If you have ever managed a server reachable from the Internet (a dedicated server or a VPS), you will have noticed that hackers attack it every day. Blocking a hacker is simple: block their IP address in the firewall of your server. Most of the time this works. The exception is an attack launched from a botnet: in that case a multitude of IP addresses appears in your history (logs) and you can't block the hacker behind them. If you block those IP addresses, you may block one of your own visitors whose machine is infected by a virus (a botnet client).
To protect against hackers, there are 3 steps :
To block a hacker, you need to block its IP address in the firewall on your Linux server.
For this, we will use iptables to block incoming traffic from the IP address "xx.xx.xx.xx" (where xx.xx.xx.xx is the IP address of the hacker).
Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
If the hacker uses an IP range (for example : 10.0.0.10, 10.0.0.11, 10.0.0.12, ... 10.0.0.20), simply use this command :
Bash
iptables -I INPUT -m iprange --src-range 10.0.0.10-10.0.0.20 -j DROP
If you want to block outgoing connections (your server => other servers) to an IP range, use the "--dst-range" parameter instead of "--src-range", and put the rule in the OUTPUT chain instead of INPUT : the INPUT chain only sees packets arriving at your server, while the OUTPUT chain sees the packets it sends.
Thus, your server will no longer be able to send data to this IP range.
Bash
iptables -I OUTPUT -m iprange --dst-range 10.0.0.10-10.0.0.20 -j DROP
When you secure a mail server, you enable SASL authentication on it so that nobody can use your mail server without authenticating. Users are therefore forced to authenticate through SASL in order to send mail, which prevents your server from being blacklisted by other mail servers, since hackers cannot use it to send spam.
Because a secured mail server is protected by authentication, hackers try to find the credentials of one of your email accounts with a brute-force attack. In short, they try a list of accounts such as "info@your-domain.com", "contact@your-domain.com", "webmaster@your-domain.com" ... with passwords such as "1234", "home" ... or words from a dictionary.
Of course, all these authentication attempts on your server are recorded in log files.
To list the email addresses that the hacker tried, search the "/var/log/auth.log" file for the "auth failure" pattern.
Bash
grep "auth failure" /var/log/auth.log
It will display something similar to this :
Plain Text
Month Day xx:xx:xx Server name saslauthd[xxxx]: do_auth : auth failure: [user=account@domain.com] [service=smtp] [realm=domain.com] [mech=pam] [reason=PAM auth error]
To list the IP addresses used for these attacks, search the "/var/log/mail.log" file for the "SASL LOGIN authentication failed" pattern.
Bash
grep "SASL LOGIN authentication failed" /var/log/mail.log
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the attacker.
Plain Text
Month Day xx:xx:xx Server name postfix/smtpd[xxxxx]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: authentication failure
For users of "Logwatch", you will see lines like these in the reports that you will receive by mail:
Plain Text
SASL Authentications failed xx Time(s)
   Service smtp (pam) - xx Time(s):
      Realm domain.com - xx Time(s):
         User: account@domain.com - PAM auth error - xx Time(s):
With this information, you know that a hacker tried these credentials on your server. However, the report doesn't give you the IP address needed to block them. To find it, refer to the section above.
To install and configure "Logwatch", refer to our tutorial : Debian / Ubuntu - Detect attacks made against your server with Logwatch
Finally, block the hacker by typing this command :
Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
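The grep commands above give you the raw log lines; the script below, added here as an example and not part of the original tutorial, automates the two steps of this section. It counts the Postfix SASL failures per source IP (any mechanism, LOGIN or PLAIN, not only LOGIN), then prints the iptables DROP rule for every address above a threshold. The rule is only applied when APPLY=1 is set and the script runs as root, and "iptables -C" is used first so that running it again (from cron, for instance) does not insert the same rule twice. The log lines, the IP addresses and the threshold of 3 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): count Postfix SASL
# authentication failures per source IP, then block the addresses that
# exceed a threshold with an iptables DROP rule. The rule is only applied
# when APPLY=1 is set and the script runs as root; otherwise the command
# is printed so the result can be reviewed first.
set -eu

# Constructed sample of /var/log/mail.log lines (not a real capture).
SAMPLE_MAIL_LOG='Jan 10 03:12:01 server postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 10 03:12:03 server postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jan 10 03:12:05 server postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 10 03:14:09 server postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 10 03:15:00 server postfix/smtpd[1236]: connect from unknown[192.0.2.9]'

# sasl_failures_by_ip: read mail.log lines on stdin and print "count ip",
# highest count first. Any SASL mechanism (LOGIN, PLAIN, ...) is counted.
sasl_failures_by_ip() {
  grep 'SASL .* authentication failed' \
    | sed -n 's/.*\[\([0-9.]*\)\]: SASL [A-Z-]* authentication failed.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# valid_ipv4: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
    { exit 1 }'
}

# block_ip: drop all incoming traffic from one address, exactly once.
# "iptables -C" tests whether the identical rule already exists, so running
# this script repeatedly does not pile up duplicate rules.
block_ip() {
  ip="$1"
  if ! valid_ipv4 "$ip"; then
    echo "skip: '$ip' is not an IPv4 address" >&2
    return 1
  fi
  if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -I INPUT -s "$ip" -j DROP
  else
    echo "iptables -I INPUT -s $ip -j DROP"
  fi
}

# block_repeat_offenders THRESHOLD: block every IP with at least THRESHOLD
# failures in the log read on stdin (default threshold: 3).
block_repeat_offenders() {
  threshold="${1:-3}"
  sasl_failures_by_ip | while read -r count ip; do
    if [ "$count" -ge "$threshold" ]; then
      block_ip "$ip" || true
    fi
  done
}

# Stand-alone run on the constructed sample (dry run). On a real server:
#   block_repeat_offenders 3 < /var/log/mail.log
printf '%s\n' "$SAMPLE_MAIL_LOG" | block_repeat_offenders 3
```

Without APPLY=1 the script only prints the rules, which is the mode to use first: review the list, make sure none of the addresses is your own office or a monitoring host, and only then apply it.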
When you configure a complete mail server, you install several things :
The IMAP and POP3 protocols, used to access mailboxes from an email client. When you install them, you must open the following ports to everyone : IMAP (143), IMAPS (993), POP3 (110) and POP3S (995). This lets you check your mail from any computer, smartphone, ... and from anywhere. It also lets anyone (including hackers) connect to these ports to perform a brute-force attack.
To list the IP addresses used for these attacks, search the "/var/log/mail.log" file for the "LOGIN FAILED" pattern.
Bash
grep "LOGIN FAILED" /var/log/mail.log
It will display something similar to this :
Notes :
- This file contains the history of both the POP3 server (pop3d) and the IMAP server (imapd).
- xx.xx.xx.xx is the IP address of the hacker. If a hacker tries to connect through your webmail, the IP address will be "127.0.0.1" or the IP address of your server. In that case, don't block this IP address, otherwise the webmail will be unusable.
Plain Text
Month Day xx:xx:xx Server name pop3d: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
Month Day xx:xx:xx Server name imapd: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
The same applies if the hacker connects through the SSL-secured versions of these protocols (POP3S and IMAPS) :
Plain Text
Month Day xx:xx:xx Server name pop3d-ssl: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
Month Day xx:xx:xx Server name imapd-ssl: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
For users of "Logwatch", you will see lines like these in the reports that you will receive by mail :
Plain Text
--------------------- IMAP Begin ------------------------

[IMAPd] Logout stats:
====================
User | Logouts | Downloaded | Mbox Size
--------------------------------------- | ------- | ---------- | ----------
account@domain.com | x | xxxx | x
---------------------------------------------------------------------------
 x | xxxx | x

**Unmatched Entries**
Failed to connect to socket /tmp/fam-vmail-: x Time(s)
LOGIN FAILED, method=PLAIN, ip=[::ffff:xx.xx.xx.xx]: x Time(s)
LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]: x Time(s)

---------------------- IMAP End -------------------------

--------------------- POP-3 Begin ------------------------

[POP3] Login failures:
=========================
Host (user) | #
------------------------------------------------------------- | -----------
xx.xx.xx.xx (account@domain.com) | x
---------------------------------------------------------------------------
 x

---------------------- POP-3 End -------------------------
With this information, you know the IP addresses of the hackers attacking the "POP3" or "IMAP" protocols.
Finally, block the hacker by typing this command :
Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
If a hacker or a malicious person tries to break into one of your email accounts through your webmail, you must look in the webmail log and not in the IMAP server log.
The reason is simple : the hacker connects to the webmail, and the webmail connects to the IMAP server. So the IMAP server log will only show the IP address of the webmail host.
For the "RoundCube" webmail (a professional webmail used by OVH, LWS and other web hosts), simply search the "<RoundCube folder>/logs/errors" file for the "Login failed" pattern.
Bash
grep "Login failed" <RoundCube folder>/logs/errors
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker.
Plain Text
[Day-Month-Year xx:xx:xx +0200]: <xxxxxxxx> IMAP Error: Login failed for account@domain.com from xx.xx.xx.xx. Could not connect to ssl://imap.domaine.com:993: Connection refused in <RoundCube folder>/program/lib/Roundcube/rcube_imap.php on line 198 (POST /?_task=mail&_action=refresh?_task=&_action=)
Finally, block the hacker by typing this command :
Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
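The two previous sections share one trap : a "LOGIN FAILED" line in the IMAP/POP3 log carries the address of the webmail host (127.0.0.1 or your own server) when the attempt came through RoundCube, and that address must not be blocked. The script below, added here as an example and not code from the tutorial or from the Courier or RoundCube projects, handles both logs together : it extracts the client addresses from the Courier lines (pop3d, imapd and their -ssl variants), strips the IPv4-mapped "::ffff:" prefix, drops the server's own addresses, and takes the real client addresses of webmail attempts from the RoundCube errors log instead. The log lines, the addresses and the server IP 203.0.113.9 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pull the client addresses
# out of Courier "LOGIN FAILED" lines, strip the IPv4-mapped "::ffff:"
# prefix, and ignore the server's own addresses, because a failure that came
# through the webmail shows the webmail host's IP in the IMAP/POP3 log. For
# those attempts the real client address is read from the RoundCube errors
# log instead.
set -eu

# Addresses that must never be blocked: the server itself and loopback.
# 203.0.113.9 is a constructed placeholder for your server's own IP.
SERVER_IPS="${SERVER_IPS:-203.0.113.9 127.0.0.1 ::1}"

# Constructed sample of /var/log/mail.log lines written by Courier.
SAMPLE_COURIER_LOG='Jan 11 02:00:01 server imapd: LOGIN FAILED, user=info@example.com, ip=[::ffff:198.51.100.20]
Jan 11 02:00:02 server pop3d-ssl: LOGIN FAILED, user=info@example.com, ip=[::ffff:198.51.100.20]
Jan 11 02:00:05 server imapd-ssl: LOGIN FAILED, user=contact@example.com, ip=[::ffff:127.0.0.1]
Jan 11 02:00:06 server imapd: LOGIN FAILED, method=PLAIN, ip=[::ffff:203.0.113.9]
Jan 11 02:00:07 server imapd: LOGIN, user=info@example.com, ip=[::ffff:192.0.2.4], protocol=IMAP'

# Constructed sample of <RoundCube folder>/logs/errors.
SAMPLE_ROUNDCUBE_LOG='[11-Jan-2016 02:00:05 +0200]: <abcdef12> IMAP Error: Login failed for contact@example.com from 192.0.2.77. Could not connect to ssl://imap.example.com:993: Connection refused in /var/www/roundcube/program/lib/Roundcube/rcube_imap.php on line 198 (POST /?_task=login&_action=login)'

# courier_failed_ips: stdin = Courier log lines; prints "count ip" for
# LOGIN FAILED entries, "::ffff:" removed, server addresses left out.
courier_failed_ips() {
  grep 'LOGIN FAILED' \
    | sed -n 's/.*ip=\[\([^]]*\)\].*/\1/p' \
    | sed 's/^::ffff://' \
    | sort | uniq -c | sort -rn \
    | awk -v skip="$SERVER_IPS" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) own[s[i]] = 1 }
        !($2 in own) { print $1, $2 }'
}

# webmail_failed_ips: stdin = RoundCube errors log; prints "count ip" from
# "Login failed for <user> from <ip>." entries, i.e. the client addresses
# that the IMAP log cannot show.
webmail_failed_ips() {
  grep 'Login failed' \
    | sed -n 's/.*Login failed for [^ ]* from \([0-9.]*\)\..*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# report COURIER_LOG ROUNDCUBE_LOG: one line per attacking address with the
# path it used ("direct" = spoke to IMAP/POP3, "webmail" = via RoundCube).
report() {
  courier_failed_ips < "$1" | awk '{ print $1, $2, "direct" }'
  webmail_failed_ips < "$2" | awk '{ print $1, $2, "webmail" }'
}

# Stand-alone run on the constructed samples. On a real server:
#   report /var/log/mail.log "<RoundCube folder>/logs/errors"
c_tmp=$(mktemp); r_tmp=$(mktemp)
printf '%s\n' "$SAMPLE_COURIER_LOG" > "$c_tmp"
printf '%s\n' "$SAMPLE_ROUNDCUBE_LOG" > "$r_tmp"
report "$c_tmp" "$r_tmp"
rm -f "$c_tmp" "$r_tmp"
```

On the sample, the two failures from 127.0.0.1 and 203.0.113.9 disappear from the Courier list and the RoundCube log reveals that the webmail attempt actually came from 192.0.2.77; set SERVER_IPS to your own server's addresses before using it.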
A web server can also be attacked.
Hackers attack a web server for several reasons :
In the first 2 cases, it's possible to block the hacker's attacks.
In the last case, you must use a reverse proxy or a hardware router (such as a Cisco router) to be able to block or mitigate the effects of the DDoS attack.
For this type of attack, there are two operations to be performed :
To detect these attacks, just check the "/var/log/apache2/error.log" file.
Note : the "tail" command displays the last xx lines of the file given as a parameter.
Bash
tail -n xx /var/log/apache2/error.log
Attacks by "exploits" (attempts to use a flaw in a program), if any, look like this :
Note : for safety, we have voluntarily truncated those lines.
Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/cgi-sys, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/cgi-mod, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/cgi-bin-sdb, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/, referer: () { :;}; /bin/bash...
The attempts to access administrative pages are easy to identify.
These lines always contain the default paths of the CMS administration pages.
Here are several examples of attacks received on our web server.
The website administration pages :
Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/admin
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/administration
phpMyAdmin, which allows you to manage your MySQL database from a web interface written in PHP :
Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phpMyAdmin
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phpMyAdmin-4.2.1-all-languages
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phpMyAdmin-4.2.1-english
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/pma
MySQLDumper (similar to phpMyAdmin) :
Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/mysql
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/MySQLDumper
phpPgAdmin (similar to phpMyAdmin but for PostgreSQL) :
Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phppgadmin
WordPress :
Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/wp-admin.php
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/wp-login.php
Common Gateway Interface (CGI) is a standard method used to generate dynamic content on Web pages and Web applications. CGI, when implemented on a Web server, provides an interface between the Web server and programs that generate the Web content.
Definition from Wikipedia.
Because we have removed this alias, these attacks are useless and only leave traces in the log file.
Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/cgi-bin
And many others :
Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /ftpmanager
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /ftpmanager
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /xmlrpc.php
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: .../trackback
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /www.domaine.com.sql
For "Logwatch" users, you will see lines like these in the reports that you receive by mail :
Plain Text
--------------------- httpd Begin ------------------------

A total of xx sites probed the server
   xx.xx.xx.xx
   xx.xx.xx.xx

Requests with error response codes
   400 Bad Request
      /a-bad-request.html: x Time(s)
   401 Unauthorized
      /a-restricted-page.php: x Time(s)
   404 Not Found
      /a-not-found-page.html: x Time(s)
   405 Method Not Allowed
      /a-not-allowed-method.jpg: x Time(s)
   408 Request Timeout
      null: x Time(s)
   500 Internal Server Error
      /: 1 Time(s)
   501 Not Implemented
      /: x Time(s)

---------------------- httpd End -------------------------
With this information, you can easily spot the attacks described above (together with their number of attempts : x Time(s)). However, the report doesn't give you the hacker's IP address to block. To find it, refer to the section above.
In addition, the report lists the IP addresses that connected to your server at least once (by default : during the previous day). If you see several IP addresses with the same beginning (e.g. xx.xx.xx.10, xx.xx.xx.11, xx.xx.xx.12, ...), it is either a crawler (bot) or a hacker using several IP addresses from the same network.
To tell whether it is a crawler or a hacker, search for the IP address (or the beginning of the IP address) in the "/var/log/apache2/access.log" file.
Warning : don't block the Google, Bing, Yahoo, MSN, ... bots, otherwise your website will disappear from search engines. Since the Google bots and the others would no longer have access to your server, they would consider that the website no longer exists. If you use the "Google Webmasters", "Bing - Webmaster Tools", ... tools, you may receive a warning from them (this is the case for Google Webmasters).
Bash
grep "xx.xx.xx.xx" /var/log/apache2/access.log
Finally, block the hacker by typing this command :
Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
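The section above combines three manual steps : find the probing IPs in error.log, look each one up in access.log to make sure it is not a search-engine bot, and notice when several addresses come from the same network. The script below, added here as an example and not code from the tutorial, does the same on constructed samples of both logs : it extracts the client IPs that hit the administration paths listed in this section, flags the ones whose requests in access.log carry a crawler user agent (to be verified with a reverse DNS lookup rather than blocked), and groups the remaining IPs that share their first three octets into one "--src-range" rule, printing the iptables commands as a dry run. The paths come from this section; the log lines, addresses and user agents are constructed, and the Apache 2.4 "[client IP:port]" form is handled as an assumption.

```shell
#!/bin/sh
# Added example (not from the original tutorial): find the client IPs that
# probe well-known administration paths in the Apache error log, check in
# the access log whether an IP presents itself as a search-engine crawler
# (those must be verified, not blocked blindly), and group the remaining
# probing IPs that share their first three octets into one iptables
# --src-range rule instead of one rule per address.
set -eu

# Constructed sample of /var/log/apache2/error.log (Apache 2.2 format).
SAMPLE_ERROR_LOG='[Sun Jan 10 03:00:01 2016] [error] [client 203.0.113.10] File does not exist: /var/www/phpMyAdmin
[Sun Jan 10 03:00:02 2016] [error] [client 203.0.113.11] File does not exist: /var/www/pma
[Sun Jan 10 03:00:03 2016] [error] [client 203.0.113.12] File does not exist: /var/www/wp-login.php
[Sun Jan 10 03:00:04 2016] [error] [client 198.51.100.3] client denied by server configuration: /var/www/admin
[Sun Jan 10 03:00:05 2016] [error] [client 192.0.2.50] File does not exist: /var/www/wp-admin.php
[Sun Jan 10 03:00:06 2016] [error] [client 192.0.2.60] File does not exist: /var/www/favicon.ico'

# Constructed sample of /var/log/apache2/access.log (combined format).
SAMPLE_ACCESS_LOG='192.0.2.50 - - [10/Jan/2016:03:00:05 +0100] "GET /wp-admin.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [10/Jan/2016:03:00:01 +0100] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Jan/2016:03:00:04 +0100] "GET /admin HTTP/1.1" 403 209 "-" "Mozilla/5.0"'

# Paths from the tutorial's examples; extend the list for your own CMS.
PROBE_PATHS='/(admin|administration|phpMyAdmin[^ ]*|pma|mysql|MySQLDumper|phppgadmin|wp-admin\.php|wp-login\.php|cgi-bin|xmlrpc\.php|ftpmanager)$'
# User-agent fragments of the crawlers the tutorial says not to block.
CRAWLER_UA='Googlebot|bingbot|Slurp|msnbot'

# probe_ips: stdin = error log; prints each IP that hit a probe path, once.
# The client field is "[client IP]" (Apache 2.2) or "[client IP:port]" (2.4).
probe_ips() {
  grep -E "(client denied by server configuration|File does not exist): .*$PROBE_PATHS" \
    | sed -n 's/.*\[client \([0-9.]*\)[]:].*/\1/p' | sort -u
}

# looks_like_crawler IP ACCESS_LOG: succeed if any request from IP carries a
# known crawler user agent. That is only a claim: confirm with a reverse DNS
# lookup of the IP before trusting it, since anyone can send that string.
looks_like_crawler() {
  ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  grep -E "^$ip_re " "$2" | grep -qE "$CRAWLER_UA"
}

# classify ERROR_LOG ACCESS_LOG: prints "ip verdict", the verdict being
# "crawler?" (verify before touching) or "probe".
classify() {
  probe_ips < "$1" | while read -r ip; do
    if looks_like_crawler "$ip" "$2"; then
      echo "$ip crawler?"
    else
      echo "$ip probe"
    fi
  done
}

# suggest_ranges: stdin = one IP per line; prints "a.b.c.lo-a.b.c.hi" for
# each /24 that holds two or more IPs, and the bare IP for singletons.
suggest_ranges() {
  awk -F. '
    { k = $1 "." $2 "." $3; o = $4 + 0; n[k]++
      if (!(k in lo) || o < lo[k]) lo[k] = o
      if (!(k in hi) || o > hi[k]) hi[k] = o }
    END { for (k in n) { r = (n[k] > 1) ? k "." lo[k] "-" k "." hi[k] : k "." lo[k]; print r } }' | sort
}

# rules_for: stdin = suggest_ranges output; prints the matching iptables
# commands (dry run: nothing is applied here).
rules_for() {
  awk '/-/ { print "iptables -I INPUT -m iprange --src-range " $1 " -j DROP"; next }
           { print "iptables -I INPUT -s " $1 " -j DROP" }'
}

# Stand-alone run on the constructed samples. On a real server:
#   classify /var/log/apache2/error.log /var/log/apache2/access.log
e_tmp=$(mktemp); a_tmp=$(mktemp)
printf '%s\n' "$SAMPLE_ERROR_LOG" > "$e_tmp"
printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$a_tmp"
classify "$e_tmp" "$a_tmp"
classify "$e_tmp" "$a_tmp" | awk '$2 == "probe" { print $1 }' | suggest_ranges | rules_for
rm -f "$e_tmp" "$a_tmp"
```

On the sample, 192.0.2.50 is reported as "crawler?" because its request carried a Googlebot user agent, 192.0.2.60 never appears (favicon.ico is not a probe path), and the three 203.0.113.x addresses collapse into a single "--src-range 203.0.113.10-203.0.113.12" rule.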
If a hacker launches a DDoS attack against your server, there are three possible ways to protect yourself :
- Use an Nginx server as a reverse proxy. In this case, Nginx is reachable from the Internet but your actual server is reachable only from the Nginx server, so it is possible to block or mitigate the effects of a DDoS attack launched against your server. If the DDoS attack is too large, this solution will not be enough.
- Use a hardware router (such as a Cisco router) to be able to block the DDoS attack. This is the solution used by web hosts and companies like Google, Facebook, ...
- Mitigate the DDoS attack by redirecting the traffic through networks with very high bandwidth, which sort out which requests are legitimate and which are not. The hackers are then blocked, and the real visitors reach the server again without this transparent redirection. Example : OVH's anti-DDoS protection : What is anti-DDoS protection ?
To retrieve the IP addresses of hackers, just check the "/var/log/proftpd/proftpd.log" file. Three cases are possible.
First case : the hacker tries to find the password of an existing account. In this case, search for the "Incorrect password" pattern.
Bash
grep "Incorrect password" /var/log/proftpd/proftpd.log
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker.
Plain Text
Month Day xx:xx:xx vpsxxxxxx.webhost.com proftpd[8516] your-domain.com (reverse-dns[xx.xx.xx.xx]): USER existing-account (Login failed): Incorrect password.
Second case : the hacker tries to find the password of an account that doesn't exist. In this case, search for the "no such user found" pattern.
Bash
grep "no such user found" /var/log/proftpd/proftpd.log
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker. yy.yy.yy.yy is the IP address of your server.
Plain Text
Month Day xx:xx:xx vpsxxxxxx.webhost.com proftpd[8426] your-domain.com (reverse-dns[xx.xx.xx.xx]): USER nonexistent-account: no such user found from reverse-dns [xx.xx.xx.xx] to ::ffff:yy.yy.yy.yy
Third case : the hacker tries to log in as root. In this case, search for the "root login attempted" pattern.
Bash
grep "root login attempted" /var/log/proftpd/proftpd.log
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker.
Plain Text
Month Day xx:xx:xx vpsxxxxxx.webhost.com proftpd[8477] your-domain.com (reverse-dns[xx.xx.xx.xx]): SECURITY VIOLATION: root login attempted.
Finally, block the hacker by typing this command :
Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
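The three grep commands above each answer one question; an attacker usually produces all three kinds of lines while cycling through account names. The script below, added here as an example and not code from the tutorial or from ProFTPD, reads the log once and prints, per client IP, how many failures fall into each case (wrong password, unknown user, root login attempt) and the total, then lists the addresses whose total reaches a threshold so they can be blocked with the command above. The log lines, host names and addresses are constructed; the client IP is taken from the first "[a.b.c.d]):" on each line, which is where the page's own log lines place it.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise ProFTPD login
# failures per client IP and per reason (wrong password, unknown user, root
# login attempt) so that an address that cycles through account names
# stands out, then list the addresses that exceed a threshold.
set -eu

# Constructed sample of /var/log/proftpd/proftpd.log (not a real capture).
SAMPLE_PROFTPD_LOG='Jan 12 04:00:01 vps.example.net proftpd[8516] example.com (host.example[203.0.113.40]): USER ftpuser (Login failed): Incorrect password.
Jan 12 04:00:02 vps.example.net proftpd[8426] example.com (host.example[203.0.113.40]): USER admin: no such user found from host.example [203.0.113.40] to ::ffff:198.51.100.1
Jan 12 04:00:03 vps.example.net proftpd[8477] example.com (host.example[203.0.113.40]): SECURITY VIOLATION: root login attempted.
Jan 12 04:00:04 vps.example.net proftpd[8490] example.com (other.example[192.0.2.8]): USER ftpuser (Login failed): Incorrect password.
Jan 12 04:00:05 vps.example.net proftpd[8491] example.com (other.example[192.0.2.8]): USER ftpuser: Login successful.'

# ftp_failure_summary: stdin = proftpd log; prints
#   "ip wrong_password unknown_user root_attempts total"
# per client IP, largest total first. The client IP is the bracketed
# address right after the reverse-DNS name, i.e. the first "[a.b.c.d]):".
ftp_failure_summary() {
  awk '
    /Incorrect password|no such user found|root login attempted/ {
      if (!match($0, /\[[0-9.]+\][)]:/)) next
      ip = substr($0, RSTART + 1, RLENGTH - 4)
      if ($0 ~ /Incorrect password/)        pw[ip]++
      else if ($0 ~ /no such user found/)   nouser[ip]++
      else                                  root[ip]++
      total[ip]++
    }
    END {
      for (ip in total)
        printf "%s %d %d %d %d\n", ip, pw[ip], nouser[ip], root[ip], total[ip]
    }' | sort -k5,5rn
}

# ftp_block_candidates THRESHOLD: IPs whose total failures reach THRESHOLD
# (default 3); feed each one to "iptables -I INPUT -s <ip> -j DROP".
ftp_block_candidates() {
  ftp_failure_summary | awk -v t="${1:-3}" '$5 >= t { print $1 }'
}

# Stand-alone run on the constructed sample. On a real server:
#   ftp_failure_summary < /var/log/proftpd/proftpd.log
printf '%s\n' "$SAMPLE_PROFTPD_LOG" | ftp_failure_summary
printf '%s\n' "$SAMPLE_PROFTPD_LOG" | ftp_block_candidates 3
```

On the sample, 203.0.113.40 shows one failure of each kind (total 3) and is the only candidate at the default threshold, while 192.0.2.8, one wrong password followed by a successful login, stays below it.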
To install "No More DDOS", refer to our tutorial : Debian / Ubuntu / CentOs - Block DDOS attacks with No More DDOS (formerly : DDoS Deflate)
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.