Ubuntu Security :: Unusual Traffic From Amazon EC2 Cloud Server

May 1, 2011

Last night my old Sony Vaio laptop, which connects via wired Ethernet and runs Ubuntu 10.10, started hammering the network out onto the Internet. Fired up Wireshark and found lots of traffic between my machine and 174.129.193.12, which I did a whois on and found belonged to Amazon EC2 Cloud Server. The port on my machine was an unknown 5000+ but the port on the remote system was 443, the port used by https; however, no browser was running. Did a search and put together a couple of iptables commands to block this IP address, which stopped the traffic. I then used nmap and netstat and found port 3000 open and another connection to IP address 91.189.89.76, which I also blocked. Unusually, no info exists on this IP when you do a whois. At first I thought it might be some sort of sync as this machine has Ubuntu One running on it; however, it could also be something else.


Fedora :: Amazon Cloud Drive Vs Dropbox?

Jun 3, 2011

I've been looking for a good alternative to Dropbox - just a little too pricey for me. And I just discovered Amazon Cloud Drive. Has anyone here had any luck setting up some sort of automated backup solution using Amazon Cloud Drive? I've been all over their site, but I just don't see any other way to access the cloud drive other than via their web interface.

Optimally, I am looking for a solution that will allow me to simply set up an rsync script or similar that would sync up a folder to a cloud drive every few days. Maybe their S3 tools can be used to do this?


Ubuntu Networking :: Can't Connect To Sites Served From Amazon's EC2 Cloud

Apr 8, 2011

Over the last 3 or 4 days, I have been unable to load sites that serve their images, scripts and what have you from Amazon's cloudfront domain.

[URL]

I have made no changes to any of my networking files, hosts{allow,deny}, or dns settings.

Connections don't provide any errors, just continually fail to load. Stopping the page load after a while reveals the raw HTML in some cases (quora and blekko).

Tested in Firefox, Chromium, Midori and Vimprobable.

I have booted into another distro and pages resolve immediately.

I have disabled IPv6 and my firewall - to no effect.


Ubuntu Networking :: Unusual High Outgoing Traffic Generated

Aug 12, 2010

I've noticed recently that a lot of outgoing internet traffic is generated by my laptop (running Ubuntu 10.04 - 64 bit). This wasn't the case previously. I only found out because my wireless broadband traffic allowance suddenly was used up very quickly. I've installed ntop to try to find out where all this traffic is going to.

I did find that there were a very high number (at one stage over 11.000) of active TCP/UDP sessions (see attached screenshot). Although the traffic generated by each is only small (about 100 bits/bytes - not sure what) multiplied by thousands, makes a fair bit of traffic. I wonder if I've got some kind of a virus/bug or do I have a configuration problem with my laptop?


Server :: PPTP Traffic - Gre Traffic Is Being Generated During The Browsing / Reduce Traffic

Sep 27, 2009

Recently I noticed that when I'm connected to a VPN server (pptpd) and I'm using it as a default gateway, my download and upload speed decreases almost to half of the usual speed. I made a test using iptables in order to count how many GRE packets are generated (except the real traffic itself) in this way:

Code:
iptables -I INPUT -p gre -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT

iptables -I FORWARD -s 172.16.10.101 -j ACCEPT
iptables -I FORWARD -d 172.16.10.101 -j ACCEPT

The first 2 rules match all GRE packets between the pptpd server and client, and the next rules - the traffic between the server and the client.

When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.

So, my question is, first of all, is my test correct and is it true that so much GRE traffic is being generated during the browsing (it becomes clear that the traffic is double than if the pptpd wasn't used as a gateway) and if yes - can that traffic be reduced?


Security :: Unusual Sm-msp-queue Log In Maillog?

Apr 25, 2010

I'm running sendmail in FC6. For the last 3/4 days I'm getting the following unusual message in my maillog:

Code:
Apr 25 04:03:54 mail sendmail[20827]: o3OLq515020827: from=<info@efcc.com>, size=8084, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 25 04:03:54 mail sendmail[20827]: o3OLq516020827: ruleset=check_mail, arg1=<info@efcc.com>, relay=localhost.localdomain [127.0.0.1], reject=451 4.1.8 Domain of sender address info@efcc.com does not resolve
Apr 25 04:03:54 mail sm-msp-queue[20769]: o3N6XIQd029543:

[Code]...


Ubuntu Security :: Unusual Port - 8081 - Is Open?

Jul 3, 2010

I did a port scan on my own network and found the following port open on my Ubuntu:

Particularly, I have no idea what/why the following is open: 8081/tcp open blackice-icecap


Ubuntu Security :: Unusual Folder Appearance Under Places?

Aug 10, 2010

I'm not sure this is the correct place for this post, but since it involves a keyring, I'm making my best guess. Feel free to move it if I am in error. I have had a "tmp" directory appear under Places in the first grouping which contains "Home", "Desktop", "Documents", etc. When I open this folder I find the attached png file.

When I look for this folder I find it is owned by root, but it appears in what should be my home directories. The only guess I have as to its origin is that I recently formatted a USB stick as an encrypted device. I don't know if that is when it appeared or not.

Can anyone shed any light on what this folder is, and why it appears where it does? Somehow it just doesn't seem a correct placement.


Ubuntu Servers :: Network Between Cloud Controller And Nodes Is Required For A Proper Cloud Installation?

Jan 12, 2010

What kind of network between cloud controller and nodes is required for a proper cloud installation? I mean, do all machines need to be in the same network, in the same LAN, or may they be in a MAN or WAN? How much should the network throughput be? 1Mbit/sec, 10Mbit per sec, or 1Gbit/sec? I ask because I need to know the possibility of running nodes on different locations.


Fedora Security :: Unusual Warning Message Asking For Password?

Apr 9, 2011

Sometimes when I try to open some chat application I get a strange warning message asking for a password. The message is that /usr/libexec/mission-control is trying to gain access of the system, please provide the password. On top of the message box it shows "Unlock Keyring".

This is very weird, as I am also unable to do a print-screen when this message box is up.

What is this message all about, and what does the executable /usr/libexec/mission-control do?

I am using Empathy as my chat application.


Security :: Most Secure Distro For Online Payments To Ebay / Amazon

Jun 22, 2010

Currently using Linux Mint. While it's nice, I have the feeling all those bells and whistles must be exposing a large attack surface. What is the most secure distro known to man, but which is still capable of making payments to Amazon and eBay?


Networking :: IP And Port Forwarding From Cloud To Cloud?

Oct 24, 2010

So best if you take a quick look at this image, which describes a network topology: [URL]

I am behind a firewall in the university dorm and many ports are banned. Well pretty much everything besides 80, 8080, 110, 21, 22 and the most basic ones. So I'd like to get around that.

I have a home server that is connected and reachable on the internet. So if you type in 90.90.90.90:80 into a browser it's reachable.

The task would be to set up a port forwarding or how you call it in a way that if I access my home server from the dorm or anywhere, it would act as a forwarder and forward that packet or connection to the 80.80.80.80 server on a specific port, say 2083 so that I can even access my hosting Co's admin user interface.

To sum it up: I'd like to access the 80.80.80.80 server from the dorm on port 2083 which is blocked by a firewall, but I have a home server that is reachable on non blocked ports. The home server has no ports blocked.


Ubuntu Servers :: What Is Amazon Ec2 Server / What Use Would It Have On Home Server?

Sep 9, 2010

What is the Amazon ec2 server, what use would it have on a home server? Does it just give me access to my server like ftp would?


Networking :: Server To Block All Traffic But US Only Traffic?

Mar 15, 2011

I wanted to tell my server to block all traffic but US only traffic. So I followed this guide: [URL].. Now I know, it's the best way to help prevent hackers/crackers (doesn't matter to me what they are called. I just have to stop them). My server only deals with US clients anyways so might as well just start right there for my server's security before getting into the brute force and injection preventions. So I got it all done, compiled everything, moved to the proper directory. I then started to set up my iptables. Like so

Code:
iptables -F INPUT
iptables -F OUTPUT
iptables -I INPUT 1 -s *.*.*.* -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 2 -s *.*.*.* -p tcp -j ACCEPT

[Code]...

After seeing that I went digging in the code and figured it was something to do with memory allocation.


Security :: Unusual Directories Appear On One Of Mounted Arrays - "samba_symlink_dir_traversal_nasl-#"

Jul 27, 2010

I recently started having unusual directories appear on one of my mounted arrays. I did not create them (intentionally) and I have no clue what they are. They all have this in the name of the folder: "samba_symlink_dir_traversal.nasl-<10-digit number>". They all have the same time-stamp for the date modified column (see pic).

What are these folders? Why are they appearing? And how can I make it stop? It doesn't do this on my other mounted arrays and disks. I recently grew my two attached arrays, this started right after that, but only on one of them. Connection? Also, it may be relevant, the folders are different today in their modified date (reflecting today's date) and the numbers in the name of the folder are different too.


Server :: Configure Email Server In Cloud Server Environment?

Jun 15, 2011

I have installed Apache, PHP and MySQL in the Rackspace cloud server environment. Can anyone please guide me on how I can configure an email server in that with postfix or some other, with multiple domains?


Server :: 14 On Amazon EC2 EBS - Sshd ?

Feb 22, 2011

I've got Fedora 14 running on an EBS volume on Amazon EC2. I've created a few users and enabled port 22. When I set a password for these users, they can successfully ssh into the instance; even if they logout and login again....until:

If I reboot the machine, they can no longer ssh into the machine (permission denied). If I issue the passwd <user> command and change their passwords, they can login again....until I reboot the machine at which time they cannot login again until I change their passwords. The problem exists even from the machine. That is, if root attempts to ssh into 127.0.0.1 using their username/password, the same problem/resolution exists.


Debian :: Gui For Ubuntu Cloud Server?

Nov 27, 2010

I have installed Ubuntu cloud server, but this server doesn't have a GUI.


Ubuntu Security :: Some Sites Blocked - Accessing Some Sites - Amazon Paypal And Bigstockphoto Really Slow

Feb 9, 2011

In the past week or so I've noticed some weird network behaviour. I find accessing some sites such as Amazon, Paypal, and Bigstockphoto really slow. Sometimes the page will not load at all. Other sites are fine. The problem sites are not a problem for others on my LAN at home. When I try to open the problem sites, I can see in Firestarter blocked connections coming from 2.1(8/9).xxx.xxx on various ports such as 36007. This only happens for the problem sites. I attached a typical output from firestarter.

This happens with Firefox or Chrome. Using Ubuntu 10.10.


Server :: Signing Up To The Amazon EC2 Service With EBS?

Jan 9, 2011

I am interested in signing up to the Amazon EC2 service with EBS. I have never used an unmanaged VPS before, but I know how to use the command line etc. There are some basic packs on there to use, with basic LAMP stacks. But I would like to ask about how do I:

Upgrade a LAMP stack? - someone mentioned yum, but what is this? How easy is it to use? Is it enough? Secure the LAMP stack? - assuming I have no idea of Linux security, can you give me a list or something of things I need to consider so I can begin the search (or just cover the steps would be awesome!) My website just uses PHP and MySQL, so that's all I'll need. If you have any other tips on this,


General :: Mail Server On Amazon Web Services?

Mar 10, 2010

We have our web site hosted by Go Daddy and they provide us with the mail service as well. But there are a lot of constraints with the mail service with regards to the number of mail boxes, size per box, relays per user and so on. To avoid this, we are looking at other options. One is to have our own mail server but it will require a lot of infrastructure and expertise. But Amazon Web Services looks nice. They have the infrastructure needed and all. One thing on my mind is the reverse lookup of the mail servers. They won't be associated with the domain as both would be on different hostings. I am open to both Windows Exchange server as well as Linux server. Has anyone done this before or has any idea about it? I have gone through some of the threads in their forum and there are a lot of mixed views about it. And the main concern everyone voices is the reverse lookup. This could lead to all the mails sent from my server being tagged as spam at the recipient end. I could not make out in which forum to write and hence in newbie. If this is enough about networking or server please move it.


Ubuntu Servers :: 10.04 Desktop Vs Cloud Server Edition

Jul 15, 2010

What's the difference in terms of scalability? We would be hosting videos and FOSS collaboration tools (wiki, forums, etc.) on 4 separate servers. If I install the cloud server, I will need to install the GUI anyways. The servers are all brand new

- 2x Intel Xeon quad cores 2.4 GHz
- 12 GB DDR3 RAM
- 4 Ethernet ports

What benefits would cloud server provide over desktop and vice versa?


Networking :: Setting Up A Cloud Server?

Apr 14, 2011

To be short and to the point, I want to set up a service with my clients and allow them to back up to one of my servers. What I would like to do is allow client connections via WinSCP to an ssh server that has home directories for each user to back up data. If users want their data I would like them to be able to connect to my apache web server (same as ssh) and download from anywhere.

Is there a way for apache to link web directories on the server to the actual /home/user account and use the same login information/authentication? Does this make sense? I really appreciate the help. I am not a developer or else I would simply develop a user friendly front end to an ssh server. Since that is the case I think this is the best solution for me, as well as the easiest for the client.


Server :: Clustering Mail Servers (CentOS/Amazon EC2)?

Feb 23, 2011

I'm looking to set up a clustered mail server, I kind-of know how I'm going to do it but wanted to check if there was a better way. So we have 3 mail servers, running as EC2 instances on Amazon AWS. We were going to achieve clustering by giving all three a shared EBS storage device to store the mail. The mail would be received by any of the three servers (Via postfix) and could be retrieved from any of the three servers (via dovecot). For receiving mail (SMTP), the domains would have 3 MX records pointing to each of the servers but for sending and retrieving mail (SMTP and POP3/IMAP) the three servers would have one DNS A record with 3 IPs associated (I know when using this method for web-servers, the load gets distributed among the IPs under that record but I'm not sure if this will work for SMTP/POP3/IMAP).

What we want is to have 3 servers that share the load equally but are completely redundant for all services (POP3, IMAP and SMTP). We also need to be able to scale upwards so if we need to add more servers we can do so easily. Also the servers must be perfectly synchronized at all times.


Ubuntu Servers :: How To Switch Clients From A Normal Server To A Cloud

Feb 4, 2010

what cloud computing is and I think it can help me with some of my clients. I want to switch my clients from a normal Ubuntu server to an Ubuntu cloud. As of right now I have to send out a bill to them and if they don't pay I have to shut down their service till they pay. What I would like to do is to have a cloud where I can sell them based on what they use, not a set price like it is now, and have them be able to pay their bill on the cloud, and if they miss the bill then the cloud can shut off their service till it's paid.

I don't know if this is possible and I have looked everywhere and all I can find is info on other businesses' billing and not how to set up a cloud to do this. I wish there was some kind of tutorial for this. If anyone can direct me to some good notes/tutorials that would be very helpful. This could be a big changing point in my business if I can do this. It would save a lot of time and cash.


Debian :: Cloud Storage Server Application

Feb 20, 2011

I hope this post is in the right area of the forum. I am searching for the right operating system and application(s) to build a cloud data storage server business like Backblaze. Backblaze uses Debian but uses their own custom application to manage the data, uploads, accounts, encryption, etc... So my real question here is: does anyone have any recommendations for existing application(s) I could use on top of Debian to handle this stuff?


Server :: Multiple Streaming Servers In A Cloud?

Aug 9, 2010

I have multiple video streaming servers (Red5) running on machines internally on LAN, for different subdomains. Ubuntu 10.04. The front end to them is apache2 on a Bastion Host. To be able to reach the streaming server I embed a javascript in HTML pages as follows

Code:

<embed .....
var="rtmp://site1.my_domain.com"
>

[code]....

How will I make sure this rtmp request is mapped to a port different than 1935, as there are three other streaming servers which are also to respond to their respective requests?


Server :: Device Won't Mount During Boot - CentOS 5.4 On Amazon EC2 Instance?

Feb 16, 2011

I'm having a consistent problem with instances on Amazon EC2, which a lot of searching, including here, has resulted in no solution. During boot I see the following message on the console (or "System Log" in the Amazon console):

Code:
Mounting local filesystems: mount: /dev/sdg already mounted or /apps busy

(I'll append an extract from the full log below). Once I log into the instance, I can access the filesystem so it's mounted somehow but I can't figure out what's going on:

Code:
# df -k /apps
Filesystem 1K-blocks Used Available Use% Mounted on

[code]....


Server :: Platform For Cloud Computing In Open Source?

Nov 9, 2010

I have a plan to deploy a private or public cloud computing. And I've been considering Eucalyptus, OpenNebula, Nimbus, vSphere, abiCloud and Joyent.

I'm very interested in Eucalyptus and OpenNebula, since they are both open source, they have many features, they both support Amazon EC2 and Amazon APIs and they seem to be able to work with different hypervisors, such as KVM, Xen, VMWare ESXi, etc.

Eucalyptus seems to be very supported by Canonical, because it can work with CentOS Server, so I bet it will grow more and more, and we have a good experience with Linux and in particular Red Hat.

On the other hand, many people told me that right now OpenNebula is better. So the question is:

- Which one between Eucalyptus and OpenNebula? The other three choices? vSphere is probably free (if we use ESXi and not ESX) but it's not open... abiCloud seems to be similar to Eucalyptus and OpenNebula... about Joyent, many people say very good things, but I want to know more, and then, is it open source? I mean here, can I use it as free?

After having built the private cloud, we probably want to also use an external service and create a hybrid cloud. If for private cloud we chose OpenNebula, Eucalyptus, abiCloud or Nimbus, I guess the best thing is to use Amazon EC2.

- Is it also possible to use a VMWare solution?

- And if we chose abiCloud or Joyent, what can we use to create a hybrid cloud?

About Microsoft Azure and Google App Engine, it seems to me they have many limitations and I prevent it because it could have a high cost, so I'm not considering them.


Security :: UDP Traffic Unauthorized On Ubuntu 10.04?

Mar 11, 2011

Has my Ubuntu machine been cracked?

machine on home lan
192.168.0.102
it is the DMZ from router
ufw on (ports open for aMule)
sshd installed

[Code].....


Copyrights 2005-15 www.BigResource.com, All rights reserved