My 1and1.com VPS, according to the tech person at 1and1.com, is coming under what I think he called a brute force attack from various places like China etc., and it is shutting down my forum.
You might be better served to install a firewall that wraps iptables and has a very easy interface.
CSF firewall. It also handles the brute force crap that is inevitable on ANY server on the net.
Lots of things can be done, i.e. change your SSH port from 22 to a non-standard one, don't allow root SSH at all, make them 'su' after login, and much more.
I have the firewall automatically ban 'bad guys' and email me about it. Makes for major peace of mind.
I usually have Taiwan, China and Ukraine dudes running automated scanners, and most servers have the same. Just have a good security setup and STRONG passwords and you'll be fine.
If his site is hosted on 1and1, shouldn't they be handling that?
"No matter where you go, there you are." "If you can't do something smart, Do something right" "There are three kinds of people in the world, those who can count, and those who can't"
I know when I see things like what you are talking about, I start blocking IP ranges in .htaccess.
When I start seeing questionable errors, etc., I check the IP address against various databases to see if they are a known spammer or the like.
I also use a very old script called guardian from xav.com that allows me to add filters, so if someone is probing my site for known hacks and they match my filters, they get hit with a DOS and are automatically locked out of the site. Anything that doesn't match an existing condition I get notified about so I can check it out.
I'm on a virtual server; my .htaccess is in my root directory, vannin.com/.htaccess, the same folder as your main index page, robots.txt, etc.
I have it blocked so you can't browse it.
Well, if it is all the sites on their server, it is their problem. Not much you can do about it except yell at them, and they are such a huge company that I don't think that will work too well.
.htaccess does not cover your server root. For that you need to do a hosts.deny file setup, and that does not cover web browsers. The hosts.deny file only covers stuff like FTP, SSH, Telnet, and other resource servers on your server.
To cover it all you need to do both hosts.deny and .htaccess.
But hosts.deny needs to be done by 1and1, correct? He can't access that?
Once I get their list I put it into a script file and run it on the server. Something like this:
Code
#!/bin/bash
# china blocklist
# generated from http://blacklists.linuxadmin.org
# One rule per range: reject TCP to the SSH port (22) from that source block.
# -A appends to the end of INPUT, so an earlier ACCEPT for port 22 would
# still match first; put these ahead of any such rule (or use -I) if needed.
/sbin/iptables -A INPUT -p tcp -s 58.14.0.0/15 --dport 22 -j REJECT
/sbin/iptables -A INPUT -p tcp -s 58.16.0.0/13 --dport 22 -j REJECT
/sbin/iptables -A INPUT -p tcp -s 58.24.0.0/15 --dport 22 -j REJECT
Another thing I do is move my default SSH port. This helps tremendously. On my server it is controlled in the file /etc/ssh/sshd_config.
I changed or added this line, except I used my secret numbers. These are not the actual numbers I used.
Code
Port 1234
You may also want to consider moving your FTP ports. You can also run port scans against your server to see what is obviously visible to a hacker. There are tools for that at Sourceforge.net.
The BIG thing, and many don't do it, is to set a VERY STRONG root password!! Not like sirdude1234, which is gonna get cracked. Try something more like x?FHU%hJeIB}lFB9;b, which is impossible to brute force.
Also, don't allow root to SSH in. Force them to log in with a non-privileged account on a non-standard port (like chep says above), then su to root.
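The two posts above describe a procedure: turn a list of ranges into per-range iptables REJECT rules for the SSH port, move sshd off port 22, and refuse root logins over SSH. The script below is an added example and is not code from this thread or from 1and1 or CSF. It only prints rules and audit findings, never calls iptables or edits the real sshd_config, and the CIDR list and the two sshd_config files it reads are constructed samples written to a temporary directory; the function names and the sample port 1234 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build REJECT rules from a CIDR list in
# the style chep posted, and audit an sshd_config for the two settings the
# posts recommend (a non-default Port, PermitRootLogin no).  Prints only.

# gen_ssh_block_rules <cidr-file> <ssh-port>
# One REJECT rule per CIDR. Comment/blank lines and anything that is not a
# dotted-quad/prefix are skipped, so a stray line cannot become a bad rule.
gen_ssh_block_rules() {
    awk -v port="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            printf "/sbin/iptables -A INPUT -p tcp -s %s --dport %s -j REJECT\n", $1, port
        }' "$1"
}

# audit_sshd_config <sshd_config>
# Prints a WARN line per weak setting and returns 1; prints "ok" and returns 0
# when both are hardened.  Commented-out directives ("#Port 22") do not count,
# and an absent directive is treated as the sshd default, i.e. not hardened.
audit_sshd_config() {
    port=$(awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? "22" : p) }' "$1")
    root=$(awk 'tolower($1) == "permitrootlogin" { r = $2 } END { print (r == "" ? "unset" : r) }' "$1")
    rc=0
    if [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22"
        rc=1
    fi
    if [ "$root" != "no" ]; then
        echo "WARN: PermitRootLogin is '$root' (want no: log in unprivileged, then su)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok"
    return "$rc"
}

# ---- constructed sample inputs (not real data) ----------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/china.txt" <<'EOF'
# same three ranges as the script in the thread, plus a junk line to skip
58.14.0.0/15
58.16.0.0/13
58.24.0.0/15
not-a-cidr
EOF

cat > "$DEMO_DIR/sshd_weak" <<'EOF'
# looks like a stock config: both directives still commented out
#Port 22
#PermitRootLogin yes
EOF

cat > "$DEMO_DIR/sshd_hard" <<'EOF'
Port 1234
PermitRootLogin no
EOF

echo "# rules for a box whose sshd has been moved to port 1234:"
gen_ssh_block_rules "$DEMO_DIR/china.txt" 1234
echo "# audit of the stock-looking config:"
audit_sshd_config "$DEMO_DIR/sshd_weak" || true   # expected to warn
echo "# audit of the hardened config:"
audit_sshd_config "$DEMO_DIR/sshd_hard"
```

Feed the real list with `gen_ssh_block_rules china.txt 1234 > block.sh` and read block.sh before running it; the generator uses the port you pass, because once sshd has moved, rules that reject port 22 no longer protect the port that is actually listening.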
That looks like more than what I usually need. A couple of other things I do are: write a script to generate some logs, grovel through them, and email myself a relevant report.
I like to look at lastb command output as well as the bash_history and the secure log. In case someone breaks in I might capture what they were doing. Looking at the secure logs will show you who is trying to break in, sometimes. Of course I would also agree with the advice of a very strong password.
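The post above describes grovelling through the secure log and emailing a report. The script below is an added example, not chep's script and not code from this thread: it counts "Failed password" lines per source address, lists the usernames each address tried, and prints only the addresses at or above a threshold, busiest first. The log excerpt it reads is constructed (documentation addresses plus one address inside the ranges from the thread) and the function name and threshold are assumptions; point it at /var/log/secure or /var/log/auth.log for real data. lastb reads the separate btmp file and is not parsed here.

```shell
#!/bin/sh
# Added example (not from the thread): the "grovel the secure log and report"
# step, run over a constructed sshd log excerpt.

# failed_login_report <logfile> <min-failures>
# Output: "<ip> <failures> <user1,user2,...>", sorted by failures descending.
failed_login_report() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                # "for invalid user admin from ..." vs "for root from ..."
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (ip == "") next
            fails[ip]++
            if (!((ip, user) in seen)) {        # usernames in first-seen order
                seen[ip, user] = 1
                users[ip] = (users[ip] == "") ? user : users[ip] "," user
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print ip, fails[ip], users[ip]
        }' "$1" | sort -k2,2nr -k1,1
}

# ---- constructed sample log (not real data) --------------------------------
LOG_DIR=$(mktemp -d)
trap 'rm -rf "$LOG_DIR"' EXIT
cat > "$LOG_DIR/secure" <<'EOF'
Mar 10 03:21:07 vps sshd[2231]: Invalid user admin from 58.14.23.9
Mar 10 03:21:07 vps sshd[2231]: Failed password for invalid user admin from 58.14.23.9 port 51022 ssh2
Mar 10 03:21:09 vps sshd[2233]: Failed password for invalid user admin from 58.14.23.9 port 51030 ssh2
Mar 10 03:21:12 vps sshd[2235]: Failed password for root from 58.14.23.9 port 51041 ssh2
Mar 10 03:21:15 vps sshd[2237]: Failed password for root from 58.14.23.9 port 51055 ssh2
Mar 10 04:02:40 vps sshd[2301]: Failed password for stan from 198.51.100.5 port 40001 ssh2
Mar 10 04:02:58 vps sshd[2303]: Accepted password for stan from 203.0.113.7 port 40112 ssh2
EOF

echo "# addresses with 3 or more failures (the part worth e-mailing yourself):"
failed_login_report "$LOG_DIR/secure" 3
echo "# every failure, for the full picture:"
failed_login_report "$LOG_DIR/secure" 1
```

The threshold is what separates a user fat-fingering a password once from an automated scanner; the usernames column tells you which it is (root and admin from an address you do not recognise is a scanner), and the output is already in the form the iptables script above needs.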
Yeah, don't forget to lock the barn after the horse gets out.
Looking at the logs to see what they do after they break in, after watching them try forever, is a great idea. If they can break in they can cover their tracks and only let you see what they want to let you see, and may have done other things to aid them that you would never know about.
If you notice someone persistent in getting in, it is best to block them and not wait until after they get in; if they are persistent, they are not just out to check out your server, they are looking to do things to it you wouldn't like.
Good luck with that. I will be looking forward to getting spam from your server on behalf of those who broke in some day.
My theory: if it looks even remotely like an attack, or someone probing for weak spots, ban the IP. If it is a legit user, they can contact me and we can sort it out.
I still get (failed) attempts from content spammers; I ban their IP anyway.
Guys, let's stop beating up on 1and1 and give him some help, huh? Telling him 1and1 sucks doesn't fix his problem or answer what he came here to find out.
Stan, SirDude has offered the best help. You could use .htaccess, but that means maintaining it, and it means Apache has to serve the request and take up resources. It also doesn't protect against brute force attacks on your FTP server, mail server, and a number of other services. What I see here isn't a fix-all, but it should help.
iptables, if done right, can prevent any access at all, thus mitigating brute force attacks.
Next, test whether you have the required iptables modules:
perl /etc/csf/csftest.pl
Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
You should not run any other iptables firewall configuration script. For example, if you previously used APF+BFD you can remove the combination (which you will need to do if you have them installed otherwise they will conflict horribly):
sh /etc/csf/remove_apf_bfd.sh etc etc etc
I am only a humble macintosh guy, never learned command
I will be looking forward to getting spam from your server on behalf of those who broke in some day.
I'm pretty sure you will not be getting any spam from my server. At any rate, why don't you take a hike and stick to the subject. I offered some helpful information. It's not something to ridicule people over. You have no idea how I cover my server's security other than a few tidbits of information I have dropped here, which isn't much of anything worth attacking someone over. It's personal jabs like yours which make contributing on the internet a little less than a mere friendly matter. I'm sure that age has a lot to do with it.
Stan good luck :-)
All I have is a piece of hard rock candy. But it's not for eatin'. It's just for lookin' through
I should have caught that typo. Thanks for pointing it out; everything seemed to work fine.
It said to do a bunch of stuff, and then it said it was installed, so was it telling itself to make those adjustments or is that something I have to figure out?