Being Spammed/Hacked/Probed not sure PLEASE HELP!

Discussion in 'General' started by kresser, Oct 26, 2010.

  1. kresser

    kresser New Member

    I am really concerned as I have quite a few clients on an ISPConfig server and honestly I'm a little fresh when it comes to dealing with Internet vandals; maintenance and building I'm fine with, but I'm not real keen on how to protect. I've built several ISPConfig servers and this is the first time I've been getting attacked, or so I think. Fail2ban has been repeatedly blocking IP addresses with the word SSH next to the IP address, which I'm assuming means I've had repeated failed SSH login attempts.

    I have been taking all of those IP addresses that show up and creating an individual firewall rule to reject communication. I have looked at some of my individual site records and found what looks like someone probing for my phpMyAdmin management pages, as well as other Internet configuration and management pages.

    I am also seeing tons of communication from spamming sites in foreign countries such as Germany, Russia, Belgium, and many many more.

    Recently many of my users across all of my virtual domains have been experiencing "500 error, internal server error", mostly through my e-mail client Roundcube. I run that as well as SquirrelMail, phpMyAdmin and all the basic tools used in the Debian Lenny "The Perfect Server" how-to.

    I really need some assistance in figuring out a proactive way to stop communication with the sites, maybe blacklisting the domains, and the proper way to restrict these addresses. I have found where to blacklist e-mail accounts, however I don't see such a tool to block domains.

    It would be cool if someone could share with me how to implement a script where, after a certain number of repeated communication attempts through different channels such as SSH or unauthorized SSL or username probing, that particular client would be blocked permanently from communication.

    I am including some of the log files so maybe someone can help me make sense of this. The IP addresses included in the logs are not any of my personal addresses for this platform.

    The main reason I need help, other than the clarification on the log files and what to do, is what's going on with the internal server error 500. I need to get rid of that so my clients stop having problems. Here are the log files and where they came from.

    "mail warn-log"
    "fail2ban" - There are close to 100 of these over the last week
    Site error log - note the config page errors; I never tried to get into management pages through this domain and as a matter of fact they're blocked. Is someone probing??
    More for the same site. I used net tools to check the IPs and they are coming from Germany and Russia mostly. What's going on??


    Please help explain this and what to do. It's happening all over my server and my clients that run businesses on this are having the 500 errors. Forgive me for being ignorant, but you have to learn somehow, right?
     
  2. kresser

    kresser New Member

    Proxy Servers...

    I can see some of these people are using non-logging/private proxy servers and that's an indicator to me that they are up to no good... advice???
     
  3. mini14

    mini14 New Member

    You can permanently block the offending IP numbers and even the class C that they are part of if you want to. Edit the file "pre-chain-split.sh" that's located in /etc/Bastille/firewall.d

    Add lines like this to it...

    iptables -A INPUT -s xx.xxx.xx.0/24 -j DROP
    (blocks the class C)
    iptables -A INPUT -s xx.xxx.xx.x -j DROP
    (blocks the individual IP)

    Then restart Bastille with /etc/init.d/bastille-firewall restart
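The following is an added example, not code from the thread or from Bastille/ISPConfig: it reads fail2ban.log lines (the "[ssh] Ban" events the original poster describes), counts bans per IP, and prints the permanent DROP rules mini14 suggests appending to pre-chain-split.sh for addresses banned at least N times. The log lines, the threshold, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of fail2ban 0.8-style log lines; the IPs are
# documentation addresses (RFC 5737), not real attackers.
SAMPLE_LOG='2010-10-25 03:14:07,123 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2010-10-25 03:40:11,456 fail2ban.actions: WARNING [ssh] Unban 192.0.2.10
2010-10-25 04:02:51,789 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2010-10-25 05:11:02,001 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2010-10-25 06:30:45,222 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2010-10-26 01:05:09,333 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7'

# repeat_offenders THRESHOLD  < fail2ban.log
# Prints each IP that fail2ban has banned at least THRESHOLD times, one per
# line, sorted. Only "Ban" events count; "Unban" lines are ignored, so an IP
# that keeps coming back after its temporary ban expires is what gets listed.
repeat_offenders() {
    threshold="$1"
    grep -E ' Ban [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' \
    | awk -v t="$threshold" '{ n[$NF]++ } END { for (ip in n) if (n[ip] >= t) print ip }' \
    | sort
}

# drop_rules THRESHOLD [host|net]  < fail2ban.log
# Turns the repeat-offender list into iptables rules of the form mini14 gives.
# Default "host" drops the single IP; "net" drops the whole /24 (class C),
# which also hits innocent neighbours, so use it deliberately.
drop_rules() {
    threshold="$1"; scope="${2:-host}"
    repeat_offenders "$threshold" | while read -r ip; do
        if [ "$scope" = "net" ]; then
            printf 'iptables -A INPUT -s %s.0/24 -j DROP\n' "${ip%.*}"
        else
            printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
        fi
    done
}

# Stand-alone run: show the rules that would be appended to pre-chain-split.sh
# for IPs banned three or more times. On a live box, replace SAMPLE_LOG with
# the real file: drop_rules 3 < /var/log/fail2ban.log
printf '%s\n' "$SAMPLE_LOG" | drop_rules 3
```

Review the list before appending it, since anything added this way stays blocked across Bastille restarts until you remove the line by hand.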
     
  4. kresser

    kresser New Member

    Thank you but I still need a bunch of help

    I appreciate that tip, but is there anyone that can give me some insight as to what these logs are suggesting? I would appreciate a brief run-through of what a professional administrator sees here. I am only an intermediate IT guy; I'm not very familiar with defending complex platforms, which I know sounds dumb, but like I said, you have to learn somehow, right?

    Also, this is very important: I myself and all of my clients are receiving an "internal server error 500" every few days and I need to know if that's a separate problem and where to start on fixing it. I already removed all of the .htaccess files in the site dirs thinking that was it, but no luck.

    AND one other important thing: I can only enable 1 SSL site in the configs. I have each site that needs SSL set up on a separate IP address, but when I get the first working and I enable the second, Apache crashes and says "address already in use", cannot bind, or something like that. If anyone could please help with these issues I would greatly appreciate it!
     
  5. kresser

    kresser New Member

    Actually ISPConfig 3, not 2

    My bad, I put this in the wrong thread. I'm using ISPConfig 3, not 2.
     
  6. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I wouldn't worry too much about being probed - that's happening to EVERY server on the Internet. As long as you use fail2ban and secure passwords you should be fine.

    Regarding the 500 server error: are there any errors in Apache's error log?
     
  7. kresser

    kresser New Member

    Apache's Error Logs

    Here is Apache's most current logfile; a bunch more junk being messed with, it looks like... Also, other than the 500 error, which is a big problem right now, I needed help figuring out why I can only enable 1 SSL site. I have certs I've bought that I can't use because Apache throws a fit...

     
  8. kresser

    kresser New Member

    Yesterday's Mail Logs

    It's crazy how for months and months nobody messed with me and then bam, trouble everywhere...

    This showed up in my mail logs yesterday and I'm curious as to whether all of these scanners and hack tools being used on my server are causing the RAM in it to get eaten up and that's where these errors came from, I dunno...

    Falko, your help would be greatly appreciated...

     
  9. mini14

    mini14 New Member

    On the certs.. You have more than one IP number right? You can only use one cert per IP number.

    The logs look like what most of us running servers see fairly regularly. These probes come and go kind of in waves, from my experience (been running my own webservers since 2000).

    As to your specific problem with 500 errors: if these errors occur while valid users are attempting to access their websites then I'm not sure where to point you. If they are just random 500 errors showing up in your log files then that may be a result of these probers trying to "form feed" an existing script on your server with data that causes the script to barf. That would be a good thing actually, as it shows that their attempts are futile.

    Just my input.. hope it helps.
     
  10. kresser

    kresser New Member

    Certs and probes

    Once again thanks for your input.

    I have 7 IPs allocated to this server: one main IP running the MTA for all the virtual domains included in the MySQL database. The MTA's IP is the same one hosting the second website needing the SSL cert installed, that being because the FQDN of the mail server is part of that root domain. I have another client site set up on a different IP with an installed cert that works fine. When I turn on SSL for the virtualhost record that I want to also have SSL, Apache immediately takes a crap and shuts down; upon trying to restart the service it says fatal bind error: address already in use. I have to SSH into the server and remove the SSL option from the vhost's record and restart Apache for everything to come back online. Now my question is: is the problem because ISPConfig's main IP is the same one as the MTA and the same one as this domain I'm trying to enable it for?

    About the probing and 500 error, I was wondering if the people trying to force-feed my server these scripts are what is causing it to throw my clients 500 errors upon logging into their mailboxes and folder refreshes. I never had the 500 error problem until my server started getting slammed...
     
  11. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    What is the exact error message of the 500 errors on the websites? You will find these errors in the error.log of the site where the error was displayed.

    You can have as many SSL sites on a server as IP addresses are assigned to that server. That's a limitation of the SSL protocol and not specific to ISPConfig. Just ensure that you select a dedicated IP for every site that shall have SSL enabled.

    Regarding the probing of your server, that's normal and happens to every server that is connected to the internet all day long. So nothing to worry about. Just ensure that you keep your server updated and that you also run up-to-date versions of the CMS systems that you have installed in your websites.
     