#234647 02/10/2010 10:56 PM
old hand
Joined: Jun 2006
Posts: 869
My 1and1.com VPS, according to the tech person at 1and1.com, is coming under what I think he called a brute force attack from various places like China etc., and it is shutting down my forum.

He suggested installing
man hosts.deny

Does anyone know how to do that, or what it does?

Thanks


http://clubadventist.com/forums

No longer following the carrot
SD, Former Developer
Joined: Apr 2007
Posts: 3,940
Likes: 1
iptables, basically.

You might be better served to install a firewall that wraps iptables and has a very easy interface.

CSF firewall.. also handles the brute force crap that is inevitable on ANY server on the NET...

lots of things can be done, i.e. change your SSH port from 22 to a non-standard one, don't allow root SSH at all, make them 'su' after login... and much more wink

i have the firewall automatically ban 'bad guys' and email me about it... makes for major peace of mind..

here's a typical example...

Code
Time:    Wed Feb 10 20:25:46 2010 -0800
IP:      140.123.1.12 (TW/Taiwan Province of China/dns6.ccu.edu.tw)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Feb 10 20:24:16 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=194 TOS=0x00 PREC=0x00 TTL=56 ID=57140 PROTO=UDP SPT=53 DPT=40421 LEN=174
Feb 10 20:24:16 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=194 TOS=0x00 PREC=0x00 TTL=56 ID=57141 PROTO=UDP SPT=53 DPT=40421 LEN=174
Feb 10 20:24:18 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=153 TOS=0x00 PREC=0x00 TTL=56 ID=57202 PROTO=UDP SPT=53 DPT=40421 LEN=133
Feb 10 20:24:21 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=238 TOS=0x00 PREC=0x00 TTL=56 ID=57310 PROTO=UDP SPT=53 DPT=40421 LEN=218
Feb 10 20:24:21 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=420 TOS=0x00 PREC=0x00 TTL=56 ID=57311 PROTO=UDP SPT=53 DPT=40421 LEN=400
Feb 10 20:24:22 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=153 TOS=0x00 PREC=0x00 TTL=56 ID=57341 PROTO=UDP SPT=53 DPT=40421 LEN=133
Feb 10 20:24:23 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=238 TOS=0x00 PREC=0x00 TTL=56 ID=57362 PROTO=UDP SPT=53 DPT=40421 LEN=218
Feb 10 20:24:23 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=420 TOS=0x00 PREC=0x00 TTL=56 ID=57371 PROTO=UDP SPT=53 DPT=40421 LEN=400
Feb 10 20:24:25 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=238 TOS=0x00 PREC=0x00 TTL=56 ID=57405 PROTO=UDP SPT=53 DPT=40421 LEN=218
Feb 10 20:24:33 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=227 TOS=0x00 PREC=0x00 TTL=56 ID=57580 PROTO=UDP SPT=53 DPT=40421 LEN=207
Feb 10 20:24:49 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=227 TOS=0x00 PREC=0x00 TTL=56 ID=57976 PROTO=UDP SPT=53 DPT=40421 LEN=207

I usually have Taiwan, China and Ukraine dudes running automated scanners and most servers have the same.. just have a good security setup... STRONG passwords and you'll be fine wink
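The CSF report quoted above can be triaged by field instead of by eye. The following Python script is an added example, not code from the post or from CSF: it parses iptables LOG lines of the form shown, counts blocked hits per source address and labels each packet. The first two sample lines are copied from the report above; the two TCP lines and the 192.0.2.77 address are constructed for contrast. The labels are heuristics, stated as such in the code: a UDP packet from source port 53 to an unprivileged port on your own address has the shape of a DNS answer to a query your own resolver sent (the blocked source here, dns6.ccu.edu.tw, is a name server), not of an inbound brute force attempt, so the script marks it as something to check against your resolver configuration rather than as a reason to ban, while repeated TCP SYNs to a login port are marked as a service probe.

```python
import re
from collections import Counter, defaultdict

# Constructed sample. The first two lines are copied from the CSF report in the post
# above; the two TCP lines are made up (RFC 5737 address) to show the contrast.
SAMPLE_LOG = """\
Feb 10 20:24:16 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=194 TOS=0x00 PREC=0x00 TTL=56 ID=57140 PROTO=UDP SPT=53 DPT=40421 LEN=174
Feb 10 20:24:16 server kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=140.123.1.12 DST=74.50.5.2 LEN=194 TOS=0x00 PREC=0x00 TTL=56 ID=57141 PROTO=UDP SPT=53 DPT=40421 LEN=174
Feb 10 20:30:01 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=192.0.2.77 DST=74.50.5.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 10 20:30:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:76:c2:8f:9e:00:17:df:8d:64:0a:08:00 SRC=192.0.2.77 DST=74.50.5.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

CHAIN_RE = re.compile(r"Firewall: \*(\w+) Blocked\*")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Login/service ports worth worrying about when they are hit repeatedly (assumed list)
LOGIN_PORTS = {21, 22, 23, 25, 110, 143, 3306}


def parse_line(line):
    """Split one iptables LOG line into its KEY=value fields; None if it is not one."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))  # the second LEN= (UDP length) overwrites the IP LEN=
    fields["CHAIN"] = m.group(1)
    fields["SYN"] = " SYN " in line      # TCP flags are bare words, not KEY=value
    return fields


def classify(fields):
    """Heuristic label for one blocked packet (assumptions stated in the lead-in)."""
    proto = fields.get("PROTO")
    spt = int(fields.get("SPT", 0))
    dpt = int(fields.get("DPT", 0))
    if proto == "UDP" and spt == 53 and dpt >= 1024:
        # source port 53 to our ephemeral port: looks like a DNS answer to our own query
        return "dns-reply-candidate"
    if proto == "TCP" and fields["SYN"] and dpt in LOGIN_PORTS:
        return "service-probe"           # new connection attempts at a login service
    return "other"


def summarize(log_text):
    """Count blocked hits per source address and label: {src: {label: count}}."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            counts[fields["SRC"]][classify(fields)] += 1
    return {src: dict(c) for src, c in counts.items()}


if __name__ == "__main__":
    for src, labels in sorted(summarize(SAMPLE_LOG).items()):
        print(src, labels)
```

Run it on a real CSF alert by replacing SAMPLE_LOG with the pasted "Sample of block hits" section; a source that shows only dns-reply-candidate hits deserves a look at /etc/resolv.conf and the firewall's state table before it goes on a block list.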

Old Hand
Joined: May 2008
Posts: 753
Likes: 1
if his site is hosted on 1and1, shouldn't they be handling that?


"No matter where you go, there you are."
"If you can't do something smart, Do something right"
"There are three kinds of people in the world, those who can count, and those who can't"
Veteran
Joined: Feb 2007
Posts: 1,294
Likes: 2
You would think.

SD, Former Developer
Joined: Apr 2007
Posts: 3,940
Likes: 1
it all depends... if it's a shared hosting solution, i'd assume so.. dunno what 1and1 is offering for him..

sometimes dedicated server packages just leave security up to the client or they charge for a 'managed hosting' kinda dealio to do that..

SD #234670 02/11/2010 12:35 PM
old hand
Joined: Jun 2006
Posts: 869
It is a VPS, full root access; I understand the onus is on me to do what is needed. They look after problems with shared servers.


Old Hand
Joined: May 2008
Posts: 753
Likes: 1
I know when I see things like what you are talking about, I start blocking IP ranges in .htaccess

when I start seeing questionable errors, etc, I check the IP address against various databases to see if they are a known spammer or the like.

I also use a very old script called guardian from xav.com that allows me to add filters, so if someone is probing my site for known hacks and they match my filters, they get hit with a DOS and are automatically locked out of the site. anything that doesn't match an existing condition I get notified about so I can check it out.


old hand
Joined: Jun 2006
Posts: 869
>>I start blocking IP ranges in .htaccess

Can that be done in the server root? I know it can be done in the domain root.

SIRDUDE... the stuff is way over my head, remember in the techie world I am only 11 inches tall. smile


Old Hand
Joined: May 2008
Posts: 753
Likes: 1
I'm on a virtual server; my .htaccess is in my root directory, vannin.com/.htaccess, the same folder as your main index page, robots.txt, etc.

I have it blocked so you can't browse it.


SD, Former Developer
Joined: Apr 2007
Posts: 3,940
Likes: 1
yah..

the quick/dirty way is just to add 'bad IPs' to your .htaccess in the domain root (public_html or httpdocs)

then you don't have those ips hitting your ubbthreads and causing undue load on queries that they shouldn't be allowed to do..

as for the other geek stuff i posted.. it's prolly best to have a geek do it (maybe your hosting provider should do it for FREE! )

dunno smile

old hand
Joined: Jun 2006
Posts: 869
It is all the sites on the VPS that slow to a stop; I do not think there are extra hits on my threads.
i.e. they are hitting the server root in

root/var/www/vhosts/clubadventist/httpdocs/"domainroot"


old hand
Joined: Jun 2006
Posts: 869
1and1.com is a great price, and you get what you pay for.


SD, Former Developer
Joined: Apr 2007
Posts: 3,940
Likes: 1
yeppers wink

Old Hand
Joined: May 2008
Posts: 753
Likes: 1
Well, if it is all the sites on their server, it is their problem; not much you can do about it except yell at them, and they are such a huge company, I don't think that will work too well.


UBB.threads Developer
Joined: Jun 2006
Posts: 16,369
Likes: 126
FWIW, 1&1 is a joke as a host; i have like 8 of their free "unlimited" accounts from a promo years ago, it's still not worth using lol


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Veteran
Joined: Feb 2007
Posts: 1,294
Likes: 2
.htaccess does not cover your server root. For that you need to do a hosts.deny file setup, and that does not cover web browsers. The hosts.deny file only covers stuff like FTP, SSH, Telnet, and other resource servers on your server.

To cover it all you need to do both the hosts.deny and .htaccess.

Old Hand
Joined: May 2008
Posts: 753
Likes: 1
But the hosts.deny needs to be done by 1and1, correct? He can't access that?


UBB.threads Developer
Joined: Jun 2006
Posts: 16,369
Likes: 126
Well, it's a VPS, so he should have full root access


C, newbie
Joined: Dec 2006
Posts: 36
Hi,

Have had many sorts of attacks from China, Brazil, and eastern Europe.

I use IPTables to block some countries completely. I get a master list from: http://www.wizcrafts.net/chinese-iptables-blocklist.html for example...

Once I get their list I put it into a script file and run it on the server. Something like this:

Code
#!/bin/bash
# china blocklist
# generated from http://blacklists.linuxadmin.org
# One rule per prefix, SSH (TCP port 22) only. REJECT answers the sender with
# an ICMP error by default; DROP would discard the packet silently.

/sbin/iptables -A INPUT -p tcp -s 58.14.0.0/15 --dport 22 -j REJECT
/sbin/iptables -A INPUT -p tcp -s 58.16.0.0/13 --dport 22 -j REJECT
/sbin/iptables -A INPUT -p tcp -s 58.24.0.0/15 --dport 22 -j REJECT

Another thing I do is move my default SSH port. This helps tremendously. On my server it is controlled in the file /etc/ssh/sshd_config

I changed or added this line. Except I used my secret numbers. These are not the actual numbers I used.
Code
Port 1234

You may also want to consider moving your FTP ports as well. You can also do port scans against your server to see what is obviously visible to a hacker. There are tools for that at Sourceforge.net
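Feeding a downloaded blocklist straight into iptables trusts every line of a third-party file. The Python below is an added example, not code from the post or from the blocklist site: it parses a list in the format shown above, reports malformed entries instead of silently dropping them, merges overlapping and adjacent prefixes with the standard library's ipaddress module so the rule count stays small, renders the iptables rules, and checks whether a given address (for instance one seen in the secure log) falls inside the list. DROP is used here instead of the post's REJECT so a scanner gets no response back; either is a valid choice. The blocklist text is constructed: only the three prefixes from the post are real entries, the rest are made up to exercise comments, a contained prefix, an adjacent pair and a typo.

```python
import ipaddress

# Constructed blocklist text. The three /15 and /13 prefixes are the ones from the
# post above; the remaining entries are made up to exercise comments, a contained
# prefix, an adjacent pair and a typo.
BLOCKLIST_TEXT = """\
# china blocklist (sample)
58.14.0.0/15
58.16.0.0/13
58.17.0.0/16      # already covered by 58.16.0.0/13
58.24.0.0/15
58.26.0.0/15      # adjacent to 58.24.0.0/15, merges into a /14

58.300.1.0/24     # typo: 300 is not a valid octet
"""


def parse_blocklist(text):
    """Return (networks, rejected_lines). Malformed lines are reported, not silently dropped."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw.strip())
    return networks, rejected


def collapse(networks):
    """Drop prefixes contained in others and merge adjacent siblings into their supernet."""
    return list(ipaddress.collapse_addresses(networks))


def iptables_rules(networks, port=22):
    """Render one rule per prefix. DROP (instead of the post's REJECT) sends nothing back."""
    return ["/sbin/iptables -A INPUT -p tcp -s %s --dport %d -j DROP" % (net, port)
            for net in networks]


def is_blocked(ip, networks):
    """Check whether an address seen in the logs is inside the (collapsed) list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, bad = parse_blocklist(BLOCKLIST_TEXT)
    for line in bad:
        print("rejected:", line)
    for rule in iptables_rules(collapse(nets)):
        print(rule)
```

The rendered rules are printed, not executed; review them (and the rejected lines) before piping the output into a shell, and re-run the script whenever the upstream list is refreshed so stale or overlapping entries do not accumulate.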

SD, Former Developer
Joined: Apr 2007
Posts: 3,940
Likes: 1
http://www.configserver.com/free/csf/install.txt takes all of 10 mins and this wraps iptables in a nice neat bow with a front end for WHM, if you have that..

http://www.lunarforums.com/dedicate...our_tmp_directory_tutorial-t30205.0.html <-- good idea and also /var/shm too..

lotta stuff you can do to secure yourself...

the BIG thing and many don't do it is to set a VERY STRONG root password!! not like sirdude1234, which is gonna get cracked.. try something more like x?FHU%hJeIB}lFB9;b which is impossible to brute force wink

also.. don't allow root to SSH in.. force them to login with non privileged on a non standard port (like chep says above) then su to root...

smile
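Both "Port 1234" above and "don't allow root to SSH in" come down to two lines in /etc/ssh/sshd_config, and two details of that file are easy to get wrong: sshd listens on every Port line it finds, so adding Port 1234 while a Port 22 line is still active leaves 22 open, and for most other keywords the first occurrence wins, with anything after a Match line applying only when that block matches. The Python below is an added example, not from the posts and not OpenSSH's own parser: a small audit that checks a config excerpt for exactly those two points. Both config excerpts are constructed; trailing "#" comments are stripped as a simplification.

```python
import re

# Constructed excerpts. WEAK is what you get by appending "Port 1234" to a stock file
# without touching the existing lines; HARDENED applies the advice from the posts above.
WEAK_CONFIG = """\
# sshd_config
Port 22
Protocol 2
PermitRootLogin yes
# added later:
Port 1234
"""

HARDENED_CONFIG = """\
Port 1234
Protocol 2
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Parse the global section of an sshd_config.

    Returns (first, ports, match_lines): the first value seen per keyword (sshd uses the
    first occurrence of most keywords), every Port value (sshd listens on all of them)
    and the raw directives inside Match blocks, which apply only when the block matches.
    """
    first, ports, match_lines = {}, [], []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        if in_match:
            match_lines.append(line)
            continue
        if key == "port":
            ports.append(int(value))
        first.setdefault(key, value)
    return first, ports, match_lines


def audit(text):
    """Return the findings for the two checks discussed in the thread; [] means both pass."""
    first, ports, match_lines = parse_sshd_config(text)
    findings = []
    if not ports:
        ports = [22]                        # compiled-in default when no Port line exists
    if 22 in ports:
        findings.append("port 22 is still open (listening on %s): adding a Port line "
                        "does not remove the old one" % sorted(ports))
    root = first.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set: the default depends on the OpenSSH "
                        "version, set it to 'no' explicitly")
    elif root.lower() != "no":
        findings.append("PermitRootLogin is '%s': set it to 'no' and su after login" % root)
    for directive in match_lines:
        low = directive.lower()
        if low.startswith("permitrootlogin") and not low.endswith(" no"):
            findings.append("a Match block re-enables root login conditionally: '%s'" % directive)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

After editing the real file, run `sshd -t` to syntax-check it and keep your existing session open while you confirm from a second terminal that the new port answers and that root is refused, so a typo does not lock you out of the VPS.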

SD #234777 02/11/2010 10:45 PM
C, newbie
Joined: Dec 2006
Posts: 36
That looks like more than what I usually need. A couple of other things I do is - write a script to generate some logs and grovel them and email myself a relevant report.

I like to look at lastb command output as well as the bash_history and secure log. In case someone breaks in I might capture what they were doing. Looking at the secure logs will show you who is trying to break in sometimes. Of course I would also agree with the advice of a very strong password.

/usr/bin/lastb
tail -n 400 /var/log/secure
tail -n 200 ~/.bash_history


All I have is a piece of hard rock candy. But it's not for eatin'. It's just for lookin' through
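Two earlier points can be put into one script: reading /var/log/secure to see who is trying to break in, as described just above, and generating the hosts.deny entries the original question asked about. The Python below is an added example, not code from any of the posts: it parses sshd "Failed password" and "Accepted password" lines, reports any source with five or more failures inside a five minute sliding window, and, following the warning in this thread about watching an attacker until they get in, records an accepted login from such a source as a probable compromise rather than as just another block. The log lines and addresses are constructed. The hosts.deny format is "daemon_list : client_list"; such entries only affect services built with TCP wrappers (libwrap), which included sshd on most distributions of the period but never Apache, which is why the thread pairs it with .htaccess or iptables for the web server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/secure excerpt (RFC 5737 addresses): a dictionary attack from
# 203.0.113.9 that ends in a successful root login, and one typo by a real user.
SAMPLE_SECURE = """\
Feb 11 03:12:01 server sshd[2711]: Failed password for root from 203.0.113.9 port 41022 ssh2
Feb 11 03:12:03 server sshd[2713]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Feb 11 03:12:05 server sshd[2715]: Failed password for invalid user oracle from 203.0.113.9 port 41040 ssh2
Feb 11 03:12:07 server sshd[2717]: Failed password for root from 203.0.113.9 port 41051 ssh2
Feb 11 03:12:09 server sshd[2719]: Failed password for root from 203.0.113.9 port 41060 ssh2
Feb 11 03:15:40 server sshd[2800]: Failed password for stan from 198.51.100.4 port 50111 ssh2
Feb 11 03:15:52 server sshd[2802]: Accepted password for stan from 198.51.100.4 port 50112 ssh2
Feb 11 03:20:00 server sshd[2850]: Accepted password for root from 203.0.113.9 port 41080 ssh2
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")


def parse_secure(text, year=2010):
    """Yield (timestamp, result, user, ip) for each sshd password event in the text.
    syslog lines carry no year, so one is supplied (assumed here, not read from the log)."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce(events, threshold=5, window_seconds=300):
    """Report sources with >= threshold failures inside a sliding window.

    A later accepted login from a reported source is recorded in 'success_after':
    at that point the box is probably compromised and blocking alone is not enough."""
    recent = defaultdict(list)   # ip -> [(ts, user)] still inside the window
    report = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip]
                          if (ts - t).total_seconds() <= window_seconds] + [(ts, user)]
            if len(recent[ip]) >= threshold and ip not in report:
                report[ip] = {"failures": len(recent[ip]),
                              "users": sorted({u for _, u in recent[ip]}),
                              "success_after": None}
        elif ip in report:
            report[ip]["success_after"] = user
    return report


def hosts_deny_lines(report, daemon="sshd"):
    """Render /etc/hosts.deny entries ('daemon_list : client_list'). 'ALL' instead of
    'sshd' would cover every TCP-wrapped service; Apache is not one of them."""
    return ["%s: %s" % (daemon, ip) for ip in sorted(report)]


if __name__ == "__main__":
    found = find_bruteforce(parse_secure(SAMPLE_SECURE))
    for ip, info in found.items():
        print(ip, info)
    print("\n".join(hosts_deny_lines(found)))
```

On a live box the same loop runs over `cat /var/log/secure` (or the output of `lastb`, with a different regex); append the rendered lines to /etc/hosts.deny and add a matching `iptables -I INPUT -s <ip> -j DROP` if you also want the web server and other non-wrapped services shielded. Any entry with a non-empty success_after means the password for that account has to be changed and the host examined, not merely firewalled.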
Veteran
Joined: Feb 2007
Posts: 1,294
Likes: 2
Yeah, don't forget to lock the barn after the horse gets out.

Looking at the logs to see what they do after they break in after watching them try forever is a great idea. If they can break in they can cover their tracks and only let you see what they want to let you see and may have done other things to aide them and you would never know it.

If you notice someone persistent in getting in it is best to block them and not wait till after they got in as if they were persistent then they are not just out to check out your server they are looking to do things to it you wouldn't like.

Good luck with that. I will be looking forward to getting spam from your server on behalf of those who broke in some day.

Old Hand
Joined: May 2008
Posts: 753
Likes: 1
my theory, if it looks even remotely like an attack, or someone probing for weak spots, ban the IP. if it is a legit user, they can contact me and we can sort it out.

I still get (failed) attempts from content spammers, I ban their IP anyway.


Pooh-Bah
Joined: Jul 2006
Posts: 2,143
Guys, let's stop beating up on 1and1 and give him some help, huh? Telling him 1and1 sucks doesn't fix his problem or answer what he came here to find out.

Stan, SirDude has offered the best help. You could use .htaccess, but that means maintaining it, and it means Apache has to serve the request and take up resources. It also doesn't protect against brute force attacks on your FTP server, mail server, and a number of other services. What I see here isn't a fix-all, but it should help.

IPtables, if done right, can prevent any access at all, thus mitigating brute force attacks.


This thread for sale. Click here! [Linked Image from navaho.infopop.cc]
old hand
Joined: Jun 2006
Posts: 869
Thanks for the help, everyone,
here is my next problem

I DON'T HAVE A CLUE HOW TO DO THIS smile

code.
Quote
Installation
============
Installation is quite straightforward:

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Next, test whether you have the required iptables modules:

perl /etc/csf/csftest.pl

Don't worry if you cannot run all the features, so long as the script doesn't
report any FATAL errors

You should not run any other iptables firewall configuration script. For
example, if you previously used APF+BFD you can remove the combination (which
you will need to do if you have them installed otherwise they will conflict
horribly):

sh /etc/csf/remove_apf_bfd.sh
etc etc etc

I am only a humble Macintosh guy, never learned the command line.

Pooh-Bah
Joined: Jul 2006
Posts: 2,143
Log in via a terminal (PuTTY will work) and type exactly what he has there, line by line.


SD, Former Developer
Joined: Apr 2007
Posts: 3,940
Likes: 1
one thing i'd recommend doing BEFORE the 1st thing in that tutorial is to go to your setups directory..

ie: /root/setups or a lotta times /var/usr/src or /var/usr/local/src

THEN do what it says.. that way you keep all the downloaded stuff in one place instead of into whatever directory you login to..

to change directory, use the 'cd' command... so to go to /var/usr/src dir.. 'cd /var/usr/src' would do it..

SD #234897 02/15/2010 11:08 PM
C, newbie
Joined: Dec 2006
Posts: 36
Quote
I will be looking forward to getting spam from your server on behalf of those whom broke in some day.

I'm pretty sure you will not be getting any spam from my server. At any rate, why don't you take a hike and stick to the subject. I offered some helpful information. It's not something to ridicule people over. You have no idea about how I cover my server's security other than a few tidbits of information I have dropped here, which isn't much of anything worth attacking someone over. It's personal jabs like yours which make contributing on the internet a little less than a mere friendly matter. I'm sure that age has a lot to do with it.

Stan good luck :-)


old hand
Joined: Jun 2006
Posts: 869
OK, trying to get this fixed... had trouble with my terminal program on my Mac so I picked up a Windows 7 machine....

what am I doing wrong? the CD command is not taking

Thanks everyone for the help.
Attachments
photo1.gif


R, Former Developer
Joined: Jun 2006
Posts: 9,242
Likes: 1
It would appear that your initial command to unpack the csf.tgz file was incorrect.

You should run the command:

Code
tar -xzf csf.tgz

old hand
Joined: Jun 2006
Posts: 869
I should have caught that typo.. thanks for pointing it out, everything seemed to work fine

It said to do a bunch of stuff, and then it said it was installed, so was it telling itself to make those adjustments or is that something I have to figure out?

Thanks again for your help!
Attachments
Screen shot 2010-03-05 at 8.19.18 AM.gif


old hand
Joined: Jun 2006
Posts: 869
Also, how does one take a partial screen shot with Windows 7?


SD, Former Developer
Joined: Apr 2007
Posts: 3,940
Likes: 1
get firefox then an add-on to assist you..

Linky Poo to add-ons

one of the 1st two works fine..

i personally use SnagIt, which is a separate program, but they all do what you want smile


Powered by UBB.threads™ PHP Forum Software 8.0.1
(Snapshot build 20240918)