 17 20:36:37 electricjet sshd[7822]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
===========================


I just banned the IP that shows up in the reverse mapping:

82.147.114.22

I'm kind of figuring all of this out on the fly here so if anybody has any good advice on how to stop this I'm all ears.

Edit:

Okay, that worked for a while, but they have started up again.
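The two log formats in this thread, decoded and counted by a small triage script. This is an added example, not code from the thread or from DenyHosts; the sample lines are taken from the posts above plus one constructed sshd line using the 203.0.113.7 documentation address.

```python
"""Triage UFW BLOCK lines and sshd "Failed password" lines: count hits per source
and pick ban candidates the way a log-watching banner (DenyHosts-style) would."""
import re
from collections import Counter

# [UFW BLOCK] ... SRC=a.b.c.d ... PROTO=TCP ... DPT=25 ...
UFW_RE = re.compile(r"\[UFW BLOCK\].*\bSRC=(?P<src>[\d.]+)\b.*\bPROTO=(?P<proto>\w+)\b.*\bDPT=(?P<dpt>\d+)\b")
# sshd[pid]: Failed password for [invalid user] NAME from a.b.c.d port N ssh2
SSH_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

# Sample lines: UFW lines quoted from the thread; sshd lines from the thread plus one constructed line.
UFW_SAMPLE = """\
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=71.34.61.229 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=46032 DF PROTO=TCP SPT=2915 DPT=2222 WINDOW=16384 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=63687 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=64210 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
""".splitlines()

AUTH_SAMPLE = """\
Apr 17 20:36:27 electricjet sshd[7816]: Failed password for root from 82.147.114.22 port 60619 ssh2
Apr 17 20:36:29 electricjet sshd[7818]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 20:36:31 electricjet sshd[7818]: Failed password for root from 82.147.114.22 port 60774 ssh2
Apr 17 20:36:35 electricjet sshd[7820]: Failed password for root from 82.147.114.22 port 60931 ssh2
Apr 17 20:36:40 electricjet sshd[7824]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
""".splitlines()  # last line constructed


def ufw_blocks(lines):
    """Count blocked packets per (source, protocol, destination port); non-UFW lines are ignored."""
    hits = Counter()
    for line in lines:
        m = UFW_RE.search(line)
        if m:
            hits[(m["src"], m["proto"], int(m["dpt"]))] += 1
    return hits


def failed_ssh_logins(lines):
    """Count failed password attempts per (source, username); 'reverse mapping' noise is skipped."""
    hits = Counter()
    for line in lines:
        m = SSH_RE.search(line)
        if m:
            hits[(m["src"], m["user"])] += 1
    return hits


def ban_candidates(failures, threshold=3):
    """Sources whose failed logins across all usernames reach the threshold; sorted for stable output."""
    per_src = Counter()
    for (src, _user), n in failures.items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)
```

Dropping the result of ban_candidates into a deny list, as DenyHosts does for SSH, is what replaces the one-at-a-time iptables blocking described above.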


Posted: Wed Apr 18, 2012 6:39 pm
Junior Member (Joined: Mon Oct 29, 2007 10:12 am, Posts: 33)
Can't help you stop the attack, but just wondered if you knew of denyhosts (http://denyhosts.sourceforge.net/) - it will "ban" the offending IP addresses for you, not just for this attack, but all future ones.

I also do something similar for Apache to block http requests from offending sites (a script which looks for phrases like phpmyadmin, proxyheader.php, etc in /var/log/apache2/error.log and adds a new DenyFrom entry to /var/www/.htaccess). Takes care of assaults on ssh and http(s) ports.


Posted: Wed Apr 18, 2012 10:26 pm
Senior Newbie (Joined: Thu Jul 28, 2011 2:39 am, Posts: 8, Location: United States)
Yes, thank you, I discovered DenyHosts during my searching on how to stop and/or prevent this in the future. I'm used to seeing random and one-off brute force attacks, but this is the first time I've had to fend off a sustained attack big enough to actually flood my server... nothing like learning under fire.

