1 |
Regarding the panic also see: |
2 |
CONFIG_GRKERNSEC_BRUTE kernel config option. |
3 |
It tries to counteract brute-forcing probes. |
4 |
In case of process running as a user it kills, if it's running as root it |
5 |
makes the system panic. |
6 |
-- |
7 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
8 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
9 |
|
10 |
2013.Január 12.(Szo) 23:22 időpontban Michael Orlitzky ezt írta: |
11 |
> I recently updated all of our servers to 3.7.0-hardened (from |
12 |
> 3.4.2-hardened-r1) and re-did our iptables rules to avoid future pain[1] |
13 |
> from the state -> conntrack switch. |
14 |
> |
15 |
> The first thing I noticed was that vsftpd apparently crashed on my own |
16 |
> box, michael.orlitzky.com. The server stayed up, though, until I did |
17 |
> something stupid and tried to kill the crashed process. Then it |
18 |
> panicked. I drove to work, rebooted, and disabled vsftpd. Naturally that |
19 |
> hasn't happened again. |
20 |
> |
21 |
> Last night, our VPN firewall went down; panicked, around 11:30pm. Drove |
22 |
> to work today and rebooted it, but I'm not sure what the underlying |
23 |
> cause was -- I didn't get a shot of the panic message. The only thing it |
24 |
> does is OpenVPN on two e1000s. |
25 |
> |
26 |
> I've been looking through the dmesg of our other servers, just to see if |
27 |
> anything looks out of the ordinary. There's one other machine still |
28 |
> running vsftpd that has a non-fatal (i.e. stuff is still running) crash. |
29 |
> There are more errors above this if needed, although I'm going to have |
30 |
> to reboot it now. |
31 |
> |
32 |
> On the VPN box, I'll probably bump to 3.7.1-r2 and just pray unless |
33 |
> someone has a better suggestion. |
34 |
> |
35 |
> |
36 |
> grsec: From 61.160.222.83: Invalid alignment/Bus error occurred at |
37 |
> 000000608f728691 in |
38 |
> /var/log/apache2/abogadosdeaccidentedeautoenmarylandblog.com/www/error/error-2013-01-06.log[vsftpd:7764] |
39 |
> uid/euid:0/0 gid/egid:0/0, parent |
40 |
> /var/log/apache2/abogadosdeaccidentedeautoenmarylandblog.com/www/error/error-2013-01-06.log[vsftpd:2583] |
41 |
> uid/euid:0/0 gid/egid:0/0 |
42 |
> grsec: From 61.160.222.83: bruteforce prevention initiated for the next |
43 |
> 30 minutes or until service restarted, stalling each fork 30 seconds. |
44 |
> Please investigate the crash report for |
45 |
> /var/log/apache2/abogadosdeaccidentedeautoenmarylandblog.com/www/error/error-2013-01-06.log[vsftpd:7764] |
46 |
> uid/euid:0/0 gid/egid:0/0, parent |
47 |
> /var/log/apache2/abogadosdeaccidentedeautoenmarylandblog.com/www/error/error-2013-01-06.log[vsftpd:2583] |
48 |
> uid/euid:0/0 gid/egid:0/0 |
49 |
> grsec: From 61.160.222.83: denied resource overstep by requesting 4096 |
50 |
> for RLIMIT_CORE against limit 0 for |
51 |
> /var/log/apache2/abogadosdeaccidentedeautoenmarylandblog.com/www/error/error-2013-01-06.log[vsftpd:7764] |
52 |
> uid/euid:0/0 gid/egid:0/0, parent |
53 |
> /var/log/apache2/abogadosdeaccidentedeautoenmarylandblog.com/www/error/error-2013-01-06.log[vsftpd:2583] |
54 |
> uid/euid:0/0 gid/egid:0/0 |
55 |
> PAX: please report this to pageexec@××××××××.hu |
56 |
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 |
57 |
> IP: [<ffffffff81029972>] dup_mm+0x261/0x4c0 |
58 |
> PGD 18c661000 |
59 |
> Thread overran stack, or stack corrupted |
60 |
> Oops: 0000 [#1] SMP |
61 |
> Modules linked in: xt_tcpudp xt_multiport nf_conntrack_ipv4 |
62 |
> nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables |
63 |
> x_tables cpufreq_ondemand uhci_hcd ehci_hcd thermal usbcore acpi_cpufreq |
64 |
> tg3 microcode freq_table mperf usb_common processor libphy thermal_sys |
65 |
> hwmon unix |
66 |
> CPU 0 |
67 |
> Pid: 2583, comm: vsftpd Not tainted 3.7.0-hardened #1 HP ProLiant DL380 G4 |
68 |
> RIP: 0010:[<ffffffff81029972>] [<ffffffff81029972>] dup_mm+0x261/0x4c0 |
69 |
> RSP: 0018:ffff880187a4ddc0 EFLAGS: 00010286 |
70 |
> RAX: 0000000000000000 RBX: ffff880193c4c508 RCX: 0000000000000000 |
71 |
> RDX: ffff88018c4df500 RSI: ffff880193c4c508 RDI: ffff880154c32cf0 |
72 |
> RBP: ffff8801748fa3c0 R08: ffff88019bc112b0 R09: ffffffff810298cd |
73 |
> R10: 8000000000000000 R11: ffff88018c4c9e00 R12: ffff88018bfc30c0 |
74 |
> R13: ffff880154c32cf0 R14: ffff8801748fa420 R15: ffff88018bfc3120 |
75 |
> FS: 000002ef1e350700(0000) GS:ffff88019bc00000(0000) |
76 |
> knlGS:0000000000000000 |
77 |
> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b |
78 |
> CR2: 0000000000000030 CR3: 0000000001329000 CR4: 00000000000007b0 |
79 |
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 |
80 |
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 |
81 |
> Process vsftpd (pid: 2583, threadinfo ffff8801907e3ca8, task |
82 |
> ffff8801907e38d0) |
83 |
> Stack: |
84 |
> 0000000000000000 0000000000000000 0000000000000000 ffff8801748fa3c0 |
85 |
> 0000000000000000 ffff8801748fa3c8 ffff880194c52540 0000000001200011 |
86 |
> ffff880174920000 0000000000000000 000002ef1e3509d0 0000000000000000 |
87 |
> Call Trace: |
88 |
> [<ffffffff8102a42e>] ? copy_process+0x829/0x119e |
89 |
> [<ffffffff8102ae24>] ? do_fork+0x5c/0x2c2 |
90 |
> [<ffffffff8131f873>] ? stub_clone+0x13/0x20 |
91 |
> [<ffffffff8131f608>] ? system_call_fastpath+0x18/0x1d |
92 |
> Code: 00 00 00 00 49 c7 45 18 00 00 00 00 49 c7 85 b0 00 00 00 00 00 00 |
93 |
> 00 49 8b 95 98 00 00 00 48 85 d2 0f 84 85 00 00 00 48 8b 42 18 <48> 8b |
94 |
> 48 30 48 8b 82 c8 00 00 00 f0 48 ff 42 30 71 07 f0 48 ff |
95 |
> RIP [<ffffffff81029972>] dup_mm+0x261/0x4c0 |
96 |
> RSP <ffff880187a4ddc0> |
97 |
> CR2: 0000000000000030 |
98 |
> ---[ end trace 969655b532a2156e ]--- |
99 |
> |
100 |
> |
101 |
> |
102 |
> |
103 |
> [1] https://bugs.gentoo.org/show_bug.cgi?id=448906 |
104 |
> |