[ale] Known vulnerabilities in whois? (called by fail2ban)

wolf at wolfhalton.info wolf at wolfhalton.info
Thu Mar 25 23:17:50 EDT 2010


Take one CentOS and call me in the morning.
Fedora is __Supposed_to_be__ a bleeding-edge experimental distro.  
I gave it up for CentOS, even though CentOS has upgrades farther apart \
\ I mean _Because_ CentOS has upgrades farther apart.
I know people running OpenSolaris because it has historically had long
end-of-life, like 10 years.  

On the other hand, I generally test alpha flights of Ubuntu (in VMs,
these days) for entertainment.

Dr Wolf



-----Original Message-----
From: Jim Kinney <jim.kinney at gmail.com>
Reply-to: Atlanta Linux Enthusiasts - Yes! We run Linux! <ale at ale.org>
To: Atlanta Linux Enthusiasts - Yes! We run Linux! <ale at ale.org>
Subject: Re: [ale] Known vulnerabilities in whois? (called by fail2ban)
Date: Thu, 25 Mar 2010 16:19:50 -0400



On Thu, Mar 25, 2010 at 3:43 PM, Neal Rhodes <neal at mnopltd.com> wrote:
        Something odd today. 
        
        Fedora Core 10 system dog slow.    Yes, I should upgrade.   Is
        there a drug you can legally take to help you forget the prior
        pain of Fedora upgrades? 
        

Alcohol (to steel the nerves) followed by system reinstall followed by
lots more alcohol (to fight back the tears) and a few Xanax (um, why not
at this point?) for good measure. 

        
        Top shows that whois is taking 80% of cpu.   
        
        whois being called by fail2ban, which is about to cut off access
        to some wanker trying random passwords.   It does a whois first
        to get some descriptive detail for the logs.  
        
        It was trying to do: 
        
                17753 ?        R    508:58      |
                \_ /usr/bin/whois 203.171.30.41
        
        
        You can see it ate a pile of cpu.   I killed it off and all
        seems to be ok.     Inquiring minds are curious if those doing
        external ssh attempts are getting wise to the notion that
        fail2ban will spot them and then close them down, and are now
        attempting to either:
        
                A. find/use a vulnerability in whois, or 
                B. just make the whole fail2ban process hang for a while
                longer so they get more chances to guess. 
        
        
        
Set up a cron that looks for long-running whois and kill it until you
can cycle through the above process :-)
 
        
        
        
        
        _______________________________________________
        Ale mailing list
        Ale at ale.org
        http://mail.ale.org/mailman/listinfo/ale
        See JOBS, ANNOUNCE and SCHOOLS lists at
        http://mail.ale.org/mailman/listinfo
        



-- 
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness         
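Added example, not code from anyone in this thread: a POSIX sh watchdog that does what Jim suggests (find long-running whois processes from cron and kill them). It keys on ps's elapsed-time column, not the cumulative CPU TIME column shown in Neal's ps listing, because a whois stuck waiting on a slow or unresponsive WHOIS server normally burns wall-clock time rather than CPU. The 120-second threshold, the `--run` flag, the function names and the sample ps lines at the bottom are all assumptions constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): cron-friendly watchdog that kills
# whois processes that have been running longer than MAX_SECONDS.
# Uses the portable "etime" column of ps ([[dd-]hh:]mm:ss), so it works on
# older procps builds such as the Fedora 10 box discussed above.

MAX_SECONDS=${MAX_SECONDS:-120}   # assumed threshold; tune to your WHOIS servers

# Strip a leading zero so "08" is not read as octal by shell arithmetic.
dec() { v=${1#0}; echo "${v:-0}"; }

# Convert a ps etime value to whole seconds. Runs in a subshell so the IFS
# and positional-parameter changes do not leak out. Prints nothing and
# fails on input that is not [[dd-]hh:]mm:ss.
etime_to_seconds() (
    e=$1 days=0
    case $e in *-*) days=${e%%-*}; e=${e#*-} ;; esac
    IFS=:
    set -- $e
    case $# in
        3) h=$1 m=$2 s=$3 ;;
        2) h=0  m=$1 s=$2 ;;
        *) exit 1 ;;
    esac
    echo $(( days * 86400 + $(dec "$h") * 3600 + $(dec "$m") * 60 + $(dec "$s") ))
)

# Read "pid etime comm" lines on stdin (the shape of `ps -eo pid=,etime=,comm=`)
# and print the pid of every whois older than $1 seconds, one per line.
find_stale_whois() {
    max=$1
    while read -r pid etime comm; do
        [ "$comm" = "whois" ] || continue
        secs=$(etime_to_seconds "$etime") || continue
        if [ "$secs" -gt "$max" ]; then
            echo "$pid"
        fi
    done
}

# Live mode: inspect the real process table, log and terminate stale whois.
watchdog() {
    ps -eo pid=,etime=,comm= | find_stale_whois "$MAX_SECONDS" | while read -r pid; do
        logger -t whois-watchdog "killing whois pid $pid (ran > ${MAX_SECONDS}s)"
        kill "$pid" 2>/dev/null
    done
}

# Constructed sample ps output for the stand-alone demo (pid, etime, comm);
# the values are made up and do not come from the thread.
SAMPLE='17753 02:13:44 whois
17801 00:00:03 whois
 1234 5-10:00:00 sshd'

case ${1:-} in
    --run) watchdog ;;
    *)     printf '%s\n' "$SAMPLE" | find_stale_whois "$MAX_SECONDS" | while read -r pid; do
               echo "demo: would kill whois pid $pid"
           done ;;
esac
```

Run it from cron every minute with `--run`, and give it a threshold a bit longer than the slowest WHOIS server you expect. A less blunt fix is to put a deadline on the whois invocation itself (coreutils timeout(1)) in the fail2ban action that calls it, so the ban no longer waits on an unresponsive WHOIS server at all.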





