"No Mail" When Rebooting Etch Server

Discussion in 'Server Operation' started by tcroteau, Dec 9, 2007.

  1. tcroteau

    tcroteau New Member

    Hello,
    Thanks in advance for reading through this post.

    This morning, all of a sudden, I can no longer send/receive email using Evolution via Ubuntu (my client) using an email account I've been using successfully since the installation/configuration of my Debian Etch LAMP server. I can, however access this email account via SquirrelMail.

    I've checked through the following logs:

    auth.log
    *I was being hammered by a Brute Force attack (I believe) so I blocked the IP who was slamming my server every two minutes trying different usernames.

    mail.info
    I noticed that every 30 minutes an email was sent by a user account that should not be sending system-level alert emails. I believe these coincide with emails I received every half-hour this morning:

    Warning: service httpd not running (server: <server>)!

    Message generated at December 9, 2007, 9:00.


    I deleted the user account shown in the mail.info log and tried to restart HTTPD but to no avail.


    syslog
    9 13:37:58 <hostname> ntpd[2436]: no servers reachable
    *This was distressing to me

    I'm still in the learning process administering a Linux box so I'm not the most advanced "detective" in deciphering the logs.

    Secondly, when rebooting (multiple times), under the "ABSOULTELY NO WARRANTY" blurb, it displayed:
    No mail.

    Also, when I accessed ISPConfig, under Management --> Server --> Services, SMTP was offline even though the SMTP Server drop-down menu showed it was "On". I restarted it and in this same panel, SMTP-Server status became "Online".

    Furthermore, I cannot access my websites. I'm accessing ISPConfig via my LAN.

    Any thoughts? Ideas? I'd be happy to post any log info necessary as this seems to be beyond me.

    Thanks!!

    Tom
     
  2. tcroteau

    tcroteau New Member

    UPDATE:
    My server is now working again... all of a sudden. Email is coming through and I can hit all my sites. I did nothing but walk away (and watch my pathetic Lions give one away to the Cowboys... thank goodness I'm a Red Wings fan...).

    Tom
     
  3. tcroteau

    tcroteau New Member

    UPDATE II
    Same issue again. Can't ping, can't see sites, no email....

    Anybody?
     
  4. falko

    falko Super Moderator ISPConfig Developer

    Any errors in your mail log and Apache error log? What's the output of
    Code:
    netstat -tap
    and
    Code:
    iptables -L
    ? do you use Denyhosts/fail2ban/Blockhosts to block brute-force attacks?
     
  5. tcroteau

    tcroteau New Member

    Falko,
    Thanks for taking the time to reply to my post. Here are the outputs you requested:


    <servername>:~# netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:4130 *:* LISTEN 2423/rpc.statd
    tcp 0 0 *:mysql *:* LISTEN 2108/mysqld
    tcp 0 0 *:sunrpc *:* LISTEN 1865/portmap
    tcp 0 0 *:81 *:* LISTEN 2539/ispconfig_http
    tcp 0 0 *:auth *:* LISTEN 2290/inetd
    tcp 0 0 *:ftp *:* LISTEN 17681/proftpd: (acc
    tcp 0 0 WAN IP:domain *:* LISTEN 2825/named
    tcp 0 0 xxx.xxx:domain *:* LISTEN 2825/named
    tcp 0 0 localhost.locald:domain *:* LISTEN 2825/named
    tcp 0 0 *:smtp *:* LISTEN 17630/master
    tcp 0 0 localhost.localdoma:953 *:* LISTEN 2825/named
    tcp 73149 0 WAN IP:4076 194.47.250.218:www ESTABLISHED2855/freshclam
    tcp6 0 0 *:imaps *:* LISTEN 2257/couriertcpd
    tcp6 0 0 *:pop3s *:* LISTEN 2276/couriertcpd
    tcp6 0 0 *:pop3 *:* LISTEN 2262/couriertcpd
    tcp6 0 0 *:imap2 *:* LISTEN 2245/couriertcpd
    tcp6 0 0 *:www *:* LISTEN 2707/apache2
    tcp6 0 0 *:ssh *:* LISTEN 2380/sshd
    tcp6 0 0 *:smtp *:* LISTEN 17630/master
    tcp6 0 0 ip6-localhost:953 *:* LISTEN 2825/named
    tcp6 0 0 *:https *:* LISTEN 2707/apache2
    tcp6 0 0 <servername>.<domain>:ssh ::ffff:192.168.2.:58022 ESTABLISHED27194/0

    ---------------------------------

    :~# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere loopback/8
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT 0 -- anywhere anywhere
    DROP 0 -- 224.0.0.0/4 anywhere
    PUB_IN 0 -- anywhere anywhere
    PUB_IN 0 -- anywhere anywhere
    PUB_IN 0 -- anywhere anywhere
    PUB_IN 0 -- anywhere anywhere
    DROP 0 -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    DROP 0 -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT 0 -- anywhere anywhere
    PUB_OUT 0 -- anywhere anywhere
    PUB_OUT 0 -- anywhere anywhere
    PUB_OUT 0 -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP 0 -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere

    Chain PAROLE (9 references)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere

    Chain PUB_IN (4 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:www
    PAROLE tcp -- anywhere anywhere tcp dpt:81
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:webmin
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    DROP icmp -- anywhere anywhere
    DROP 0 -- anywhere anywhere

    Chain PUB_OUT (4 references)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere

    I do not use Denyhosts/fail2ban/Blockhosts to block brute-force attacks. To be honest, I don't know anything about them, though because you mentioned them, you can rest assured I'm going to.

    Thanks again, Falko!!!

    Tom
     
  6. tcroteau

    tcroteau New Member

    Falko,
    Thanks for the fail2ban info (and howto). I installed it. Do you think my issue(s) per my initial post are a result of Brute Force Attacks?

    Thanks very much for your time and attention to this matter.

    Tom
     
  7. falko

    falko Super Moderator ISPConfig Developer

    Is your server in your local network, or is it remote? If it's a remote server, and you're having dynamic IP addresses with your internet connection, it's possible that you got an IP address used by an attacker before; if that IP address was banned by fail2ban, then you cannot connect to your server until you get a new IP address.
     
  8. tcroteau

    tcroteau New Member

    Is your server in your local network, or is it remote?
    I have 2 NICs; 1 LAN and 1 WAN

    If it's a remote server, and you're having dynamic IP addresses with your internet connection, it's possible that you got an IP address used by an attacker before;
    I use static for both LAN and WAN

    if that IP address was banned by fail2ban, then you cannot connect to your server until you get a new IP address.
    they are not banned

    ---------

    It's very strange. I can currently hit the sites and receive email but sporadically the site(s) may not load. I'm baffled.

    Thanks for all your help, Falko.
     

Share This Page