LinuxQuestions.org
Old 09-13-2018, 12:41 AM   #1
imtiazb
LQ Newbie
 
Registered: Sep 2018
Posts: 6

Rep: Reputation: Disabled
(URGENT) Broadcast Issue with Server CentOS6.9


Hi, All

Here is a very painful query: we installed CentOS6.9 from scratch at the customer's end for a VoIP gateway application provided by Sangoma, with a LAN IP from the private pool, 192.168.1.151/24. But after installation, it was discovered that the whole LAN, which has the application server and other PCs, becomes choked. When we isolated the CentOS machine, the network is just fine, so we found a culprit but don't know how to fix it. Trying all basic diagnostics, but failed to resolve the issue. Please help out.
 
Old 09-13-2018, 03:06 AM   #2
Keruskerfuerst
Senior Member
 
Registered: Oct 2005
Location: Horgau, Germany
Distribution: Manjaro KDE, Win 10
Posts: 2,199

Rep: Reputation: 164
Can you try the more recent version of Centos (version 7.5.1804) ?
Or another distro, that is suited for server purposes ?
 
Old 09-13-2018, 03:34 AM   #3
imtiazb
LQ Newbie
 
Registered: Sep 2018
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Keruskerfuerst
Can you try the more recent version of Centos (version 7.5.1804) ?
Or another distro, that is suited for server purposes ?
This is a requirement by our Sangoma VoIP gateway to have CentOS distro 6.9.
 
Old 09-13-2018, 05:42 AM   #4
Keruskerfuerst
Senior Member
 
Registered: Oct 2005
Location: Horgau, Germany
Distribution: Manjaro KDE, Win 10
Posts: 2,199

Rep: Reputation: 164
Can you check the log files (/var/log/... and dmesg) ?
 
Old 09-13-2018, 05:47 AM   #5
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,714

Rep: Reputation: 2734
When I have seen this issue in the past (LONG past, it was in the 1990s) it was a hardware failure in a NIC that broadcast noise on the wire overloading the network at the lowest level. Try a different NIC, just as a test.
 
Old 09-13-2018, 11:55 PM   #6
imtiazb
LQ Newbie
 
Registered: Sep 2018
Posts: 6

Original Poster
Rep: Reputation: Disabled
Try /var/log, dmesg and change NIC. It will take time as the machine is at the remote site and access is only intermittent.
 
Old 09-14-2018, 01:35 AM   #7
imtiazb
LQ Newbie
 
Registered: Sep 2018
Posts: 6

Original Poster
Rep: Reputation: Disabled
Here is output of /var/log/secure

It shows some foreign IP trying to attempt the machine and it seems some ports are opened for easy access? [Please suggest how to secure it]

2]: Invalid user admin from 77.72.82.39
Sep 11 08:37:02 cmsivr sshd[17553]: input_userauth_request: invalid user admin
Sep 11 08:37:02 cmsivr sshd[17552]: pam_unix(sshd:auth): check pass; user unknown
Sep 11 08:37:02 cmsivr sshd[17552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=77.72.82.39
Sep 11 08:37:02 cmsivr sshd[17552]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Sep 11 08:37:04 cmsivr sshd[17552]: Failed password for invalid user admin from 77.72.82.39 port 44776 ssh2
Sep 11 08:37:07 cmsivr sshd[17553]: Connection closed by 77.72.82.39
Sep 11 12:19:11 cmsivr sshd[19456]: Did not receive identification string from 83.209.188.154
Sep 11 12:21:14 cmsivr sshd[20433]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.219.179.5 user=root
Sep 11 12:21:16 cmsivr sshd[20433]: Failed password for root from 61.219.179.5 port 48002 ssh2
Sep 11 12:21:19 cmsivr sshd[20483]: Received disconnect from 61.219.179.5: 11:
Sep 11 12:23:06 cmsivr sshd[21634]: Invalid user ubnt from 61.219.179.5
Sep 11 12:23:06 cmsivr sshd[21635]: input_userauth_request: invalid user ubnt
Sep 11 12:23:06 cmsivr sshd[21634]: pam_unix(sshd:auth): check pass; user unknown
Sep 11 12:23:06 cmsivr sshd[21634]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.219.179.5
Sep 11 12:23:06 cmsivr sshd[21634]: pam_succeed_if(sshd:auth): error retrieving information about user ubnt
Sep 11 12:23:09 cmsivr sshd[21634]: Failed password for invalid user ubnt from 61.219.179.5 port 48053 ssh2
Sep 11 12:23:09 cmsivr sshd[21635]: Received disconnect from 61.219.179.5: 11:
Sep 11 13:02:07 cmsivr sshd[12294]: Invalid user admin from 77.72.82.39
Sep 11 13:02:07 cmsivr sshd[12295]: input_userauth_request: invalid user admin
Sep 11 13:02:07 cmsivr sshd[12294]: pam_unix(sshd:auth): check pass; user unknown
Sep 11 13:02:07 cmsivr sshd[12294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=77.72.82.39
Sep 11 13:02:07 cmsivr sshd[12294]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Sep 11 13:02:09 cmsivr sshd[12294]: Failed password for invalid user admin from 77.72.82.39 port 53684 ssh2
Sep 11 13:02:14 cmsivr sshd[12294]: pam_unix(sshd:auth): check pass; user unknown
Sep 11 13:02:14 cmsivr sshd[12294]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Sep 11 13:02:16 cmsivr sshd[12294]: Failed password for invalid user admin from 77.72.82.39 port 53684 ssh2
Sep 11 13:02:18 cmsivr sshd[12294]: pam_unix(sshd:auth): check pass; user unknown
Sep 11 13:02:18 cmsivr sshd[12294]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Sep 11 13:02:20 cmsivr sshd[12294]: Failed password for invalid user admin from 77.72.82.39 port 53684 ssh2
Sep 11 13:02:20 cmsivr sshd[12295]: Connection closed by 77.72.82.39
Sep 11 13:02:20 cmsivr sshd[12294]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=77.72.82.39
Sep 12 16:28:42 cmsivr sshd[2798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=root
Sep 12 16:28:44 cmsivr sshd[2798]: Failed password for root from 192.168.1.1 port 58737 ssh2
Sep 12 16:28:50 cmsivr sshd[2798]: Failed password for root from 192.168.1.1 port 58737 ssh2
Sep 12 16:29:00 cmsivr sshd[2798]: Accepted password for root from 192.168.1.1 port 58737 ssh2
Sep 12 16:29:00 cmsivr sshd[2798]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 12 17:19:23 cmsivr login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Sep 12 17:19:23 cmsivr login: ROOT LOGIN ON tty1
Sep 12 17:22:03 cmsivr sshd[2316]: Invalid user 0 from 5.188.10.182
Sep 12 17:22:03 cmsivr sshd[2317]: input_userauth_request: invalid user 0
Sep 12 17:22:03 cmsivr sshd[2316]: Failed none for invalid user 0 from 5.188.10.182
 
Old 09-14-2018, 02:05 AM   #8
kaushalpatel1982
Member
 
Registered: Aug 2007
Location: INDIA
Distribution: CentOS, RHEL, Fedora, Debian, Ubuntu, LinuxMint, Kali Linux, Raspbian
Posts: 166

Rep: Reputation: 10
1. This machine might expose SSH port to the internet. You should stop ssh access on internet right away.

2. If Server is flooding network then try tcpdump or wireshark to find what kind of traffic it is. Check which service is causing this traffic. You can do this troubleshooting by isolating server. Connect laptop on the port and check what is happening in the network.
 
Old 09-14-2018, 04:12 AM   #9
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,714

Rep: Reputation: 2734
Quote:
Originally Posted by kaushalpatel1982
1. This machine might expose SSH port to the internet. You should stop ssh access on internet right away.
Unless your access is ssh from the internet. Then install and configure fail2ban to quickly block dictionary attacks.

Quote:
2. If Server is flooding network then try tcpdump or wireshark to find what kind of traffic it is. Check which service is causing this traffic. You can do this troubleshooting by isolating server. Connect laptop on the port and check what is happening in the network.
Always good advice to detect and decode packet traffic. It ONLY helps if there is real packet traffic and not "noise" flooding the link, AND if you understand or have documentation on packet structures.
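
Added example, not part of any post in this thread: one way to turn a /var/log/secure dump like the one in post #7 into per-source failure counts and a list of accepted password logins, before deciding what to block. The function names are hypothetical and the sample lines are copied from that post.

```sh
#!/bin/sh
# Added example: summarise sshd password events in a syslog-format auth log
# (on CentOS 6: /var/log/secure). Function names are hypothetical.

# Sample input: lines copied from the log posted earlier in this thread.
sample_log() {
cat <<'EOF'
Sep 11 08:37:04 cmsivr sshd[17552]: Failed password for invalid user admin from 77.72.82.39 port 44776 ssh2
Sep 11 12:21:16 cmsivr sshd[20433]: Failed password for root from 61.219.179.5 port 48002 ssh2
Sep 11 12:23:09 cmsivr sshd[21634]: Failed password for invalid user ubnt from 61.219.179.5 port 48053 ssh2
Sep 11 13:02:09 cmsivr sshd[12294]: Failed password for invalid user admin from 77.72.82.39 port 53684 ssh2
Sep 11 13:02:16 cmsivr sshd[12294]: Failed password for invalid user admin from 77.72.82.39 port 53684 ssh2
Sep 11 13:02:20 cmsivr sshd[12294]: Failed password for invalid user admin from 77.72.82.39 port 53684 ssh2
Sep 12 16:28:44 cmsivr sshd[2798]: Failed password for root from 192.168.1.1 port 58737 ssh2
Sep 12 16:28:50 cmsivr sshd[2798]: Failed password for root from 192.168.1.1 port 58737 ssh2
Sep 12 16:29:00 cmsivr sshd[2798]: Accepted password for root from 192.168.1.1 port 58737 ssh2
EOF
}

# The user name in these lines is chosen by the remote client, so fields are
# counted from the END of the line: "... from <ip> port <n> ssh2".

# Print "<count> <ip>" per source of failed passwords, busiest first.
failed_by_source() {
    awk 'NF < 6 || $(NF-2) != "port" { next }
         / sshd\[[0-9]+\]: Failed password for / { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print sources with at least $1 failures. Unlike fail2ban, this ignores the
# time window and counts over the whole file.
sources_over() {
    failed_by_source | awk -v max="$1" '$1 >= max { print $2 }'
}

# Print "<ip> <user> <failures seen from that ip before the login>" for every
# accepted PASSWORD login; a root entry means sshd currently permits root
# login by password.
accepted_password_logins() {
    awk 'NF < 6 || $(NF-2) != "port" { next }
         / sshd\[[0-9]+\]: Failed password for /   { f[$(NF-3)]++ }
         / sshd\[[0-9]+\]: Accepted password for / { print $(NF-3), $(NF-5), f[$(NF-3)] + 0 }'
}

# On the server: failed_by_source < /var/log/secure
sample_log | failed_by_source
```
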
 
Old 09-14-2018, 05:29 AM   #10
imtiazb
LQ Newbie
 
Registered: Sep 2018
Posts: 6

Original Poster
Rep: Reputation: Disabled
Please explain a little more with examples:
 
Old 09-14-2018, 06:44 AM   #11
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,710

Rep: Reputation: 7972
Quote:
Originally Posted by imtiazb
Please explain a little more with examples:
If you're the administrator, and were hired to perform this implementation, it's odd that you don't know how to perform diagnostics. While I realize the machine is in a remote location, if this is 'urgent', you need to ACT like it's urgent. Either GO THERE, and work the problem until it's fixed, or get someone dedicated on site to do things for you.

If you get someone on site, just have them shut off SSH and see what happens. And as you were told, run network diagnostics and FIND OUT what kind of traffic is causing the problem. You were given the names of the utilities, and suggestions...it's now time for you to actually do something with them.
 
Old 09-14-2018, 12:00 PM   #12
imtiazb
LQ Newbie
 
Registered: Sep 2018
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks, will send some network guy to perform online diagnostics as guided.
 
  


All times are GMT -5. The time now is 03:21 AM.
