HIDS 60334
| Rule 60334 | |
|---|---|
| Status | Active |
| Alert Message | grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report |
Description
This event means an application may be trying to do something dangerous on your system and ASL is protecting you from that action. Please read this article for additional important information about this event.
Specifically, the ASL kernel protects your system by deterring attempts to bruteforce exploits against forking daemons such as apache or sshd, and against suid/sgid binaries. When a child of a forking daemon is stopped by the ASL kernel because it has violated the kernel protection model or crashed due to an illegal instruction or other suspicious signal, the parent process is delayed 30 seconds on every subsequent fork until the administrator is able to assess the situation and restart the daemon. In the suid/sgid case, the attempt is logged, all of the user's processes are terminated, and the user is prevented from executing any further processes for 15 minutes. It is recommended that you also enable signal logging in the auditing section so that logs are generated when a process triggers a suspicious signal.
You should always investigate this event as it may be part of an actual attack on your system.
Note: Disabling this rule will not disable this protection; it will, however, tell ASL not to inform you of these events.
Log examples
Jan 1 12:00:00 linux kernel: grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/local/apache/bin/httpd[httpd:30769] uid/euid:99/99 gid/egid:99/99, parent /usr/local/apache/bin/httpd[httpd:30419] uid/euid:0/0 gid/egid:0/0
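As an added example (not part of this article or of ASL itself), the following Python parses a rule 60334 kernel line like the one above into its fields and lists the points the Description section says to assess before the daemon is restarted. The sample line is constructed from the page's log example; the field names are assumptions of this example.

```python
import re

# Constructed sample in the format of the page's log example (not captured from a real host).
SAMPLE_LOG = (
    "Jan 1 12:00:00 linux kernel: grsec: bruteforce prevention initiated for the next "
    "30 minutes or until service restarted, stalling each fork 30 seconds. Please "
    "investigate the crash report for /usr/local/apache/bin/httpd[httpd:30769] "
    "uid/euid:99/99 gid/egid:99/99, parent /usr/local/apache/bin/httpd[httpd:30419] "
    "uid/euid:0/0 gid/egid:0/0"
)

# One "path[comm:pid] uid/euid:a/b gid/egid:c/d" fragment; the prefix separates the
# crashed child's groups from the parent's groups in the match.
def _proc(prefix):
    return (r"(?P<{p}path>\S+)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
            r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
            r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)").format(p=prefix)

GRSEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: grsec: bruteforce "
    r"prevention initiated for the next (?P<minutes>\d+) minutes or until service "
    r"restarted, stalling each fork (?P<stall>\d+) seconds\. Please investigate the "
    r"crash report for " + _proc("") + r", parent " + _proc("parent_") + r"$"
)

INT_FIELDS = {"minutes", "stall", "pid", "uid", "euid", "gid", "egid",
              "parent_pid", "parent_uid", "parent_euid", "parent_gid", "parent_egid"}

def parse_grsec_bruteforce(line):
    """Parse one rule 60334 kernel line into a dict, or return None if it does not match."""
    m = GRSEC_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for k in INT_FIELDS:
        ev[k] = int(ev[k])
    return ev

def triage(ev):
    """Findings a responder should confirm before restarting the stalled daemon."""
    findings = []
    if ev["path"] == ev["parent_path"]:  # forking-daemon case: a worker of the same binary crashed
        findings.append("worker %d of %s crashed; parent %d now stalls every fork %ds"
                        % (ev["pid"], ev["path"], ev["parent_pid"], ev["stall"]))
    if ev["parent_euid"] == 0:  # root parent: the whole service is degraded until restarted
        findings.append("parent runs as root: service stays stalled until it is restarted")
    if ev["euid"] != ev["parent_euid"]:  # child had dropped privileges; crash report is for that uid
        findings.append("crashed child ran as euid %d; review its crash report" % ev["euid"])
    return findings

if __name__ == "__main__":
    event = parse_grsec_bruteforce(SAMPLE_LOG)
    for finding in triage(event):
        print("-", finding)
```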
Troubleshooting
Solutions
Investigate the cause of the application crash, and if the crash was benign, restart the application.
False Positives
False positives are not possible with this event. If you do not want to enable this optional protection, simply disable this setting:
https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#GRKERNSEC_DETER_BRUTEFORCE
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.