Difference between revisions of "HIDS 60334"


Latest revision as of 18:00, 24 August 2015

Rule: 60334
Status: Active
Alert Message: grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report

Description

This means an application may be trying to do something dangerous on your system and ASL is protecting you from this action. Please read this article for additional important information about this event.

Specifically, the ASL kernel protects your system by deterring attempts to bruteforce exploits against forking daemons such as apache or sshd, as well as against suid/sgid binaries. When a child of a forking daemon is stopped by the ASL kernel because it has violated the kernel protection model, or has crashed due to an illegal instruction or another suspicious signal, the parent process is delayed 30 seconds on every subsequent fork for the next 30 minutes, or until the administrator has assessed the situation and restarted the daemon. This turns an exploit that needs many attempts (for example, guessing a stack canary or an ASLR base one crashed worker at a time) into one that takes hours instead of seconds. In the suid/sgid case, the attempt is logged, the user has all their processes terminated, and they are prevented from executing any further processes for 15 minutes. It is recommended that you also enable signal logging in the auditing section, so that a log entry is generated whenever a process triggers a suspicious signal and you can see which signal caused the crash report.

You should always investigate this event as it may be part of an actual attack on your system.

Note: Disabling this rule will not disable this protection, it will however tell ASL to not inform you of these events.

Log examples

Jan 1 12:00:00 linux kernel: grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/local/apache/bin/httpd[httpd:30769] uid/euid:99/99 gid/egid:99/99, parent /usr/local/apache/bin/httpd[httpd:30419] uid/euid:0/0 gid/egid:0/0
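The kernel line above carries everything needed for the first triage step: which binary crashed, under which uid/euid and gid/egid, and which parent daemon is now being stalled. The following Python script is an added example, not part of the Atomicorp page or of ASL itself: it parses lines in exactly that format, computes when the 30-minute stall window ends, and groups events by parent daemon. The sample log is constructed for the example (the first line is the one from this page, the sshd line and the unrelated link-up line are made up), and the year 2015 is assumed because syslog timestamps carry none. The triage notes are heuristics chosen here, not ASL logic.

```python
"""Parse and triage grsec bruteforce-prevention kernel lines (HIDS rule 60334).

Added example; not code from the Atomicorp wiki or the ASL product.
"""
import re
from datetime import datetime, timedelta

# Message layout follows the log example on this page. Field names reflect the
# order in the line: the crashed child first, then its parent.
_PATTERN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"grsec: bruteforce prevention initiated for the next (?P<minutes>\d+) minutes "
    r"or until service restarted, stalling each fork (?P<stall>\d+) seconds\. "
    r"Please investigate the crash report for "
    r"(?P<path>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>[^\s\[]+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)$"
)

_INT_FIELDS = ("minutes", "stall", "pid", "uid", "euid", "gid", "egid",
               "ppid", "puid", "peuid", "pgid", "pegid")

# Constructed sample: line 1 is the page's own example, the rest are made up.
SAMPLE_LOG = [
    "Jan 1 12:00:00 linux kernel: grsec: bruteforce prevention initiated for the next 30 minutes "
    "or until service restarted, stalling each fork 30 seconds. Please investigate the crash report "
    "for /usr/local/apache/bin/httpd[httpd:30769] uid/euid:99/99 gid/egid:99/99, "
    "parent /usr/local/apache/bin/httpd[httpd:30419] uid/euid:0/0 gid/egid:0/0",
    "Jan 1 12:00:01 linux kernel: eth0: link up",  # unrelated, must be ignored
    "Jan 1 12:05:30 linux kernel: grsec: bruteforce prevention initiated for the next 30 minutes "
    "or until service restarted, stalling each fork 30 seconds. Please investigate the crash report "
    "for /usr/sbin/sshd[sshd:4102] uid/euid:74/74 gid/egid:74/74, "
    "parent /usr/sbin/sshd[sshd:1203] uid/euid:0/0 gid/egid:0/0",
]


def parse_bruteforce_alert(line, year=2015):
    """Return a dict of fields for a rule-60334 line, or None for any other line.

    The year is an assumption supplied by the caller (syslog omits it); it is
    only used to compute the end of the stall window.
    """
    m = _PATTERN.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for f in _INT_FIELDS:
        ev[f] = int(ev[f])
    started = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["started"] = started
    # The stall lasts for the stated window unless the daemon is restarted first.
    ev["stall_until"] = started + timedelta(minutes=ev["minutes"])
    return ev


def triage(ev):
    """Heuristic notes an operator would want next to the raw event."""
    notes = []
    if ev["puid"] == 0 and ev["uid"] != 0:
        notes.append("parent runs as root, child had dropped privileges "
                     "(normal worker model for apache/sshd)")
    if ev["euid"] != ev["uid"] or ev["egid"] != ev["gid"]:
        notes.append("child euid/egid differ from uid/gid: setuid/setgid context")
    if ev["path"] != ev["ppath"]:
        notes.append("crashed child is a different binary than its parent: "
                     "check what the daemon exec'd")
    return {
        "daemon": ev["ppath"],
        "crashed": f"{ev['path']}[{ev['comm']}:{ev['pid']}]",
        "stall_seconds_per_fork": ev["stall"],
        "stall_until": ev["stall_until"],
        "notes": notes,
    }


def summarize(lines, year=2015):
    """Group triaged rule-60334 events by the parent daemon being stalled."""
    by_daemon = {}
    for line in lines:
        ev = parse_bruteforce_alert(line, year)
        if ev is None:
            continue
        by_daemon.setdefault(ev["ppath"], []).append(triage(ev))
    return by_daemon


if __name__ == "__main__":
    for daemon, events in summarize(SAMPLE_LOG).items():
        print(daemon)
        for e in events:
            print(f"  {e['crashed']} stalled {e['stall_seconds_per_fork']}s per fork "
                  f"until {e['stall_until']:%H:%M:%S} or restart")
            for n in e["notes"]:
                print(f"    - {n}")
```

Feed it `/var/log/messages` (or wherever the kernel ring buffer is logged on your ASL host) one line at a time; a daemon that shows up repeatedly within one stall window is the one whose crash report to read first.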

Troubleshooting

Solutions

Investigate the cause of the crash: start from the crash report named in the alert and, if you enabled signal logging in the auditing section, the matching signal entry that shows which signal killed the child. If the crash was benign, restart the daemon; the restart ends the fork stall before the 30-minute window expires.

False Positives

False positives are not possible with this event: the kernel only raises it after it has actually observed a child of the daemon crash or violate the protection model. A benign crash caused by an application bug still triggers it, which is why the Solutions section asks you to investigate before restarting. If you do not want to enable this optional protection, simply disable this setting:

https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#GRKERNSEC_DETER_BRUTEFORCE

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.
