public inbox for kvm@vger.kernel.org
* Would a DOS on dovecot running under a VM cause host to crash?
@ 2013-06-20 22:27 Hugh Davenport
  2013-06-21  8:21 ` Michael Tokarev
  2013-06-24  9:15 ` Stefan Hajnoczi
  0 siblings, 2 replies; 4+ messages in thread
From: Hugh Davenport @ 2013-06-20 22:27 UTC (permalink / raw)
  To: kvm

Hey All,

I'm just wondering whether this is what caused my server to crash.

Started last night in NZ land.

Jun 20 19:22:11 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=attackerip, lip=10.0.0.3, session=<0C8LzpDfZQDINsQC>

occasionally get

Jun 20 19:22:52 elm dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=attackerip, lip=10.0.0.3, session=<bHdz0JDfpwDINsQC>
or in 0 secs

last at
Jun 20 19:26:24 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=attackerip, lip=10.0.0.3, session=<1MUR3ZDfcwDINsQC>

and a minute later the server lost contact to the world. When I checked 
a bit later,
the underlying host machine (dovecot runs on a VM (KVM)) had been 
powered off.

Now, here in NZ land, there was also a crazy storm last night, and lots
of brownouts.
There could potentially have been a surge that killed it, but the UPS was
still running
fine when I started it again.

The "attack" lasted around 4 minutes, in which there were 1161 lines in
the log for a
single attacker ip, and no other similar logs previously.

Would this be enough to kill not only the VM running dovecot, but the 
underlying host
machine?

All up to date with patches, running debian stable (wheezy).
dovecot-core debian package version 1:2.1.7-7
dovecot version 2.1.7
I notice there is a version 2.2.3 out, but not in debian yet. Could this 
fix this
issue? I don't particularly want to have it happen again :D.

The host is running debian oldstable (squeeze), so could update more.
libvirt0 debian package version 0.8.3-5+squeeze5
libvirt version 0.8.3
I notice there is a version 1.0.6 out (debian stable only has 
0.9.12-11+deb7u1, which
is 0.9.12), would either of these versions fix an issue like this?
qemu-kvm debian package version 0.12.5+dfsg-5+squeeze10
kernel is 2.6.32-5-amd64

Any thoughts?

Cheers,

Hugh
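
An added example, not part of the original message: one way to quantify a burst like the one described above by grouping dovecot imap-login disconnects per remote IP. The sample lines are constructed in the quoted log format, the addresses are documentation ranges, and the names `summarize` and `noisy_sources` are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the format quoted above (documentation IPs).
SAMPLE = """\
Jun 20 19:22:11 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=203.0.113.7, lip=10.0.0.3, session=<aaaa>
Jun 20 19:22:52 elm dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=203.0.113.7, lip=10.0.0.3, session=<bbbb>
Jun 20 19:23:05 elm dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.9, lip=10.0.0.3, session=<cccc>
Jun 20 19:26:24 elm dovecot: imap-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=203.0.113.7, lip=10.0.0.3, session=<dddd>
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \((?P<reason>[^)]*)\): .*?\brip=(?P<rip>[^,\s]+)"
)

def summarize(text, year=2013):
    """Group imap-login disconnects by remote IP: count, time span, reasons."""
    per_ip = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "reasons": Counter()})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # Fold "in 0 secs" / "in 1 secs" variants into one reason.
        reason = re.sub(r"\d+ secs", "N secs", m["reason"])
        e = per_ip[m["rip"]]
        e["count"] += 1
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
        e["reasons"][reason] += 1
    return dict(per_ip)

def noisy_sources(summary, min_events=3):
    """Return (ip, count, span_seconds) for busy sources, busiest first."""
    rows = [(ip, e["count"], int((e["last"] - e["first"]).total_seconds()))
            for ip, e in summary.items() if e["count"] >= min_events]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, count, span in noisy_sources(summarize(SAMPLE)):
        print(f"{ip}: {count} disconnects over {span}s")
```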



* Re: Would a DOS on dovecot running under a VM cause host to crash?
  2013-06-20 22:27 Would a DOS on dovecot running under a VM cause host to crash? Hugh Davenport
@ 2013-06-21  8:21 ` Michael Tokarev
  2013-06-24  9:15 ` Stefan Hajnoczi
  1 sibling, 0 replies; 4+ messages in thread
From: Michael Tokarev @ 2013-06-21  8:21 UTC (permalink / raw)
  To: Hugh Davenport; +Cc: kvm

21.06.2013 02:27, Hugh Davenport wrote:
> Hey All,
> 
> I'm just wondering whether this is what caused my server to crash.

If some activity in a virtual machine causes the host to crash, it is
a serious bug in qemu/kvm which should be identified and fixed.

Thanks,

/mjt


* Re: Would a DOS on dovecot running under a VM cause host to crash?
  2013-06-20 22:27 Would a DOS on dovecot running under a VM cause host to crash? Hugh Davenport
  2013-06-21  8:21 ` Michael Tokarev
@ 2013-06-24  9:15 ` Stefan Hajnoczi
  2013-06-24 10:24   ` Hugh Davenport
  1 sibling, 1 reply; 4+ messages in thread
From: Stefan Hajnoczi @ 2013-06-24  9:15 UTC (permalink / raw)
  To: Hugh Davenport; +Cc: kvm

On Fri, Jun 21, 2013 at 10:27:07AM +1200, Hugh Davenport wrote:
> The "attack" lasted around 4 minutes, in which there were 1161 lines
> in the log for a
> single attacker ip, and no other similar logs previously.
> 
> Would this be enough to kill not only the VM running dovecot, but
> the underlying host
> machine?

Have you checked logs on the host?  Specifically /var/log/messages for
seg fault messages or Out-of-Memory Killer messages.

It's also worth checking /var/log/libvirt/qemu/<domain>.log if you are
using libvirt.  That file contains the QEMU stderr output.

Stefan
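
An added example, not part of the thread: a sketch of the host-side check suggested above, pulling segfault and OOM-killer reports out of a syslog-format file for the window before an outage. The log excerpt is constructed, the process name `kvm` and the function name `triage` are assumptions, and the patterns follow the usual shape of the Linux kernel's segfault and OOM-killer messages.

```python
import re
from datetime import datetime, timedelta

# Constructed host syslog excerpt (not taken from the thread).
SAMPLE = """\
Jun 20 18:02:10 host kernel: [ 8112.101] device vnet0 entered promiscuous mode
Jun 20 19:25:40 host kernel: [13122.450] kvm invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0
Jun 20 19:25:41 host kernel: [13123.002] Out of memory: kill process 2211 (kvm) score 91022 or a child
Jun 20 19:25:41 host kernel: [13123.010] Killed process 2211 (kvm)
Jun 20 19:26:58 host kernel: [13200.733] kvm[2290]: segfault at 0 ip 00007f3c1a2b4c10 sp 00007fff5d0e1a28 error 4 in libc-2.11.3.so[7f3c1a23a000+158000]
"""

# (kind, pattern) pairs; each pattern captures the affected process name.
PATTERNS = [
    ("segfault", re.compile(r"(?P<proc>\S+)\[\d+\]: segfault at ")),
    ("oom-invoked", re.compile(r"(?P<proc>\S+) invoked oom-killer")),
    ("oom-kill", re.compile(
        r"Out of memory: kill process \d+ \((?P<proc>[^)]+)\)", re.I)),
]
STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

def triage(text, outage, window_minutes=30):
    """Return (time, kind, process) for crash indicators logged in the
    window_minutes before outage, given as 'YYYY-MM-DD HH:MM:SS'."""
    end = datetime.strptime(outage, "%Y-%m-%d %H:%M:%S")
    start = end - timedelta(minutes=window_minutes)
    hits = []
    for line in text.splitlines():
        s = STAMP.match(line)
        if not s:
            continue
        # Syslog lines carry no year; borrow it from the outage time.
        ts = datetime.strptime(f"{end.year} {s.group(1)}", "%Y %b %d %H:%M:%S")
        if not (start <= ts <= end):
            continue
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((ts.strftime("%H:%M:%S"), kind, m["proc"]))
                break
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE, "2013-06-20 19:27:00"):
        print(*hit)
```

An empty result for the window before an abrupt power-off is itself informative: the kernel logged no crash indicator, which points away from the guest workload and toward something external such as power.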


* Re: Would a DOS on dovecot running under a VM cause host to crash?
  2013-06-24  9:15 ` Stefan Hajnoczi
@ 2013-06-24 10:24   ` Hugh Davenport
  0 siblings, 0 replies; 4+ messages in thread
From: Hugh Davenport @ 2013-06-24 10:24 UTC (permalink / raw)
  To: Stefan Hajnoczi; +Cc: kvm

Checked the main logs. No go. Didn't check qemu logs. Will do that.

I'm starting to think it was the power, as when I turned off the UPS as a test, the server shut down as well... Will get that fixed.

Cheers,

Hugh

Stefan Hajnoczi <stefanha@gmail.com> wrote:

>On Fri, Jun 21, 2013 at 10:27:07AM +1200, Hugh Davenport wrote:
>> The "attack" lasted around 4 minutes, in which there were 1161 lines
>> in the log for a
>> single attacker ip, and no other similar logs previously.
>> 
>> Would this be enough to kill not only the VM running dovecot, but
>> the underlying host
>> machine?
>
>Have you checked logs on the host?  Specifically /var/log/messages for
>seg fault messages or Out-of-Memory Killer messages.
>
>It's also worth checking /var/log/libvirt/qemu/<domain>.log if you are
>using libvirt.  That file contains the QEMU stderr output.
>
>Stefan

