Security :: My Server - Deb5 And Plesk10 - Is Involved - Causing - In Brute Force Attacks
May 6, 2011
I am ashamed that I am causing other people troubles, but apparantly my server is involved in attacking the servers of other people.
I have to admit that I am not too familiar with using a CLI, or Linux for that matter, but I have a Debian server running under Plesk 10, which is colocated.
Now I have received messages from the datacenterm which state that my server is involved in brute force attacks.
The messages show a lot of lines like this:
Code:
The only I get from my hoster is to back up all domains and re-install the machine.
I want to resolve this asap, but do not agree with that action for two reasons: the machine just had a fresh re-install 2 months ago, so if it is a flaw in the OS, I will get the same flaw back, and if it is not OS related but due to a domain, I will get the problem back by putting back the backed-up domains.
But now I'm stuck: what steps should I follow to try and find the cause of this evil and make sure that my machine will not bother other machines anymore?
I realize that this probably will be a steep learning-curve, but please bare with me and help me to resolve this.
What have I done so far?
1) There are a number of live sites on this server, either running WordPress or Joomla, I have made sure they are all updated to the latest release.
2) I have manually looked at the source code of the index-files of those sites, haven't seen anything strange, like redirects.
3) I have used online scanners to check all sites for malware, all have been reported back to be clean.
4) I have run the Plesk-version of RKhunter, and that gives me certain warnings which I cannot (or do not) understand:
Code:
Code:
Code:
I received the first report of these attempts about a week ago and immediately changed the Plesk/SSH password to a 200bit password generated with KeePass, hoping that would keep out any evildoers.
View 14 Replies
ADVERTISEMENT
Sep 30, 2010
I have a SSH server set up at home listening on port 22. I have hardened the server so it is pretty secure but I want to make it even safer by editing my iptables to rate-limit incoming connections and DROP false login attempts. I have tried these tutorials but I just cant get it to work:[URL]I want the debian-administration.org tutorial to work but when I try to add the first rule in terminal:sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --setI get the following:Bad argument --set'I am new to iptables and I'm not sure if I'm doing something wrong when I try to set it up. I'm using Ubuntu 10.04.1 LTS with iptables v1.4.4.
View 6 Replies
View Related
Mar 31, 2011
I have a mail server running RHEL, with postfix, dovecot, etc. I installed Fail2ban and this works wonders against SSH brute force attacks. It'll ban an IP address for a period of time if it unsuccessfully attempts to log on 3 times within, say a minute. I was wondering if it can be as effective with pop3 attacks. If it is, how can I get it done?
View 1 Replies
View Related
Nov 8, 2010
im looking for a good brute force program that has i gui. i used to use brutus on windows but now im only running ubuntu so i need to find one.
View 3 Replies
View Related
Mar 29, 2011
I set up an ASUS WL-500gP with original ASUS firmware to my LAN with IP address 192.168.1.1. If I navigate to address [URL] in my Firefox address bar, an Authentication required window opens up asking for "User name: " and "Password: ". Correct "User name: " is "admin" and correct "Password: " is "pA55w0Rd". They work fine if I type them in manually to the Authentication required window, but for some reason I can't get in using the hydra with words.txt password file, which contains "pA55w0Rd":
Code:
[root@ ~]# cat words.txt
password
user
pA55w0Rd
[code]....
View 2 Replies
View Related
Feb 19, 2010
In my Open-Suse server I have a script, where makepasswd output(by default it generates similar passwords: cGyTbqpr, tpJ1LA, 33EXdo) is redirected to mkpasswd(which uses DES by default) in order to generate salted hash of this previously generated password. I would like to test the strength of this system. I have a quad core CPU, and if I start John The Ripper like this(I want to use -incremental:all flag):
john -incremental:all passwd
..only one core is utilized at 100%. Is there a possibility to make all four cores to crack this password? Or is this possible only after reprogramming John The Ripper? Or what is the algorithm for generating passwords with with -incremental:all flag? I mean if John generates passwords randomly in brute-force mode, then it's smart to start four different John processes simultaneously because then one of those four will find the password firs
View 2 Replies
View Related
Jun 1, 2011
I would like to know how to protect networks against VPN attacks? How does big industries do it? What does the government tend to use? Are any tools open source that I may get?
View 1 Replies
View Related
Dec 30, 2008
I fear that an attack or an entry in my PC has occured, how to find the trace of the attacks.
View 3 Replies
View Related
Jan 25, 2011
recently my Apache server crashes very often; by watching the error log,I've notice several signs of intrusion.So, I think the problem can be a denial of service attack against my machine.My distribution is Debian Lenny.
View 2 Replies
View Related
Apr 12, 2010
I'm trying to implement this method to block php injection attack using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:
HTML Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
[Code]....
View 7 Replies
View Related
Jan 6, 2011
Given that my public key is a pre-shared secret is sshd made in a way that this negates the possibility of a man in the middle attack? In other words, if the known_hosts file were to be deleted, would it be safe to ignore the fingerprint of a server that already has my public key in authorized_keys?
View 5 Replies
View Related
Nov 10, 2010
With the disappearance of an OS monoculture, attackers would do well to find attacks that are neither OS or application specific. One way to do that, of course, is to target attacks at hardware, rather than software. Now research out of Frances Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.
View 2 Replies
View Related
Jan 21, 2011
My debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.
[URL]
The securtiy breach is fixed with 4.69-9+lenny1 I want to share my actions with you on what I did to (hopefully) get rid of it. However at the time of writing this, the above website is down due to too much load (DDOS Attack?). How you can check if you've been attacked:
The attack creates a buffer overflow in exim4, which results in paniclog entries.
$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()
this would be an example of two attacks. One on 2010-12-17 and the other two days later 2010-12-19.with this information you can start find potentially infected files. There may be a better way, but I searched for them with this command:
$ find / -mtime 31 2>/dev/null # files,directories,links created 31 days ago (i.e. 2010-12-17)
My infected files:
/usr/bin/uptime
/usr/bin/pwdx
/usr/bin/slabtop
[code]....
View 4 Replies
View Related
Dec 14, 2010
I launched my website. At the moment the site has an firewall (iptables) enabled with very simple rules. All incoming traffic is blocked, except for the ports http and ssh. Everything is working perfect, but I want also to be able to block certain kinds of attacks. There are some really good examples on the internet, but I don't now if they contain all kinds of attacks which are relevant to my situation. To be clear, I only server web content through port 80 and use ssh to remote login.
View 3 Replies
View Related
Jan 27, 2011
I need to do a pentest on a Microsoft IIS webserver to test the efficiency of the HIPS i have installed on. methods to simulate attacks so that i can check if the HIPS will detect them?
View 4 Replies
View Related
Aug 24, 2009
I'm having an issue with an e-mail server (with an IP of 10.10.0.1) which is behind NAT (Cisco ASA) which in turn of course has it's own external IP (let's say - IP 10.10.0.100). Both IPs are public.Now, if i wanted to set up a correct RDNS configuration for my domain, what should be the IP address entry for the PTR record in this case?
I know this is strictly network configuration related question (not Linux, or CentOS for that matter), but I wouldn't be asking if I didn't get a few bouncing e-mails every once in a while (i.e. NDRs) with messages like: You do not have permission to send to this recipient. For assistance, contact your system administrator.
[Code]...
View 1 Replies
View Related
Apr 26, 2011
My server has been the repeated victim of bandwidth attacks: any large file on the server is downloaded repeatedly, with the goal of pushing the server over the provider's bandwidth limit. How can I lessen the effect of these kinds of attacks with IPTables or APF? For example, can I set the server to: Is this possible? Is there a more effective way, and can a firewall even do this? My web server is Lighttpd, perhaps I can place such a rule directly in its config?
View 1 Replies
View Related
Oct 18, 2009
I am using openDNS on my current Linux box and I was wondering if their is a way to force the DNS settings to stay the same even if ROOT tries to change it (since my dad wants content filtering password protected and I still want my computers root access...)
View 2 Replies
View Related
Jun 14, 2010
Is there any setting to connect ssh server using default profile.
for example if I run
ssh user@ssh_server_ip '/bin/bash --norc --noprofile'
it will skip user's login profile(/etc/profile,/etc/bashrc,~/.bashrc,~/.bash_profile)
Can i do some settings in ssh server that deny profile skipping by client.
View 1 Replies
View Related
Aug 10, 2010
Squid acl rules can be configured to allow specific ip's to get full access, or rather skips the blocked site list.
acl <tag> src x.x.x.x
http_access allow <tag>
http_access deny blocksites
From all the ways i tried, squid does not log these urls. Is there a way to have squid log the urls requested from allowed ip's?
Specs:
squid ver : (squid/2.6.STABLE21)
OS : CentOS 5.5
View 1 Replies
View Related
Apr 5, 2010
I would like to restrict a few selected accounts to minimum of 15 characters passwords. Other accounts,however, should still be able to login with 8 character passwords. This is in RHEL 5. Does anyone know how to go about it? I have checked PAM documentation and pam_cracklib.so has an option minlen. As per its documentation, minlen can force users to use 15 characters, but it forces every account on the system. I might be wrong too.
View 5 Replies
View Related
Feb 10, 2010
my server and it had a load of 60 so i immediately took down apache and the load went back down to 0 in a few mins and every time i put it back on the cpu usage on both cores immediately goes to 100% and the load goes up to 20 in just 60 seconds until i take apache down again?
View 6 Replies
View Related
Aug 3, 2011
I've currently got a crontab line that looks like the following:
Code:
*/5 * * * * /usr/bin/php -q /etc/backend/cron.php | mail -s "Cron script output" whiteydude@gmail.com
The script works fine - it runs every 5 minutes and checks if certain environmental variables are set in place - if they are, it prints an output. If they're not, it dies.
The problem is that when it dies, it still sends me a blank email - one every 5 minutes, every time the cron job runs.
telling it not to send if it's blank?
I'm assuming some type of dirty awk script could do this, but I don't really know my shell well enough to do that.
I'm not good at putting these things into words, so let me write some psuedo code to explain what I mean:
Code:
*/5 * * * * /usr/bin/php -q /etc/backend/cron.php | if (STDOUT != '') { mail -s "Cron script output" whiteydude@gmail.com }
EDIT: Unfortunately I'm running on CentOS, so I can't use mail -E . Apparently that's a FreeBSD thing.
View 5 Replies
View Related
Mar 16, 2011
I have now been trying to find an answer for the following for a while and can't seem to get anything.On previous linux distros we had the option available "passwd -e" which allowed us to force the user to change their passwords upon the next login.s functionality however seems to be excluded from latest linux distros (currently using RHEL 5.4)...Does anybody know how the same effect can be achieved and perhaps any idea on why this option was removed as it was great for securing passwords
View 5 Replies
View Related
Feb 15, 2010
i setup the following script ro run each night (12am) as a cron on the main server:
if mount | grep -q '/home';
then
rsync -ranv --delete /home/ 138.73.56.12:/home;
[code]....
the main server is running on a dell poweredge 2600. The script rsyncs to a virtualised duplicate running on a hp dl380. when i set this script up and begn running data started going missing from the main server. if new files had been created the files by staff they would go missing, if data was added to existing files prior to activating the script the new changes made to that file would be lost.i just cant understand why this happened. as soon as i turned the script off after a few days it was all back to normal but the data that had gone missing had gone missing.
i just wanted to know if this could be a disk read/write issue, was the script running too soon not allowing data to be written before it can be backed up? could it bee memory? i just dont know. another developed occured after a few days of all this happening, which was one of our hard disk from the main server started mis behaving and flashing amber (attention).
View 5 Replies
View Related
Sep 17, 2010
I actually have a server and a client.The client must connect to the server (via internet) to access to external websites. (You can see the attachment, maybe it's more clear )My actual problem is, I have configure Squid on my server, but I want to force SSL for the connection between the client and the server.I didn't really find nice tutorials about on that, maybe someone have an idea ? Or maybe some indications ?
View 1 Replies
View Related
Feb 6, 2010
We are trying to define an appliance based on Suse for an application server and Web server Apache, so we would like to know configuration best practices for network and security, is there any paper/doc about best practices?
View 3 Replies
View Related
Jan 26, 2010
I don't know what happened, but this happened in openSuSE 11.2 as well. Now when I try to view any media that involves the flash plugin, FireFox crashes. I've reinstalled the flash-plugin multiple times. I've tried downgrading to FireFox 3, but 3.5 always remains. I installed some software last night, but it didn't conflict with anything on my system. Is there some form of bug with the new flash? Is there a functionality time-bomb, that kills itself after a while?
I saw that someone else was having issues with flash freezing FireFox.
Here is some system info:
CPU - AMD Athlon 64 3200+ 2GHz
Video - ATi 2400HD chipset (MSI RX2400Pro)
Audio - Ensoniq PCI card
RAM - 2GB DDR1
View 5 Replies
View Related
Aug 12, 2010
If I remove all the template stuff, it works.
whats going on here?
View 2 Replies
View Related
Mar 22, 2010
I'm running Xfce 4.6.1 and xfdesktop 4.6.1.1 (or so aptitude said). When I use 'None' image option - just colour - I get the colour I ask for but if I change that to either 'Single image' or 'Image list' then both the image and the background colour are made greyscale.
I have tried looking through all the options I could find to do with Xfce and searching Google but I don't know how to phrase it as my searches tend to bring up black and white wallpapers.
Running X as a different user on the same computer does not cause the same problem which makes me think it might be cause by a user setting though I spent a long time with a black and white wallpaper and do not know when the issue first arose.
View 3 Replies
View Related
