Networking :: Inspect Ports Or Packets For Outgoing Email?

Aug 2, 2010

My server ended up on 1 (just 1) block list and I'm finding it very difficult to convince myself that it was just an error of some kind. Can anyone think of any giveaways at the packet or port level that some program is sending spam from my server without using the normal MTA (nothing suspicious is showing up in the sendmail logs)?

Networking :: Capture Outgoing Packets Only?

Jun 11, 2009

I have a network like

Node A to Vlan Switch
Node B to Vlan Switch
Node C to Vlan Switch
Node B is set up to be a middle man between A and C.
All nodes have 1 NIC.

They are all linux boxes. Node B can ping Node C. When I try to ping Node C from Node A, the ping just hangs forever.

When I use Wireshark to sniff what's going on with Node B during a ping from Node A to Node C, I can see an ICMP request with src = Node A and dest = Node C. I'd like to know if that ICMP packet was received by B from A or if it is going out. If it's going out, that makes no sense since B knows how to send to C. If B is only getting the requests but not forwarding them, then I know there is something wrong with B's configuration.

So I'd like to be able to sniff incoming packets only, or outgoing packets only. Is there a way to do this?

Ubuntu Networking :: Redirect Outgoing Packets To LAN?

Jul 6, 2011

Is there any way to point certain packets from my outgoing traffic to a LAN IP : port?

Can iptables do this? If yes, how? Something like this [URL]?

Networking :: Monitoring Outgoing UDP Packets - PID In Access Log

Oct 11, 2010

On our webhosting servers, where Apache is primarily running, sometimes huge outgoing traffic starts to random IP addresses (each time of attack it is just one IP). It's always UDP, and according to my investigation with tcpdump, it looks like p2p. The problem is firstly the big outgoing traffic, and secondly the filling of the ip_conntrack table /proc/net/ip_conntrack. I think that one of our webhosting users has some virus uploaded on his FTP, which is run from time to time. I think that if I can map outgoing traffic to a particular process ID, it will be easy to find the PID in the access log of the webserver and then see what URL causes it.

What I have checked already:

- outgoing UDP connections are not listed in netstat - so I cannot get the PID from there
- Apache with PHP is in safe mode - cannot exec binaries, cgi is disabled
- I can see tons of records in tcpdump, but from the dump I'm not able to get the PID
- At the time of attack I was trying to run `lsof`, but nothing to see - didn't find the attacker
- I went through the apache access log - I took the time of attack, i.e. 02:22 am, grepped from the access log all hits between 02:20 and 02:29 am and tried to call all of them again - the problem didn't occur
- checked the POST records from the access log - nothing
- grepped all php files for the keywords 'fsockopen' and 'torrent'
- from iptables --log-uid I have found user nobody (under which apache is run)

I think the key is being able to match an outgoing connection to a PID; then it will be easy.

Networking :: Iptables REDIRECTing - All Outgoing Packets ?

Dec 6, 2010

I've been trying to redirect all outgoing packets (destined for a specified ip address) from my slack box back to itself. I thought this could be done with iptables, but if I fire up wireshark I can clearly see that the packets are getting out to the real server and I'm getting responses from it.

So here's what I tried:

All looks good and fine, and then I even try to visit 194.28.157.42 with firefox (by the way I am running a webserver, that is set to show a page when you visit 127.0.0.1) and I get an error page that reads: 502 Bad Gateway.

I ignored this message to see what the program I'm trying to interrupt does, and when I start wireshark and then start the program that is using that website, I can clearly see that the packets make it to the real 194.28.157.42 and get back responses.

Fedora Networking :: Can Ping But Cannot Browse - Outgoing Packets Dropped

Oct 5, 2010

In my Fedora 13 machine, while on mobile broadband, I can ping and Skype outside, but cannot browse/yum etc. A few outputs that may be of relevance are here:

$ netstat -s
IP:
149468 total packets received
6 with invalid headers
16174 with invalid addresses
0 forwarded
0 incoming packets discarded
118821 incoming packets delivered
101331 requests sent out
124 outgoing packets dropped
866 dropped because of missing route .....

Ubuntu Networking :: Cannot Access Certain Ports Via Web Browser, Outgoing Port Blocked

Aug 12, 2011

I have a vps server running certain services which can be accessed via a web browser (e.g webmin control panel), but I have recently been unable to access these services from my home machine using Firefox 5.0, running ubuntu 11.04.

Example:

I can access the server on port 80 fine, e.g.: [URL]

However I cannot access my webmin control panel on: [URL]

The pages take ages to load and then time out. Same with transmission-daemon on: [URL]

Everything is set up fine on my server, the ports are open in firewall etc. and I can access these pages fine from my work computer.

This has only started happening in the last day or two and had been working fine up till then. I have not messed around at all with the firewall on my home machine. I have tried other browsers besides Firefox with same result.

Networking :: Configure Amavis To Allow All Outgoing Email By Postfix?

Apr 27, 2010

I have CentOS 5.3 with ISPConfig 3 installed. I have noticed that some mail I sent out was lost. Especially email with a subject like "a" or "aa". I think Amavis blocks my email. Please tell me how to configure amavis to allow all outgoing email by postfix?

General :: Allow Outgoing Email From Server IP / Hostname

Jun 7, 2010

How do I check/setup that only the server can send mail (maybe by IP or hostname)? I have a debian server that sends mail through the PHP mail() function with no problems. The server uses sendmail. My concern is how do I make sure only the server itself can send mails through that server. Because it would be bad if spammers would use it as a relay server.

System:
- Debian Lenny
- PHP5
- Apache2
- MySQL 5
- PHPmyadmin
- Sendmail

Server :: BCC All Outgoing / Incoming Email Through Sendmail

Jun 9, 2010

How could we bcc all outgoing / incoming email through my Sendmail (8.14) Server?
I tried this /etc/procmailrc
:0c
! backupmail@domain.com
But this gets looped and backupmail receives multiple copies of each email for domain.com when sending locally from one user to another user.

Ubuntu :: Hiding IP Address In Outgoing Email Headers

Feb 21, 2010

I just discovered View > "All message headers" in the Evolution email client and am quite concerned that all my outgoing emails contain my personal IP address. I know that this is standard email protocol, but I'm wondering if it is possible to hide or modify this header information? Or would I be better off using a webmail client?

Server :: Postfix System Outgoing Email Blacklist

Feb 7, 2011

I have a postfix system that sends a lot of emails to customers and web site visitors. A lot of visitors just enter an invalid email in the web form just to download some files or do other tasks. Is it possible to BLACKLIST specific email addresses so the system does not send to those addresses? I can grep all those fake emails from the postfix mail log and place them somewhere.

Server :: Setting Up Email Address For Outgoing Mail

Dec 1, 2009

I have set up a mail server on Ubuntu 9.10 and it is working fine. I am using Webmin to administrate my mail server. My Ubuntu server name is abcs. I sent a test mail from Webmin for user gom. Why does it keep adding InfoNet? What I would like is to set it up as gom@abcs.com.

Networking :: Inspect SSL Traffic On LAN

Dec 1, 2010

I'm trying to inspect network traffic from my iPhone / iPad / Kindle / other wi-fi only consumer electronic device. To do this I man-in-the-middle myself (connect laptop to LAN via wire, create wireless Ad-hoc network, bridge the connections, then connect my device to the ad-hoc wi-fi network) and use Wireshark to watch the traffic.

In the past this has been adequate for my needs (I just wanted to watch and see what potentially private info was being leaked about me / see that banking / amazon / etc. apps were going over SSL). Now I've noticed that applications are almost all using SSL (which is great) but they are way too active for my taste. I'd like to use these apps but want to know what's happening in the background. I know that corporations dead-end SSL connections at their proxies to inspect the traffic and then re-establish the connection on behalf of the user for the trip across the internet. While I find the corporate use a bit distasteful, I think this is exactly what I'd need to do to myself. Any suggestions for how to do so, or other ideas on how to get the packets in the clear?

Networking :: Firewall - Allow Packets Coming From Internet After Authenticating And To By Pass Packets Generated From Internal LAN?

Feb 8, 2010

I have a linux server running oracle applications. I need to access this server from putty using ssh through the internet. I did this by registering my static IP with dnydns.org and I am able to connect to the server. But now there is no security to authenticate any user, as anyone knowing the password can log in to it.

I thought of configuring the firewall of the linux server, but the client IPs are not static and they change continuously. So I thought of keeping one more PC between the server and the router which will do the work of authenticating. But I am confused as to how to configure it to allow the packets coming from the internet after authenticating and to bypass the packets generated from the internal LAN?

Fedora :: Configure Incomming/outgoing Servers For Email/Thunderbird?

Nov 2, 2009

Basically I have no idea how to provide the proper information in the setup wizard.

Server :: Configure Postfix In Order To Check Spam Only For Outgoing Email?

May 8, 2009

Is it possible to configure Postfix in order to check spam only for outgoing email?

Networking :: IPTables - Inspect / Modify DNS Requests?

May 10, 2010

I'm trying to work out a way to inspect/modify dns requests as an advertising filter. Iptables is a good place to do this, but I'm having some problems disassembling the packet. On my dev box, when a DNS reply is returned from a request made on the dev box, I use this rule to route the reply packet through a queue:

iptables -A INPUT -p udp --sport 53 -j NFQUEUE --queue-num 1

Will the rule catch the inbound udp packet with the dns reply in it? I get something in the queue, but it's unintelligible when attempting to disassemble the packet. I don't want to move onto looking at my program until I get some feedback on the rule.

Here's a primitive diagram of what I'm working towards:
host ->DNS request->iptables(no outbound rules)-> DNS Server
->DNS Answer ->iptables(queue udp 53 packets)
->inspect packet program-> Allow/Deny -> host processes allowed packets

Programming :: Write A Program In C That Can Sniff Packets From Ethernet And Distinguish RTP Packets From Non-RTP Packets?

Aug 30, 2010

I need to write a program in C that can sniff packets from Ethernet and distinguish RTP packets from non-RTP packets. I have no idea what I should do.

Networking :: Kernel - Forward Packets From Eth0 To Eth1 And Eth1-to Eth0 As Well As Get A Copy Of These Packets For Analysis

Sep 27, 2010

I have a hardware device with two ethernet ports, eth0 and eth1 running Centos 5. Basically my goal is to forward packets from eth0->eth1 and eth1->eth0 as well as get a copy of these packets for analysis. If I set IP routing to do the forwarding then I won't get a copy of the packets for analysis.

General :: How To Compile Gstreamer - Gst-inspect Can't Cd

Dec 8, 2010

I am able to compile gstreamer just fine, but when I port it to the platform where I want to use gstreamer gst-inspect comes back with: "can't cd to /home/MY_HOME_FOLDER".

MY_HOME_FOLDER is the folder where gstreamer and all of its tools got compiled in.

So, how do I tell the configure script (or whatever decides to remember this path) to use common Linux paths so that when I port gst-inspect to /usr/bin it works OK?

Ubuntu Installation :: Inspect And Evaluate The Mbr On A Disk?

Aug 5, 2011

How can I inspect and evaluate the MBR on a disk in a computer?

I'm interested in how to do this in general.

I can use gparted to see the partitions on a disk, but I don't know how to use it, or any other tool, to see just what is in the MBR.

The particular situation I'm in is that I have two disks in my computer. One has ubuntu 10.10 on a single partition, and one has 11.04 on one of 4 partitions.

The 11.04 disk used to be bootable, but somehow I messed up the disk; longer story: I installed another OS on another partition, and the other OS redid the MBR and installed a different version of grub, and I tried to reinstall grub but ended up with a disk that wouldn't boot. So I put my old 10.10 disk back into the machine so that I could at least boot and look around on the 11.04 disk.

Now, there are probably ways that I could recover the 11.04, but I would very much like to be able to systematically analyze the 11.04 disk to determine its exact current state before modifying it.

Since the disk is not mounted it seems like this should be in reach: I want to be able to (a) capture the MBR from the 11.04 disk [into, say, a file on the 10.10 disk], (b) get an analysis of what the MBR would do (where it points to etc., and what is at where it points to), and (c) get any high-level information which can easily be determined from (a) and (b).

Networking :: Using A Different OUTGOING IP ADDRESS

Jun 23, 2010

I am testing my setup which will have 2 public servers, HTTP & MAIL, both with reverse DNS established.

www.mydomain.no -> xxx.xxx.xxx.034 -> internal name server
mail.mydomain.no -> xxx.xxx.xxx.035 -> internal name mail
Both addresses are on the same NIC, with 34 being the main address.

The system works fine except for one thing. The IP address mail sends out from is the Firewall Address _FW. I can see why, as the default gateway set on the mail server is the FW_IP (the main gateway IP). How can I get the MAIL server to send through its own public IP? I understand I can change the Firewall public IP to that of the Mail server and that would cure the problem for now. If it's possible I would like to learn a little in the process.

Software :: Program To Inspect Harddisk Location Of Files?

May 9, 2010

Does anybody here know a program (Linux-based or even Windows-based) which permits looking at the file structure of a hard disk in such a way that you can find out what file lies where on the hard disk? To specify further what I mean, back in the DOS days the Norton Utilities would show the distribution of files on a hard disk. It would show the hard disk as row upon row of rectangles, marked as used or not used, and the top left rectangles were the beginning of the hard disk while the lower right were the end of it. Now if a program put some files at the end of the hard disk it was possible to mark the filled rectangles and find out exactly which files were there.

Networking :: IPTables Rule For Outgoing?

Dec 7, 2010

Unsure about iptables lingo, so excuse me for not looking this up: I have a server, running iptables, that I do not want to allow any type of outgoing traffic to 192.168.1.21.

Networking :: Outgoing Port Forwarding Wrt54gs?

Feb 22, 2010

How would one forward a specific outgoing port to a local computer?

E.G.
Router: 192.168.1.1
Comp 1: 192.168.1.100
Comp 2: 192.168.1.200

When Comp 1 tries to browse to an internet page, forward that connection via the router to Comp 2 to display a custom webpage. Using a WRT54GS.

Fedora Networking :: IP Masquerading For All Outgoing Traffic In Eth0

Nov 13, 2010

I have a couple of interfaces in a Fedora 14 box:
eth0: internet provided by an adsl router
eth1: LAN

I set up system-config-firewall to masquerade all outgoing traffic on eth0, as I did on other Fedora 13 boxes, but it seems it doesn't work. It sets /proc/sys/net/ipv4/ip_forward to 1 and also sets the appropriate rules in iptables. But all traffic is blocked from the LAN to the Internet. "ping www.google.com" works on the Fedora box, but doesn't work on the LAN computers using the F14 IP as gateway. I have another F13 computer elsewhere configured this way and it works fine. But this one has Fedora 14.

Fedora Networking :: Send All Outgoing Traffic To A Specific Nic?

Jun 9, 2011

I use a server with 3 nics,

eth0 192.168.2.100 (internal Web, Mail)
eth1 192.168.3.100 (Default Gateway nic for clients)
eth2 192.168.3.110 (should be default Gateway for all outgoing traffic not belonging to 192.168.2.100 and 192.168.3.100)

They are all on the same machine.

I cannot set eth1 or eth2 as default gateway, as outside requests to eth0 would be handled in a false manner (somehow).

Is there an easy iptables rule to say that outgoing traffic not belonging to my networks can be redirected to a specific NIC (eth2)?

Ubuntu Networking :: 8.04.3 Server - No Outgoing Connection (VMware)

Feb 16, 2010

I'm running Ubuntu 8.04.3 server on my XP Pro SP3 machine using VMware. I'm trying to set up a static IP address but I can no longer ping anything except my router (not even the XP machine it's hosted on). I'm using "bridged" mode in VMware.

Here's my /etc/network/interfaces file:
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.50
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

Networking :: System / Script To Detect Outgoing DOS Flood?

Oct 16, 2010

I run a CentOS server that quite a few people have access to. I trust every user on the system, but I've had problems before like one user's account getting hacked and someone starting to use my box to DDOS. Each user has their own IP. And I would like to write a script or use an existing solution (if one exists) to monitor the number of tcp/udp connections each minute and see if it's unusually high. I don't want it to stop the flooding or anything, I just want to be notified by email or something.
