Debian / Ubuntu - Block attacks received on main protocols (mail, web and FTP)


If you have ever managed an Internet-facing server (a dedicated server or a VPS), you have probably noticed that hackers probe it every day. Blocking a single hacker is simple : drop his IP address in your server's firewall. Most of the time this is enough. The exception is a botnet : in that case, many different IP addresses show up in your history (logs), and blocking them one by one does not stop the hacker. Worse, if you block all of them you may also block a legitimate visitor whose machine is infected by a virus (a botnet client).

To protect yourself against these attacks, there are 3 steps :

  1. Configure the firewall to allow only what is necessary. To do this, follow our tutorial : Debian / Ubuntu - Securing your VPS or dedicated server by iptables
  2. Find the IP addresses of the hackers in your server logs. On Linux, they are under : /var/log/...
  3. Block these IP addresses in your server's firewall. On Linux, we will use iptables to configure the Netfilter firewall.

This tutorial covers the following cases :

  1. Block an IP address or an IP range with Iptables
  2. Block an attack on the SMTP protocol (SASL authentication) - Postfix
  3. Block an attack on the IMAP / POP3 protocol - Courier
  4. Block an attack on webmail RoundCube
  5. Block an attack on the HTTP / HTTPS protocol - Apache
  6. Block an attack on the FTP protocol - ProFTPD
  7. Block DDoS attack with No More DDOS

1. Block an IP address or an IP range with Iptables

To block a hacker, you need to block his IP address in the firewall of your Linux server.
For this, we will use iptables to drop incoming traffic from the IP address "xx.xx.xx.xx" (where xx.xx.xx.xx is the IP address of the hacker). The "-I" option inserts the rule at the top of the INPUT chain, so it takes effect before any ACCEPT rule that already allows the traffic. Note that rules added this way live only in kernel memory : they disappear at the next reboot unless you save them (for example with iptables-save, or with the iptables-persistent package).

Code : Bash

iptables -I INPUT -s xx.xx.xx.xx -j DROP

If the hacker uses an IP range (for example : 10.0.0.10, 10.0.0.11, 10.0.0.12, ... 10.0.0.20), simply use this command :

Code : Bash

iptables -I INPUT -m iprange --src-range 10.0.0.10-10.0.0.20 -j DROP

If you want to block outgoing connections (your server => other servers) to an IP range, use the "--dst-range" parameter instead of "--src-range", and put the rule in the OUTPUT chain instead of INPUT. A "--dst-range" rule in the INPUT chain only matches packets whose destination is in that range, which for incoming traffic means your server's own addresses, so it would not block anything outgoing.
Thus, your server will no longer be able to send data to this IP range.

Code : Bash

iptables -I OUTPUT -m iprange --dst-range 10.0.0.10-10.0.0.20 -j DROP
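As an added example (not code from the original page), here is a small wrapper around the iptables commands above. It validates the address, refuses to block loopback or the server's own addresses (section 3 warns that blocking 127.0.0.1 or your server's IP breaks the webmail), skips rules that already exist, and records every block so it can be restored after a reboot. The names OWN_IPS, BLOCKLIST, DRY_RUN and the blocklist path are assumptions of this example, not part of the page.

```shell
#!/bin/sh
# Added example: safe wrapper around "iptables -I INPUT -s <ip> -j DROP".
# Assumptions (not from the page): OWN_IPS is a space-separated list of this
# server's public addresses, BLOCKLIST is where blocks are recorded, and DRY_RUN
# prints the rules instead of calling iptables.

OWN_IPS="${OWN_IPS:-}"
BLOCKLIST="${BLOCKLIST:-/etc/iptables/blocked-ips.txt}"   # hypothetical path

# is_ipv4 ADDR : succeeds if ADDR is a dotted-quad IPv4 address, optionally with /prefix
is_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5                          { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)    { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# is_protected ADDR : succeeds if ADDR must never be dropped (loopback, own addresses)
is_protected() {
    case "$1" in 127.*) return 0 ;; esac
    for own in $OWN_IPS; do
        [ "$1" = "$own" ] && return 0
    done
    return 1
}

# apply_rule CHAIN MATCH... : insert the rule unless an identical one already exists
apply_rule() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables -I $*"
        return 0
    fi
    # -C tests whether an identical rule is already present, so re-running is harmless
    if iptables -C "$@" 2>/dev/null; then
        echo "already present: iptables -I $*"
        return 0
    fi
    # -I puts the DROP at the top of the chain, ahead of any ACCEPT rule
    iptables -I "$@"
}

# record_rule CHAIN MATCH... : keep a copy on disk, since iptables rules do not survive a reboot
record_rule() {
    [ -n "$DRY_RUN" ] && return 0
    grep -qxF -- "$*" "$BLOCKLIST" 2>/dev/null || echo "$*" >> "$BLOCKLIST"
}

# block_ip ADDR : drop all incoming traffic from one address or CIDR block
block_ip() {
    if ! is_ipv4 "$1"; then
        echo "refused: '$1' is not an IPv4 address" >&2; return 2
    fi
    if is_protected "$1"; then
        echo "refused: $1 is loopback or one of this server's own addresses" >&2; return 3
    fi
    apply_rule INPUT -s "$1" -j DROP && record_rule INPUT -s "$1" -j DROP
}

# block_range FIRST LAST : drop all incoming traffic from a contiguous range
block_range() {
    if ! is_ipv4 "$1" || ! is_ipv4 "$2"; then
        echo "refused: range ends must be IPv4 addresses" >&2; return 2
    fi
    if is_protected "$1" || is_protected "$2"; then
        echo "refused: range touches a protected address" >&2; return 3
    fi
    apply_rule INPUT -m iprange --src-range "$1-$2" -j DROP \
        && record_rule INPUT -m iprange --src-range "$1-$2" -j DROP
}

# restore_blocklist : re-apply every recorded rule (call it from a boot script)
restore_blocklist() {
    [ -f "$BLOCKLIST" ] || return 0
    while IFS= read -r rule; do
        [ -n "$rule" ] && apply_rule $rule    # word splitting of the rule spec is intended
    done < "$BLOCKLIST"
}

# Demo on constructed addresses. Remove the DRY_RUN line to apply the rules for real (as root).
DRY_RUN=1
OWN_IPS="203.0.113.5"
block_ip 198.51.100.7                 # prints: iptables -I INPUT -s 198.51.100.7 -j DROP
block_range 10.0.0.10 10.0.0.20       # prints the iprange rule from the page
```

Run it as root without DRY_RUN to apply the rules; "block_ip 127.0.0.1" or an address listed in OWN_IPS is refused, and a second "block_ip" of the same address is reported as already present instead of inserting a duplicate rule.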

 

2. Block an attack on the SMTP protocol (SASL authentication) - Postfix

When you secure a mail server, you enable SASL authentication so that nobody can use it without an account : users must authenticate through SASL before they are allowed to send mail. This keeps your server off the blacklists of other mail servers, because spammers cannot relay through it.
Because an authenticated mail server only accepts valid credentials, hackers try to guess the password of one of your email accounts with a bruteforce attack. In practice, they run through a list of likely addresses ("info@your-domain.com", "contact@your-domain.com", "webmaster@your-domain.com", ...) with passwords like "1234", "home", ... or words from a dictionary.

Of course, all these authentication attempts are recorded in log files.

To list the email addresses the hacker tried, search the "/var/log/auth.log" file (where saslauthd records its failures) for the "auth failure" pattern.

Code : Bash

grep "auth failure" /var/log/auth.log

It will display something similar to this :

Code : Plain Text

Month Day xx:xx:xx Server name saslauthd[xxxx]: do_auth         : auth failure: [user=account@domain.com] [service=smtp] [realm=domain.com] [mech=pam] [reason=PAM auth error]

To list the IP addresses used for these attacks, search the "/var/log/mail.log" file (written by Postfix's smtpd) for the "SASL LOGIN authentication failed" pattern. Depending on the client, the mechanism logged may be "LOGIN" or "PLAIN", so searching for "authentication failed" alone catches both.

Code : Bash

grep "SASL LOGIN authentication failed" /var/log/mail.log

It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the attacker.

Code : Plain Text

Month Day xx:xx:xx Server name postfix/smtpd[xxxxx]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: authentication failure

 

For users of "Logwatch", you will see lines like these in the reports that you will receive by mail:

Code : Plain Text

 SASL Authentications failed xx Time(s)
 Service smtp (pam) - xx Time(s):
 Realm domain.com - xx Time(s):
 User: account@domain.com - PAM auth error - xx Time(s):

With this information, you know which credentials were tried on your server, but the report doesn't give the hacker's IP address. To find it, use the mail.log search described above.
To install and configure "Logwatch", refer to our tutorial : Debian / Ubuntu - Detect attacks made against your server with Logwatch

Finally, block the hacker by typing this command :

Code : Bash

iptables -I INPUT -s xx.xx.xx.xx -j DROP

 

3. Block an attack on the IMAP / POP3 protocol - Courier

When you configure a complete mail server, you install several things :

  • The mail server itself (usually Postfix)
  • The SMTP service for sending emails (part of Postfix)
  • A webmail (web interface to read your emails)
  • The IMAP and / or POP3 services (here provided by Courier)

The IMAP and POP3 protocols are used to read your emails with an email client. When you install them, you must open the corresponding ports to everyone : IMAP (143), IMAPS (993), POP3 (110) and POP3S (995). This lets you check your mails from any computer, smartphone, ... and from anywhere. It also lets anyone (including hackers) connect to these ports and run a bruteforce attack.

To list IP addresses used for these attacks, you must list the lines of the "/var/log/mail.log" file, by searching the "LOGIN FAILED" pattern.

Code : Bash

grep "LOGIN FAILED" /var/log/mail.log

It will display something similar to this :
Note :
- This file contains the history of both the POP3 server (pop3d) and the IMAP server (imapd).
- xx.xx.xx.xx is the IP address of the hacker. Courier writes IPv4 addresses in IPv4-mapped IPv6 form ("::ffff:" followed by the address) ; the part to block is the dotted address after "::ffff:". If the hacker went through your webmail, the logged address will be "127.0.0.1" or the IP address of your server. In this case, don't block this address, otherwise the webmail becomes unusable (see section 4 to find the real client address).

Code : Plain Text

Month Day xx:xx:xx Server name pop3d: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
Month Day xx:xx:xx Server name imapd: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]

The same lines appear, with a different daemon name, when the hacker uses the SSL variants of these protocols (POP3S and IMAPS) :

Code : Plain Text

Month Day xx:xx:xx Server name pop3d-ssl: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
Month Day xx:xx:xx Server name imapd-ssl: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]

 

For users of "Logwatch", you will see lines like these in the reports that you will receive by mail :

Code : Plain Text

 --------------------- IMAP Begin ------------------------
 
 [IMAPd] Logout stats:
 ====================
                                    User | Logouts | Downloaded |  Mbox Size
 --------------------------------------- | ------- | ---------- | ----------
                      account@domain.com |       x |       xxxx |          x
 ---------------------------------------------------------------------------
                                                 x |       xxxx |          x

 **Unmatched Entries**
    Failed to connect to socket /tmp/fam-vmail-: x Time(s)
    LOGIN FAILED, method=PLAIN, ip=[::ffff:xx.xx.xx.xx]: x Time(s)
    LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]: x Time(s)
 
 ---------------------- IMAP End -------------------------

 --------------------- POP-3 Begin ------------------------
 
 [POP3] Login failures:
 =========================
                                  Host (user) |           #
 -------------------------------------------- | -----------
              xx.xx.xx.xx (account@domain.com) |           x
 ---------------------------------------------------------------------------
                                                             x
 
 ---------------------- POP-3 End -------------------------

With this information, you know the IP addresses used against the "POP3" and "IMAP" services.

Finally, block the hacker by typing this command :

Code : Bash

iptables -I INPUT -s xx.xx.xx.xx -j DROP
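The two searches above (Postfix SASL failures in section 2, Courier LOGIN FAILED lines in section 3) both end with an IP address to count. As an added example (not code from the original page), the function below does both in one pass over mail.log, strips the "::ffff:" prefix Courier writes, never reports 127.0.0.1 or the server's own addresses (which belong to the webmail), and lists only the clients that exceed a threshold. The OWN_IPS variable, the threshold and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example: count login failures per client address from /var/log/mail.log,
# covering Postfix smtpd (SASL) and Courier pop3d/imapd (plain and -ssl).
# Assumptions (not from the page): OWN_IPS lists this server's own addresses,
# MIN is the number of failures after which an address is reported.

OWN_IPS="${OWN_IPS:-}"

# mail_offenders LOGFILE [MIN] : print "count ip" for every client with >= MIN failures
mail_offenders() {
    awk -v min="${2:-5}" -v own="$OWN_IPS" '
    BEGIN {
        n = split(own, a, " ")
        for (i = 1; i <= n; i++) skip[a[i]] = 1
        skip["127.0.0.1"] = 1           # the webmail, never an attacker (see section 3)
    }
    # Postfix: "... postfix/smtpd[pid]: warning: host[1.2.3.4]: SASL LOGIN authentication failed: ..."
    # the mechanism may be LOGIN, PLAIN or another, so it is not part of the match
    /postfix\/smtpd\[[0-9]+\]: warning: .*SASL [A-Z0-9-]+ authentication failed/ {
        if (match($0, /\[[0-9.]+\]: SASL/)) {
            ip = substr($0, RSTART + 1, RLENGTH - 8)   # drop "[" and "]: SASL"
            count[ip]++
        }
        next
    }
    # Courier: "... pop3d: LOGIN FAILED, user=..., ip=[::ffff:1.2.3.4]" (also imapd, pop3d-ssl, imapd-ssl)
    /(pop3d|imapd)(-ssl)?: LOGIN FAILED,/ {
        if (match($0, /ip=\[[0-9a-fA-F.:]+\]/)) {
            ip = substr($0, RSTART + 4, RLENGTH - 5)   # drop "ip=[" and "]"
            sub(/^::ffff:/, "", ip)                    # IPv4-mapped IPv6 -> plain IPv4
            count[ip]++
        }
    }
    END {
        for (ip in count)
            if (count[ip] >= min && !(ip in skip)) print count[ip], ip
    }' "$1" | sort -rn
}

# Constructed sample log (not real traffic) so the function can be tried offline
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 mx postfix/smtpd[1234]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:05 mx postfix/smtpd[1234]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:09 mx postfix/smtpd[1234]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:01:30 mx postfix/smtpd[1234]: disconnect from unknown[198.51.100.23]
Mar  3 10:02:00 mx pop3d: LOGIN FAILED, user=info@example.com, ip=[::ffff:198.51.100.23]
Mar  3 10:02:30 mx imapd-ssl: LOGIN FAILED, user=contact@example.com, ip=[::ffff:203.0.113.77]
Mar  3 10:03:00 mx imapd: LOGIN FAILED, user=me@example.com, ip=[::ffff:127.0.0.1]
Mar  3 10:03:01 mx imapd: LOGIN FAILED, user=me@example.com, ip=[::ffff:127.0.0.1]
Mar  3 10:03:02 mx imapd: LOGIN FAILED, user=me@example.com, ip=[::ffff:127.0.0.1]
Mar  3 10:03:03 mx imapd: LOGIN FAILED, user=me@example.com, ip=[::ffff:127.0.0.1]
Mar  3 10:04:00 mx imapd: LOGIN, user=me@example.com, ip=[::ffff:203.0.113.77]
EOF

mail_offenders "$SAMPLE_LOG" 3       # prints: 4 198.51.100.23
```

On a real server, pipe the result into the blocking command from section 1, for example "mail_offenders /var/log/mail.log 10 | while read -r n ip; do iptables -I INPUT -s "$ip" -j DROP; done", and pick a threshold high enough that a user who mistypes a password a few times is not locked out.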

 

4. Block an attack on webmail RoundCube

If a hacker or a malicious person tries to break into one of your email accounts through your webmail, you must look in the webmail's log and not in the IMAP server's log.
The reason is simple : the hacker connects to the webmail, and the webmail connects to the IMAP server. So the IMAP server log only contains the IP address of the webmail (127.0.0.1 or your server's address).

For the "RoundCube" webmail (a professional webmail used by OVH, LWS and other web hosts), list the lines of the "<RoundCube folder>/logs/errors" file (named "errors.log" in recent versions), by searching the "Login failed" pattern.

Code : Bash

grep "Login failed" <RoundCube folder>/logs/errors

It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the client that attempted the login. Read the reason at the end of the line before blocking : the example below failed because the webmail could not reach the IMAP server ("Connection refused"), not because of a wrong password, so this client is not necessarily a hacker. A real bruteforce shows up as many "Login failed" lines from the same address with an authentication error as the reason.

Code : Plain Text

[Day-Month-Year xx:xx:xx +0200]: <xxxxxxxx> IMAP Error: Login failed for account@domain.com from xx.xx.xx.xx. Could not connect to ssl://imap.domaine.com:993: Connection refused in <RoundCube folder>/program/lib/Roundcube/rcube_imap.php on line 198 (POST /?_task=mail&_action=refresh?_task=&_action=)

Finally, block the hacker by typing this command :

Code : Bash

iptables -I INPUT -s xx.xx.xx.xx -j DROP

 

5. Block an attack on the HTTP / HTTPS protocol - Apache

A web server can also be attacked.
Hackers target a web server for several reasons :

  1. to exploit a vulnerability in the server or in the software behind it (the example below is the Shellshock bug in Bash, CVE-2014-6271, reached through CGI scripts). This is what is called an "exploit".
  2. to find and access the administration pages hosted on the server.
  3. to make the server or a website unreachable with a DDoS attack

In the first 2 cases, you can block the hacker's IP address.
In the last case, a single firewall rule is not enough : you need a reverse proxy or upstream filtering (a hardware router such as a Cisco router, or your host's anti-DDoS service) to block or mitigate the effects of the attack.

5.1. Block malicious code injections

For this type of attack, there are two things to do :

  1. First, update the web server (Apache), the "PHP" module (which generates dynamic pages) and its extensions, so that the flaw being probed is actually closed. Blocking an IP address does not fix the vulnerability.
  2. Then, block the IP addresses of the hackers who made these attempts.

To detect these attacks, check the "/var/log/apache2/error.log" file.
Note : the "tail -n xx" command displays the last xx lines of the file given as parameter ; replace xx with the number of lines you want.

Code : Bash

tail -n xx /var/log/apache2/error.log

Exploit attempts (attacks using a flaw in a program), if any, look like this. These lines are Shellshock probes : the hacker sends the string "() { :;};" followed by a command in an HTTP header (here the Referer), hoping that Apache passes the header as an environment variable to a CGI script run by a vulnerable Bash. Here the requests were refused ("client denied by server configuration") because the CGI directories are not exposed.
Note : for safety, we have voluntarily truncated those lines.

Code : Plain Text

[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/cgi-sys, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/cgi-mod, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/cgi-bin-sdb, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/, referer: () { :;}; /bin/bash...

5.2. Block attempts to access administrative pages

Attempts to reach administration pages are easy to identify : the lines contain the default URLs of the administration pages of well-known CMS and tools.
Here are several examples of attacks received on our web server.

The website administration :

Code : Plain Text

[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/admin
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/administration

phpMyadmin that allows you to manage your MySQL database from a web interface programmed in PHP :

Code : Plain Text

[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phpMyAdmin
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phpMyAdmin-4.2.1-all-languages
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phpMyAdmin-4.2.1-english
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/pma

MySQLDumper (similar to phpMyAdmin) :

Code : Plain Text

[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/mysql
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/MySQLDumper

phpPgAdmin (similar to phpMyAdmin but for PostgreSQL) :

Code : Plain Text

[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phppgadmin

Wordpress :

Code : Plain Text

[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/wp-admin.php
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/wp-login.php

CGI scripts (cgi-bin) :

"Common Gateway Interface (CGI) is a standard method used to generate dynamic content on Web pages and Web applications. CGI, when implemented on a Web server, provides an interface between the Web server and programs that generate the Web content." (definition from Wikipedia)
Because we removed the cgi-bin alias from our Apache configuration, these requests lead nowhere and only leave traces in the log file.

Code : Plain Text

[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/cgi-bin

And many others :

Code : Plain Text

[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /ftpmanager
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /ftpmanager
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /xmlrpc.php
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: .../trackback
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /www.domaine.com.sql

For "Logwatch" users, you will see lines like these in the reports that you receive by mail :

Code : Plain Text

 --------------------- httpd Begin ------------------------
 
 A total of xx sites probed the server
    xx.xx.xx.xx
    xx.xx.xx.xx
    
 Requests with error response codes
    400 Bad Request
       /a-bad-request.html: x Time(s)
    401 Unauthorized
       /a-restricted-page.php: x Time(s)
    404 Not Found
       /a-not-found-page.html: x Time(s)
    405 Method Not Allowed
       /a-not-allowed-method.jpg: x Time(s)
    408 Request Timeout
       null: x Time(s)
    500 Internal Server Error
       /: 1 Time(s)
    501 Not Implemented
       /: x Time(s)
 
 ---------------------- httpd End -------------------------

With this information, you can easily spot the attacks described above (with the number of attempts : x Time(s)). However, the report doesn't give the hacker's IP address. To find it, search the error log as shown above.
In addition, the report lists the IP addresses that connected at least once to your server (by default : during the previous day). If you see several IP addresses with the same beginning (eg xx.xx.xx.10, xx.xx.xx.11, xx.xx.xx.12, ...), it is either a crawler (bot) or a hacker using several addresses of the same network.
To find out whether it is a crawler or a hacker, look up the IP address (or the beginning of the IP address) in the "/var/log/apache2/access.log" file and check what it requested and which User-Agent it sent.
Warning : Don't block the Google, Bing, Yahoo, Msn, ... bots, otherwise your website will disappear from the search engines. Once their bots can no longer reach your server, they will consider that the website no longer exists. If you use "Google Webmasters", "Bing - Webmaster Tools", ... you may receive a warning from them (this is the case with Google Webmasters).

Code : Bash

grep "xx.xx.xx.xx" /var/log/apache2/access.log

Finally, block the hacker by typing this command :

Code : Bash

iptables -I INPUT -s xx.xx.xx.xx -j DROP
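As an added example (not code from the original page), the script below automates the two checks of this section : web_probes reads error.log, pulls the client address out of each line and tags it when the request matches one of the probe families listed above (the Shellshock marker, database admin tools, WordPress login and xmlrpc, cgi-bin, admin directories, dumped .sql files), then prints a count per client ; user_agents shows which User-Agent strings a given address sent in access.log, the check recommended above before deciding whether an address is a crawler. The probe list, the tag names and the sample log lines are our own construction.

```shell
#!/bin/sh
# Added example: triage of /var/log/apache2/error.log and access.log.
# Assumptions (not from the page): the probe signatures and tag names below are
# our choice; the access log is in the Apache "combined" format.

# web_probes ERRORLOG : print "count ip tag[,tag...]" for clients that sent known probes
web_probes() {
    awk '
    # Apache 2.2 logs "[client 1.2.3.4]", Apache 2.4 "[client 1.2.3.4:port]"; both match here
    match($0, /\[client [0-9.]+/) {
        ip = substr($0, RSTART + 8, RLENGTH - 8)
        tag = ""
        if ($0 ~ /\(\) [{] :;[}]/)                                       tag = "shellshock"
        else if ($0 ~ /phpMyAdmin|phppgadmin|MySQLDumper|\/pma|\/mysql/) tag = "db-admin"
        else if ($0 ~ /wp-login\.php|wp-admin|xmlrpc\.php/)              tag = "wordpress"
        else if ($0 ~ /\/cgi-(bin|sys|mod)/)                             tag = "cgi"
        else if ($0 ~ /\/(admin|administration)(,|$)/)                   tag = "admin"
        else if ($0 ~ /\.sql(,|$)/)                                      tag = "db-dump"
        if (tag == "") next                  # ordinary 404s (favicon, ...) are not probes
        count[ip]++
        if (index("," tags[ip] ",", "," tag ",") == 0)
            tags[ip] = (tags[ip] == "" ? tag : tags[ip] "," tag)
    }
    END { for (ip in count) print count[ip], ip, tags[ip] }' "$1" | sort -rn
}

# user_agents IP ACCESSLOG : count the User-Agent strings IP sent
# (combined log format: the User-Agent is the 6th double-quote-delimited field)
user_agents() {
    awk -v ip="$1" -F'"' 'index($0, ip " ") == 1 { ua[$6]++ }
        END { for (u in ua) print ua[u], u }' "$2" | sort -rn
}

# Constructed sample logs (not real traffic) so the functions can be tried offline
SAMPLE_ERRLOG="$(mktemp)"; SAMPLE_ACCLOG="$(mktemp)"
trap 'rm -f "$SAMPLE_ERRLOG" "$SAMPLE_ACCLOG"' EXIT
cat > "$SAMPLE_ERRLOG" <<'EOF'
[Thu Mar 03 10:00:01 2016] [error] [client 198.51.100.9] client denied by server configuration: /var/www/cgi-sys, referer: () { :;} ;echo;/usr/local/bin/id
[Thu Mar 03 10:00:02 2016] [error] [client 198.51.100.9] client denied by server configuration: /var/www/, referer: () { :;}; /bin/bash -c id
[Thu Mar 03 10:05:00 2016] [error] [client 203.0.113.40] File does not exist: /var/www/phpMyAdmin
[Thu Mar 03 10:05:01 2016] [error] [client 203.0.113.40] File does not exist: /var/www/pma
[Thu Mar 03 10:05:02 2016] [error] [client 203.0.113.40] File does not exist: /var/www/wp-login.php
[Thu Mar 03 10:06:00 2016] [error] [client 192.0.2.15] File does not exist: /var/www/favicon.ico
[Thu Mar 03 10:07:00.123456 2016] [core:info] [pid 4321] [client 192.0.2.15:51234] AH00128: File does not exist: /var/www/cgi-bin
EOF
cat > "$SAMPLE_ACCLOG" <<'EOF'
203.0.113.40 - - [03/Mar/2016:10:05:00 +0100] "GET /phpMyAdmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
192.0.2.15 - - [03/Mar/2016:10:06:00 +0100] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
EOF

web_probes "$SAMPLE_ERRLOG"             # 3 203.0.113.40 db-admin,wordpress / 2 198.51.100.9 shellshock / 1 192.0.2.15 cgi
user_agents 192.0.2.15 "$SAMPLE_ACCLOG" # 1 Mozilla/5.0 (compatible; Googlebot/2.1; ...)
```

A User-Agent string claiming to be Googlebot or Bingbot can be forged, so before leaving such an address alone, confirm it with a reverse DNS lookup of the IP (the "host" command) followed by a forward lookup of the returned name : the name must belong to the search engine's domain and resolve back to the same IP.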

 

5.3. DDOS attacks

If a hacker launches a DDoS attack against your server, there are three possible ways to protect yourself :
- Put an Nginx server in front of it as a reverse proxy. In this case, Nginx is exposed to the Internet and your real server is reachable only through Nginx, which lets you block or absorb part of the malicious traffic. If the attack is large, this is not enough : the reverse proxy is saturated in turn.
- Filter the traffic upstream with a hardware router (like a Cisco router). This is what web hosts and companies like Google, Facebook, ... do.
- Mitigate the DDoS attack by diverting the traffic through networks with very high bandwidth that sort legitimate requests from malicious ones. The hackers are then blocked, and real visitors reach the server again without noticing this transparent detour. Example : OVH's anti-DDoS protection, see What is anti-DDoS protection ?

 

6. Block an attack on the FTP protocol - ProFTPD

To retrieve the IP addresses of hackers, check the "/var/log/proftpd/proftpd.log" file. Three kinds of failed logins appear there.

Case 1 : the hacker tries to guess the password of an existing account. Search for the "Incorrect password" pattern.

Code : Bash

grep "Incorrect password" /var/log/proftpd/proftpd.log

It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker.

Code : Plain Text

Month Day xx:xx:xx vpsxxxxxx.webhost.com proftpd[8516] your-domain.com (reverse-dns[xx.xx.xx.xx]): USER existing-account (Login failed): Incorrect password.

Case 2 : the hacker tries accounts that don't exist (he is guessing usernames). Search for the "no such user found" pattern, written in lowercase as in the log.

Code : Bash

grep "no such user found" /var/log/proftpd/proftpd.log

It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker. yy.yy.yy.yy is the IP address of your server.

Code : Plain Text

Month Day xx:xx:xx vpsxxxxxx.webhost.com proftpd[8426] your-domain.com (reverse-dns[xx.xx.xx.xx]): USER nonexistent-account: no such user found from reverse-dns [xx.xx.xx.xx] to ::ffff:yy.yy.yy.yy

Case 3 : the hacker tries to log in as root, which ProFTPD refuses by default (RootLogin off). Search for the "root login attempted" pattern.

Code : Bash

grep "root login attempted" /var/log/proftpd/proftpd.log

It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker.

Code : Plain Text

Month Day xx:xx:xx vpsxxxxxx.webhost.com proftpd[8477] your-domain.com (reverse-dns[xx.xx.xx.xx]): SECURITY VIOLATION: root login attempted.

Finally, block the hacker by typing this command :

Code : Bash

iptables -I INPUT -s xx.xx.xx.xx -j DROP
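The three cases above do not deserve the same reaction : a root login attempt is never legitimate, a run of non-existent usernames is account enumeration, while a few wrong passwords on a real account may just be a user who mistyped. As an added example (not code from the original page), the function below reads proftpd.log once, counts each class per client address and applies a per-class threshold. The thresholds and the sample log lines are our own assumptions ; tune them to your traffic.

```shell
#!/bin/sh
# Added example: per-class policy for ProFTPD login failures.
# Assumptions (not from the page): ROOT_MAX, NOUSER_MAX and BADPW_MAX are the
# number of events after which an address is marked "block" instead of "watch".

ROOT_MAX="${ROOT_MAX:-1}"       # any root attempt
NOUSER_MAX="${NOUSER_MAX:-3}"   # username guessing
BADPW_MAX="${BADPW_MAX:-10}"    # wrong password on an existing account

# ftp_verdicts LOGFILE : print "verdict ip root=N nouser=N badpw=N" per client address
ftp_verdicts() {
    awk -v rmax="$ROOT_MAX" -v nmax="$NOUSER_MAX" -v pmax="$BADPW_MAX" '
    # the client address sits in "(reverse-dns[1.2.3.4]):" right after the vhost name
    match($0, /\[[0-9.]+\]\):/) {
        ip = substr($0, RSTART + 1, RLENGTH - 4)      # drop "[" and "]):"
        if ($0 ~ /SECURITY VIOLATION: root login attempted/) root[ip]++
        else if ($0 ~ /: no such user found/)                 nouser[ip]++
        else if ($0 ~ /\(Login failed\): Incorrect password/) badpw[ip]++
        else next                                             # successful logins etc.
        seen[ip] = 1
    }
    END {
        for (ip in seen) {
            r = root[ip] + 0; n = nouser[ip] + 0; p = badpw[ip] + 0
            verdict = (r >= rmax || n >= nmax || p >= pmax) ? "block" : "watch"
            printf "%s %s root=%d nouser=%d badpw=%d\n", verdict, ip, r, n, p
        }
    }' "$1" | sort
}

# Constructed sample log (not real traffic) so the function can be tried offline
SAMPLE_FTPLOG="$(mktemp)"
trap 'rm -f "$SAMPLE_FTPLOG"' EXIT
cat > "$SAMPLE_FTPLOG" <<'EOF'
Mar  3 10:00:00 vps proftpd[8516] example.com (host-a.example.net[198.51.100.50]): USER alice (Login failed): Incorrect password.
Mar  3 10:00:10 vps proftpd[8517] example.com (host-a.example.net[198.51.100.50]): USER alice (Login failed): Incorrect password.
Mar  3 10:00:20 vps proftpd[8518] example.com (host-a.example.net[198.51.100.50]): USER alice (Login failed): Incorrect password.
Mar  3 10:00:30 vps proftpd[8519] example.com (host-a.example.net[198.51.100.50]): USER alice: Login successful.
Mar  3 10:01:00 vps proftpd[8426] example.com (host-b.example.net[203.0.113.8]): USER admin: no such user found from host-b.example.net [203.0.113.8] to ::ffff:192.0.2.10
Mar  3 10:01:01 vps proftpd[8427] example.com (host-b.example.net[203.0.113.8]): USER test: no such user found from host-b.example.net [203.0.113.8] to ::ffff:192.0.2.10
Mar  3 10:01:02 vps proftpd[8428] example.com (host-b.example.net[203.0.113.8]): USER backup: no such user found from host-b.example.net [203.0.113.8] to ::ffff:192.0.2.10
Mar  3 10:02:00 vps proftpd[8477] example.com (host-c.example.net[192.0.2.200]): SECURITY VIOLATION: root login attempted.
EOF

ftp_verdicts "$SAMPLE_FTPLOG"
# block 192.0.2.200 root=1 nouser=0 badpw=0
# block 203.0.113.8 root=0 nouser=3 badpw=0
# watch 198.51.100.50 root=0 nouser=0 badpw=3
```

Only the "block" lines need to be fed to the iptables command from section 1 ; the "watch" lines are worth a second look the next day, since a patient hacker can stay under any fixed threshold by spreading his attempts over time.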

7. Block DDoS attack with No More DDOS

To install "No More DDOS", refer to our tutorial : Debian / Ubuntu / CentOs - Block DDOS attacks with No More DDOS (formerly : DDoS Deflate)