I'm using Debian 6 to host a website (with apache2) and a game server. But because of attacks to my server, my hosting company have now set it offline.
These are the two logs that they provided (I replaced all IPs):
Direction IN
Internal ***.***.***.***
[code]....
My debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.
[URL]
The securtiy breach is fixed with 4.69-9+lenny1 I want to share my actions with you on what I did to (hopefully) get rid of it. However at the time of writing this, the above website is down due to too much load (DDOS Attack?). How you can check if you've been attacked:
The attack creates a buffer overflow in exim4, which results in paniclog entries.
$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()
this would be an example of two attacks. One on 2010-12-17 and the other two days later 2010-12-19.with this information you can start find potentially infected files. There may be a better way, but I searched for them with this command:
$ find / -mtime 31 2>/dev/null # files,directories,links created 31 days ago (i.e. 2010-12-17)
My infected files:
/usr/bin/uptime
/usr/bin/pwdx
/usr/bin/slabtop
[code]....
I have recently started working on our server. My knowledge about *nix systems is very limited, so I turn to the oh-so-friendly internet community for help.The server is running Debian Etch, postfix, courier and some other stuff. And suddenly out of the blue the emails from the internet are not being received. Emails being sent internally are being received and everyone can browse the internet.Host or domain name not found. Name service error for na$for name=xxx.xxx.xx.xx.list.dsbl.org type=A: Host not found, try again.Does anyone have any experience with something like this? I would love to get this thing fixed.
View 6 Replies View RelatedI'm unable to get the "Uncomplicated Firewall" (UFW) to deny incoming pings. I've set it to deny incoming. Yet when I ping it, it responds.I'm using Debian 8.2 jessie KDE fresh/clean install with all updates.Below is the terminal output from a simple test (I've added an extra line feed between the commands for clarity):On a Debian 8.2 computer -- I install UFW, enable it, check its status (deny incoming), and get the Ethernet address:
Code: Select allroot@Computer:/home/user# apt-get install ufw
.... (long output -- no errors or warnings)
root@Computer:/home/user# ufw enable
Firewall is active and enabled on system startup
[code]...
The Debian computer with UFW active is responding to the pings, when it should be ignoring them.Rebooting the Debian computer doesn't fix the problem.This setup is very simple. I'm using all UFW defaults.This is a new Debian 8.2 install (clean) with all updates.
I am planning an issue tracking system that I will build in Django and Python and host on a Debian server. Being an issue tracking system it will have to send and receive emails. I can easily configure the send mail functionality using python inbuilt functions. But is there a way to create new content from an incoming email?
e.g. scenario > User sends email to support@university.edu and the issue management system picks up that email (somehow) and creates a new issue based on contents of the email (preferably in real time but some delay is acceptable).
I have looked at postfix and sendmail but neither allows you create new content (issue) from an incoming email. Any thoughts?
a good IPTABLES protocol to reject all incoming ssh trafiic except for a single IP or IP range?
View 4 Replies View RelatedAfter jerking around with that utterly useless iceWeasel " XYZ has been disabled for your protection" and the other useless Epiphany " mousey no worky y preferences ? No you don't have any. I wiped that garbage clean and stuck Google Chrome on here. Everything works pleasingly well. I screwed around with it and didn't care for the beta. " Stable"
View 1 Replies View RelatedI've heard of attacks using PDF files on Windows with Adobe Acrobat and Foxit Reader. Is Linux vulnerable to these attacks when using the default PDF viewers in KDE or Gnome or even xpdf? What is a good PDF scanner to determine if a PDF file is evil?
View 2 Replies View RelatedI would like to know how to protect networks against VPN attacks? How does big industries do it? What does the government tend to use? Are any tools open source that I may get?
View 1 Replies View RelatedI was just wondering if you were to get DDoSed/Dosed would ubuntu block the packets or protect you in some way?
View 1 Replies View RelatedI fear that an attack or an entry in my PC has occured, how to find the trace of the attacks.
View 3 Replies View RelatedI have a VPS which is running HTTPD, and its getting blown to bits by a DOS Attack. Turns out mod_evasive is totally useless (due to not running a total - rather counting per child process) and the only way to stop the box from running at 100% on all cores is to term HTTPD. So, what rules can I implement on the iptables firewall to block multiple requests from an IP? I saw this: [URL] Where someone has posted some rules but these dont work ("unknown error 4294967295" on the 3rd line). This is what i'm after though - block multiple requests from a single IP for a certain period of time.
View 3 Replies View Relatedrecently my Apache server crashes very often; by watching the error log,I've notice several signs of intrusion.So, I think the problem can be a denial of service attack against my machine.My distribution is Debian Lenny.
View 2 Replies View RelatedI have a VPS with Ubuntu. I host a small website (~10 visitors at the same time). Sometimes the website starts lagging. It lags so bad that my SSH connection starts lagging too. Running top says that 2 instances of apache2 take up 50 %CPU each.
I assume this is a DoS attack. I've copy-paste installed a few iptables scripts that made sense, but this has not helped. I installed libapache2-mod-evasive -- I'm sure it blocks the attacker, but I'm still lagging.
What can I do? Can I at least find the IP of the attacker? I have strong experience with Linux, but almost zero experience with being a server admin.
I'm trying to implement this method to block php injection attack using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:
HTML Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
[Code]....
Given that my public key is a pre-shared secret is sshd made in a way that this negates the possibility of a man in the middle attack? In other words, if the known_hosts file were to be deleted, would it be safe to ignore the fingerprint of a server that already has my public key in authorized_keys?
View 5 Replies View RelatedI have a mail server running RHEL, with postfix, dovecot, etc. I installed Fail2ban and this works wonders against SSH brute force attacks. It'll ban an IP address for a period of time if it unsuccessfully attempts to log on 3 times within, say a minute. I was wondering if it can be as effective with pop3 attacks. If it is, how can I get it done?
View 1 Replies View RelatedWith the disappearance of an OS monoculture, attackers would do well to find attacks that are neither OS or application specific. One way to do that, of course, is to target attacks at hardware, rather than software. Now research out of Frances Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.
View 2 Replies View RelatedMy server has been the repeated victim of bandwidth attacks: any large file on the server is downloaded repeatedly, with the goal of pushing the server over the provider's bandwidth limit. How can I lessen the effect of these kinds of attacks with IPTables or APF? For example, can I set the server to: Is this possible? Is there a more effective way, and can a firewall even do this? My web server is Lighttpd, perhaps I can place such a rule directly in its config?
View 1 Replies View RelatedI need to learn how to analyze network traffic for attacks and while finding the attack seems easy in my case I need to identify what hes doing. I will be happy right now if you guys can answer my question. How to identify if an attack has brought the server down? I have packet captures of an attack in progress and I noticed that every now and then the attacker would do something weird and the server would start sending packets with just the RST packet sent in response. Normally I had been seeing the RST ACK flags set or the FIN ACK bits set to terminate a connection. So once again my question is how do I tell if the traffic indicates a server crash?
View 1 Replies View RelatedI launched my website. At the moment the site has an firewall (iptables) enabled with very simple rules. All incoming traffic is blocked, except for the ports http and ssh. Everything is working perfect, but I want also to be able to block certain kinds of attacks. There are some really good examples on the internet, but I don't now if they contain all kinds of attacks which are relevant to my situation. To be clear, I only server web content through port 80 and use ssh to remote login.
View 3 Replies View RelatedI have a SSH server set up at home listening on port 22. I have hardened the server so it is pretty secure but I want to make it even safer by editing my iptables to rate-limit incoming connections and DROP false login attempts. I have tried these tutorials but I just cant get it to work:[URL]I want the debian-administration.org tutorial to work but when I try to add the first rule in terminal:sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --setI get the following:Bad argument --set'I am new to iptables and I'm not sure if I'm doing something wrong when I try to set it up. I'm using Ubuntu 10.04.1 LTS with iptables v1.4.4.
View 6 Replies View RelatedI need to do a pentest on a Microsoft IIS webserver to test the efficiency of the HIPS i have installed on. methods to simulate attacks so that i can check if the HIPS will detect them?
View 4 Replies View RelatedI am ashamed that I am causing other people troubles, but apparantly my server is involved in attacking the servers of other people.
I have to admit that I am not too familiar with using a CLI, or Linux for that matter, but I have a Debian server running under Plesk 10, which is colocated.
Now I have received messages from the datacenterm which state that my server is involved in brute force attacks.
The messages show a lot of lines like this:
Code:
The only I get from my hoster is to back up all domains and re-install the machine.
I want to resolve this asap, but do not agree with that action for two reasons: the machine just had a fresh re-install 2 months ago, so if it is a flaw in the OS, I will get the same flaw back, and if it is not OS related but due to a domain, I will get the problem back by putting back the backed-up domains.
But now I'm stuck: what steps should I follow to try and find the cause of this evil and make sure that my machine will not bother other machines anymore?
I realize that this probably will be a steep learning-curve, but please bare with me and help me to resolve this.
What have I done so far?
1) There are a number of live sites on this server, either running WordPress or Joomla, I have made sure they are all updated to the latest release.
2) I have manually looked at the source code of the index-files of those sites, haven't seen anything strange, like redirects.
3) I have used online scanners to check all sites for malware, all have been reported back to be clean.
4) I have run the Plesk-version of RKhunter, and that gives me certain warnings which I cannot (or do not) understand:
Code:
Code:
Code:
I received the first report of these attempts about a week ago and immediately changed the Plesk/SSH password to a 200bit password generated with KeePass, hoping that would keep out any evildoers.
we are using linux email server axigen past few years. we keep port open ssh and pop,smtp webmail etc. ssh use for remote trouble shooting. so through firewall it is globally accessable. we notice many attacks coming to our machine, also some people try to enter in our system but failure. as example see below a log come in messages file
Mar 17 09:19:50 sa1 sshd(pam_unix)[21231]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.13.120 user=root how we can secure more. as per my understanding only good long strong password can stop to prevent from attacks.
Being used to the pc i have always used resource draining virus protection programs. now that i have switched to ubuntu 10.10 i wanna kno is there rly any need for virus protection on my linux?
View 9 Replies View RelatedI'm setting up a fileserver for a client which will host their client invoices. They're looking for a system whereby invoices can be converted from RTF to PDF with copy protection (no right click / copy-paste). In addition to this I'm thinking of using a one-way hash to verify document integrity.
Are there any command-line utilities for Linux which allows adding this kind of copy protection / DRM to pdf documents?
I've been attempting to back up my collection of DVDs to an external hard drive using Brasero. I've successfully ripped many of the DVDs to ISO with Brasero, but am now wondering if it'd be possible to burn these back to other discs if I bought them in the future. In other words, does Brasero leave copy protection in place and just bypass it when ripping to ISO, or does Brasero remove copy protection all together leaving me with an decrypted ISO?
View 10 Replies View RelatedI have an external hard drive that is actually a 2.5" HDD from a laptop, in a hard drive enclosure. Now I have an issue, because the hard drive had linux Ubuntu installed on it, the hard drive is write protected. So I cant copy any files. I need to copy about 12GB of pictures from it, to my current comp, so I can format it. Does anyone know how I can remove the write protection so I can copy or delete files?
View 14 Replies View RelatedHow can I use password protection with the tar command in Linux? I'm new to Linux so please explain to me with simple usage.
View 2 Replies View Related