
2nd January 2012, 22:45
Junior Member
various security problem
Hi,
Happy new year
I’m not a server administrator, but in mid-December I rented a dedicated server in France at OVH with Debian 6 and ISPConfig 3.0.4.1 (EG SSD). Thanks for your work.
First question, I think the distribution I received has some modifications. Please, could you confirm that this message is not important:
Error: (CLI:003) Specified controller does not exist.
PHP Warning: Invalid argument supplied for foreach() in /usr/local/ispconfig/server/lib/classes/monitor_tools.inc.php on line 1072
FATAL: Could not load /lib/modules/2.6.38.2-grsec-xxxx-grs-ipv6-64/modules.dep: No such file or directory
Failed to load mptctl
Second question: last week there were some attacks (especially in the mailing system), but I didn’t pay attention because we don’t use it too much and everything seems to work.
On 22nd December, according to logwatch, everything was OK
Amavisd-new Begin:
13 messages checked and passed.
4 spam messages were found.
1 messages with bad headers were found.
On 23rd December,
Amavisd-new Begin:
20 messages checked and passed.
2 spam messages were found.
**Unmatched Entries**
NOTICE: reconnecting in response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server has gone away at (eval 103) line 166, <GEN147> line 4.: 1 Time(s)
And worse and worse ……
And now in the mail warn log, I have:
Jan 1 06:26:12 nsxxx amavis[2866]: (02866-02) (!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Aucun fichier ou dossier de ce type, retrying (2)
Jan 1 06:26:12 nsxxxx amavis[9430]: (09430-20) (!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Aucun fichier ou dossier de ce type, retrying (2)
Jan 1 06:26:18 nsxxx amavis[2866]: (02866-02) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Aucun fichier ou dossier de ce type) at (eval 105) line 373.\n
Jan 1 06:26:18 nsxxx amavis[2866]: (02866-02) (!!)WARN: all primary virus scanners failed, considering backups
Please, could you confirm that ClamAV doesn’t work any more and tell me how to fix that without disturbing ISPConfig / which package version (server is working full)
Third, I saw there are a firewall and iptables inside ISPConfig, but the manual is not very verbose. Does it work like shorewall? If not, can I install shorewall without disturbing ISPConfig 3? I would like to ban some IPs manually. Is this possible to perform with ISPConfig? Is there a tuto specifically for ISPConfig?
Thanks for your answers.
Regards

2nd January 2012, 23:07
Super Moderator
None of the above is a real security problem; the things you posted above are the normal "noise" that you find in the log files and not attacks on your server.
1) That's OK. There is some driver software installed on your server but the hardware is not installed. That's normal on OVH servers as they use the same server image for different servers. This can be ignored.
2) Restart clamd
3) ISPConfig uses the Bastille firewall script, which is based on iptables. You can use any firewall on an ISPConfig server, just ensure that you do not enable the ISPConfig firewall when you already have a different firewall installed.

3rd January 2012, 07:04
Junior Member
Thanks for the answer.
Unfortunately, ClamAV does not work any more.
Tried to reinstall the whole thing according to the tuto.
Got some error messages.
Get:
dpkg -l | grep clamav
ii clamav 0.97.2+dfsg-1~squeeze1 anti-virus utility for Unix command-line interface
ii clamav-base 0.97.3+dfsg-1~lenny1 anti-virus utility for Unix - base package
rc clamav-daemon 0.97.2+dfsg-1~squeeze1 anti-virus utility for Unix - scanner daemon
ii clamav-docs 0.97.3+dfsg-1~lenny1 anti-virus utility for Unix - documentation
ii clamav-freshclam 0.97.2+dfsg-1~squeeze1 anti-virus utility for Unix - virus database update utility
ii libclamav6 0.97.2+dfsg-1~squeeze1 anti-virus utility for Unix - library
Is it the source of the problem and how to fix that? What is the command related?
Logwatch:
**Unmatched Entries**
(!!)WARN: all primary virus scanners failed, considering backups: 4 Time(s)
(!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Aucun fichier ou dossier de ce type) at (eval 105) line 373.\n: 4 Time(s)
(!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Aucun fichier ou dossier de ce type, retrying (2): 4 Time(s)
NOTICE: reconnecting in response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server has gone away at (eval 103) line 166, <GEN72> line 4.: 1 Time(s)
NOTICE: reconnecting in response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server has gone away at (eval 103) line 166, <GEN91> line 5.: 1 Time(s)
NOTICE: reconnecting in response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server has gone away at (eval 103) line 166, <GEN122> line 4.: 1 Time(s)
Thanks

3rd January 2012, 18:24
Super Moderator
Please restart MySQL.
Please check your clamd configuration to find out where the socket is located and then adjust the socket location in your amavisd configuration. Restart amavisd afterwards.

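The socket check described in the post above, as an added example that is not part of the original thread: it reads LocalSocket from the clamd configuration, reads the socket path from the ClamAV-clamd entry of the amavisd scanner list, and reports whether the two agree and whether the socket exists. The file locations you pass in (on Debian commonly /etc/clamav/clamd.conf and /etc/amavis/conf.d/15-av_scanners) are assumptions, and the demo input is constructed.

```shell
#!/bin/sh
# Added example: compare the socket clamd listens on with the one amavisd dials.

# Print the LocalSocket path from a clamd.conf-style file.
# Exact match on the first field skips LocalSocketGroup and LocalSocketMode.
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Print the socket path from the first uncommented CONTSCAN line of an
# amavisd scanner file (the ClamAV-clamd entry).
amavis_socket() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*CONTSCAN[^,]*,[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Exit status: 0 = consistent and present, 1 = paths differ,
# 2 = paths agree but no socket exists, 3 = a path could not be read.
check_clamd_socket() {
    want=$(clamd_socket "$1")
    have=$(amavis_socket "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "UNKNOWN: socket path not found in one of the files"
        return 3
    fi
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: clamd=$want amavisd=$have"
        return 1
    fi
    if [ ! -S "$want" ]; then
        echo "MISSING: $want is configured on both sides but is not a socket"
        return 2
    fi
    echo "OK: $want"
}

if [ "$#" -eq 2 ]; then
    check_clamd_socket "$1" "$2"
else
    # No arguments: run against constructed sample files (not from the thread).
    demo=$(mktemp -d)
    printf 'LocalSocket /var/run/clamav/clamd.ctl\n' > "$demo/clamd.conf"
    printf '  \\&ask_daemon, ["CONTSCAN {}\\n", "/tmp/clamd.socket"],\n' \
        > "$demo/15-av_scanners"
    check_clamd_socket "$demo/clamd.conf" "$demo/15-av_scanners" || true
    rm -rf "$demo"
fi
```

A MISSING result with matching paths corresponds to the "Can't connect to UNIX socket" lines in the logs above: both sides agree on the path, but no clamd process has created the socket.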
4th January 2012, 11:07
Junior Member
Hi,
I get some error messages.
At the beginning, the root password and the MySQL password were the same.
Then I changed the root password (not the MySQL one) - I don't remember when.
Could that be at the origin of the problem?
What should I do to fix that?
Should I replace the word 'root' with the "new password root" in /usr/local/ispconfig/server/lib/mysql_clientdb.conf (even if it works well for all the websites and the forum, and I believe (wrong?) rootsw means the same value as there is in the system)?
Regards

4th January 2012, 16:13
Super Moderator
If the MySQL root password is unchanged, there should be no problem.

4th January 2012, 22:09
Junior Member
Things get worse and worse...
Mail-Error - Log
Code:
Jan 1 06:26:18 xxxxx amavis[2866]: (02866-02) (!!)WARN: all primary virus scanners failed, considering backups
…………………………………
Jan 4 10:12:48 xxxxx amavis[2912]: (02912-06) (!!)TROUBLE in process_request: connect_to_sql: unable to connect to any dataset at (eval 103) line 241, line 4. at (eval 104) line 280, line 4.
……………………………………
Jan 4 20:12:40 xxxxx postfix/smtp[30172]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 4 20:12:41 xxxxxxx postfix/error[30175]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 4 20:12:42 xxxxxx postfix/qmgr[9610]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Mail-Warn - Log
Code:
Jan 4 20:39:02 xxxx amavis[8868]: (08868-05) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Aucun fichier ou dossier de ce type) at (eval 105) line 373.\n
Jan 4 20:39:02 xxxx amavis[8868]: (08868-05) (!!)WARN: all primary virus scanners failed, considering backups
Jan 4 20:39:02 xxxxx amavis[30174]: (30174-02) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Aucun fichier ou dossier de ce type) at (eval 105) line 373.\n
Jan 4 20:39:02 xxxxx amavis[30174]: (30174-02) (!!)WARN: all primary virus scanners failed, considering backups
……………………………………………………..
Jan 4 20:12:40 xxxxx amavis[8869]: (08869-04) (!)Requesting process rundown after fatal error
Jan 4 20:12:40 xxxxx postfix/smtp[30172]: warning: connect to mysql server 127.0.0.1: Can't connect to MySQL server on '127.0.0.1' (111)
Jan 4 20:12:40 xxxxx postfix/smtp[30172]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 4 20:12:41 xxxxx postfix/qmgr[9610]: warning: private/amavis socket: malformed response
Jan 4 20:12:41 xxxxx postfix/qmgr[9610]: warning: transport amavis failure -- see a previous warning/fatal/panic logfile record for the problem description
Jan 4 20:12:41 xxxxx postfix/master[10836]: warning: process /usr/lib/postfix/smtp pid 30172 exit status 1
Jan 4 20:12:41 xxxxx postfix/master[10836]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling
Jan 4 20:12:41 xxxxx postfix/error[30175]: warning: connect to mysql server 127.0.0.1: Can't connect to MySQL server on '127.0.0.1' (111)
Jan 4 20:12:41 xxxxx postfix/error[30175]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 4 20:12:42 xxxxx postfix/qmgr[9610]: warning: private/retry socket: malformed response
Jan 4 20:12:42 xxxxx postfix/qmgr[9610]: warning: transport retry failure -- see a previous warning/fatal/panic logfile record for the problem description
Jan 4 20:12:42 xxxxx postfix/master[10836]: warning: process /usr/lib/postfix/error pid 30175 exit status 1
Jan 4 20:12:42 xxxxx postfix/master[10836]: warning: /usr/lib/postfix/error: bad command startup -- throttling
Jan 4 20:12:42 xxxxx postfix/qmgr[9610]: warning: connect to mysql server 127.0.0.1: Can't connect to MySQL server on '127.0.0.1' (111)
Jan 4 20:12:42 xxxxx postfix/qmgr[9610]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 4 20:12:43 xxxxx postfix/master[10836]: warning: process /usr/lib/postfix/qmgr pid 9610 exit status 1
Jan 4 20:16:44 xxxxx amavis[8868]: (08868-04) (!)ClamAV-clamd: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Aucun fichier ou dossier de ce type, retrying (2)
I tried to install again:
Code:
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
Restarted mysql and got this message
Code:
/etc/init.d/mysql restart
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
Then I panicked and restarted apache2 (don't ask why)
Code:
Restarting web server: apache2[Wed Jan 04 21:17:09 2012] [warn] NameVirtualHost xxxxx:80 has no VirtualHosts
[Wed Jan 04 21:17:09 2012] [warn] NameVirtualHost xxxxx:443 has no VirtualHosts
... waiting [Wed Jan 04 21:17:10 2012] [warn] NameVirtualHost xxxxx:80 has no VirtualHosts
[Wed Jan 04 21:17:10 2012] [warn] NameVirtualHost xxxxx:443 has no VirtualHosts
root@nsxxxxx:/etc/apache2# grep -i "NameVirtualHost" *
ports.conf:NameVirtualHost *:80
ports.conf: # If you add NameVirtualHost *:443 here, you will also have to change
I had a look at # netstat -tap | grep mysql
Code:
tcp 0 0 *:mysql *:* LISTEN 5869/mysqld
tcp 1 0 localhost.localdo:41473 localhost.localdo:mysql CLOSE_WAIT 8868/amavisd (ch5-a
tcp 1 0 localhost.localdo:59140 localhost.localdo:mysql CLOSE_WAIT 30174/amavisd (ch3-
tcp 1 0 localhost.localdo:59140 localhost.localdo:mysql CLOSE_WAIT 30174/amavisd (ch3
By now I'm taking some Valium to be quiet for the rest of the week.
Is there a way to fix this mess?
thanks
regards
Last edited by fxs; 4th January 2012 at 22:13.

5th January 2012, 09:30
Super Moderator
1) Apache is fine. What you posted above are not errors.
2) Your email problems are most likely related to MySQL problems. Try to log in to MySQL with the username and password that you find in the file /etc/postfix/mysql-virtual_forwardings.cf to check if the login works.
3) Restart dovecot.

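One way to run the login test from the post above, as an added example that is not part of the original thread: it reads user, password, dbname and hosts from a Postfix mysql map file and hands them to the mysql client through a private option file, so the password never appears on the command line. The function names and the constructed sample map are illustrative; the map file path is whatever you pass in.

```shell
#!/bin/sh
# Added example: test the MySQL login Postfix uses without putting the
# password on the command line, where it would show up in the process list.

# Print the value of "key = value" from a Postfix mysql map file.
cf_get() {
    awk -F= -v k="$1" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$2"
}

# Write a private client option file from the map file and print its path.
# Assumes the password contains no double quote or backslash.
make_client_cnf() {
    cnf=$(mktemp) || return 1
    chmod 600 "$cnf"
    host=$(cf_get hosts "$1")
    host=${host%% *}              # several hosts may be listed; use the first
    {
        printf '[client]\n'
        printf 'user=%s\n' "$(cf_get user "$1")"
        printf 'password="%s"\n' "$(cf_get password "$1")"
        printf 'host=%s\n' "${host:-localhost}"
    } > "$cnf"
    printf '%s\n' "$cnf"
}

# Run a trivial query with those credentials. ERROR 1045 means the login was
# refused; ERROR 2002 or 2003 means the server could not be reached at all.
test_postfix_login() {
    opt=$(make_client_cnf "$1") || return 1
    mysql --defaults-extra-file="$opt" -e 'SELECT 1' "$(cf_get dbname "$1")"
    rc=$?
    rm -f "$opt"
    return "$rc"
}

if [ "$#" -eq 1 ]; then
    test_postfix_login "$1"
else
    # No argument: print the option file built from a constructed map file.
    sample=$(mktemp)
    printf 'user = mapuser\npassword = s3cret=#x\ndbname = mapdb\nhosts = 127.0.0.1\n' > "$sample"
    out=$(make_client_cnf "$sample"); cat "$out"; rm -f "$out" "$sample"
fi
```

With hosts set to 127.0.0.1 the client connects over TCP, as Postfix does in the log lines above; with localhost it uses the Unix socket instead, so the two can fail independently.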
5th January 2012, 10:14
Junior Member
Hi,
You're absolutely right.
I opened the file and tried to connect with the username and password (original/never changed)
Code:
root@xxxxx:~# mysql --user=xxxxx--password=xxxxxxx
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
So what should I do?
Thanks
Best regards

5th January 2012, 10:28
Super Moderator
Please post the MySQL my.cnf configuration file. The path is either /etc/my.cnf or /etc/mysql/my.cnf.
Additionally post the output of:
ls -la /var/run/mysqld/
All times are GMT +2.