Hello,
Here's some information that those of you using your VPSes to handle
email may be interested in:
https://github.com/antibodyMX/communicado
If you're not interested in receiving such emails from Communicado
then the information there should help you, and please do consider
contributing to the effort if you're able.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Hi,
As you may be aware, massive distributed denial of service attacks
have been mounted over the last couple of weeks by sending forged
administrative queries to public NTP servers.
A favourite query in use is "monlist", which results in a constant
stream of data being returned from the NTP server to the victim
host.
While we have no evidence that any BitFolk VPS has so far been used
in such an attack, we are going to take some pre-emptive action to
minimise the risk.
As there is no need to allow these administrative queries from the
entire Internet, we now require these to be disabled by default and
only allowed from specified trusted hosts. This has always been the
configuration provided to you on provisioning of your VPS, so only
those who have changed their ntpd configuration would have
re-enabled administrative queries.
Disabling administrative queries is normally achieved by using the
"noquery" option in the "restrict" lines. This setting does not
disallow time synchronisation.
For more information please see:
https://tools.bitfolk.com/wiki/Securing_NTP
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
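As an added example (not code from the BitFolk wiki page linked above), a small Python audit of an ntp.conf: it reports any default "restrict" line that still lacks noquery (or ignore), and separately lists the non-loopback hosts that are deliberately left able to query; both sample configs are constructed.

```python
# Added example: flag ntp.conf 'restrict' lines that still answer admin queries such as monlist.
LOOPBACK = {"127.0.0.1", "::1"}   # treated as a trusted local-admin exception

def parse_restrict(line):
    """Return (address, flags) for a 'restrict' line, or None for any other line."""
    tokens = line.split("#", 1)[0].split()          # drop trailing comments
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    if tokens[0] in ("-4", "-6"):                   # optional address-family flag
        tokens = tokens[1:]
    if not tokens:
        return None
    address, rest = tokens[0], tokens[1:]
    if rest[:1] == ["mask"]:                        # 'mask 255.255.255.0' carries an argument
        rest = rest[2:]
    return address, set(rest)

def audit(conf_text):
    """Classify restrict lines: 'noquery' blocks ntpq/ntpdc queries (monlist included),
    'ignore' blocks everything, so either one closes the amplification vector."""
    result = {"open_default": [], "query_allowed_hosts": []}
    for raw in conf_text.splitlines():
        line = raw.strip()
        parsed = parse_restrict(line)
        if parsed is None:
            continue
        address, flags = parsed
        if flags & {"noquery", "ignore"} or address in LOOPBACK:
            continue
        if address == "default":
            result["open_default"].append(line)      # the whole Internet may query
        else:
            result["query_allowed_hosts"].append(address)   # deliberate trusted exception
    return result

# Constructed sample configs: the first re-enables queries for everyone, the
# second is the provisioned shape (default restricted, one named trusted host).
WEAK_CONF = """\
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap   # trusted monitoring host
"""
```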
Hi,
Unfortunately due to what looks like a kernel bug, sol.bitfolk.com
has got stuck in a state where VPSes cannot be booted. I therefore
need to reboot it as a matter of urgency, so those with VPSes hosted
on sol are shortly going to see a clean shutdown and boot.
I apologise for the disruption and I hope to be able to give more
information later. I will follow up again when all customer VPSes
are known to have booted.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Hi all,
Have a strange attack happening to one of my domains, on the web
server. It is a small privatish phpBB forum with nothing exciting,
interesting or valuable going on at all. And it is the only one
attacked out of a handful of web sites on the server.
The site has had a lot of incorrect requests to the server since
before Christmas. I get POST requests in the region of two per second.
There's nothing in the POST request and it is to the root of the
domain. Like this:
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
The 301 response is something I set up when I discovered this. There
should be no POST requests to /, so I do a 301 permanent redirect back
to the client's own IP address. But that seems to have had no effect
at all. The requests are still constantly coming in.
I have set up a filter in fail2ban for anyone POSTing to '/' so they
should be completely banned (using action 'iptables-allports'). But
due to the sheer amount of different addresses attacking it seems to
have little effect. Plus the fact I quite often see this in the
fail2ban log:
2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned
So it seems that despite being banned they can still send a request to
the Apache server? Not sure why; iptables -L seems to list an
awful lot of IP addresses and domain names. So the fail2ban filter is
working as it should with setting up rules in iptables.
At the same time, postfix is getting a large number of requests on
port 25 too:
Dec 30 23:54:45 bitfolk postfix/smtpd[14601]: connect from unknown[180.67.178.14]
Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: lost connection after UNKNOWN from unknown[76.2.133.225]
Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: disconnect from unknown[76.2.133.225]
Dec 30 23:54:48 bitfolk postfix/smtpd[27968]: connect from unknown[24.151.82.226]
Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: lost connection after UNKNOWN from unknown[173.220.57.214]
Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: disconnect from unknown[173.220.57.214]
Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: lost connection after UNKNOWN from unknown[72.135.3.145]
Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: disconnect from unknown[72.135.3.145]
Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: lost connection after UNKNOWN from unknown[173.246.215.147]
Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: disconnect from unknown[173.246.215.147]
Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: lost connection after UNKNOWN from unknown[180.67.178.14]
Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: disconnect from unknown[180.67.178.14]
And in the mail.warn log:
Dec 30 23:10:15 bitfolk postfix/smtpd[19391]: warning: non-SMTP command from unknown[96.38.26.186]: UY:l??????????z??????\?
Dec 30 23:11:22 bitfolk postfix/smtpd[17880]: warning: non-SMTP command from unknown[181.67.172.79]: U:??[6?
Dec 30 23:14:46 bitfolk postfix/smtpd[19522]: warning: non-SMTP command from unknown[24.39.251.34]: @:??>T^R^?d???&U?V<??;W?p4?Gf#???t????,???E?
Dec 30 23:16:57 bitfolk postfix/smtpd[24688]: warning: non-SMTP command from unknown[72.181.54.101]: gu:?R?M????
I can only conclude this is sent to the same domain name as is
attacked on port 80...
Now I am worried all this will consume my bandwidth allowance (as
well as eating into system resources of course), and I have run out of ideas on how
to stop this. Any suggestions are most welcome!
Thanks,
__
/ony
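As an added example (not part of the post above), a Python summary of the flood from the Apache log lines quoted in it: it parses the combined log format, matches the empty POST-to-root signature, and estimates how many of those requests a fail2ban-style per-IP ban (maxretry hits before banning) would actually have stopped; SAMPLE_LOG is copied from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Access-log lines copied from the post above (13 requests from 12 source addresses)
SAMPLE_LOG = """\
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# Apache combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one access-log line into a dict (timestamp as a datetime), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def is_flood_hit(entry):
    """The signature described in the post: a POST to '/' with no referer."""
    return entry["method"] == "POST" and entry["path"] == "/" and entry["referer"] == "-"

def summarise(log_text, maxretry=1):
    """Count flood hits per source and estimate how many a per-IP ban would stop
    (maxretry mirrors fail2ban: a source is banned only after that many hits)."""
    hits = [e for e in map(parse_line, log_text.splitlines()) if e and is_flood_hit(e)]
    per_ip = Counter(e["ip"] for e in hits)
    times = [e["ts"] for e in hits]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {"requests": len(hits), "distinct_sources": len(per_ip),
            "span_seconds": span,
            "rate_per_second": len(hits) / span if span else float(len(hits)),
            "stopped_by_per_ip_ban": sum(max(0, n - maxretry) for n in per_ip.values())}
```

On the quoted sample only one of thirteen requests comes from a repeat source, which is why banning individual addresses barely dents the traffic.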
Hi,
I'd like to revisit a topic that has never really been resolved -
what to do when someone goes past the limit of their backup space.
When I say backups I'm talking about the backups service as
described here:
https://bitfolk.com/customer_information.html#toc_2_Local_backups
It's by no means an awesome service - I recognise that everyone has
their own preferred methods of doing backups and there's no way to
please everyone - but it is taken advantage of by 38 people at
present.
The way it works currently with regard to disk usage is:
- A backup job runs
- Disk usage is calculated and the usage is recorded in a database
- Nagios sends warnings when that usage goes above 95%, sends
critical alerts if it goes above 100%
- Backups keep on running anyway
- Both I and the customer see those Nagios alerts
So, let's say someone goes above 100% usage. Here's what I tend to
do:
- Leave it for a bit to see if the usage starts going down. If it
does then it will probably go below 100% again as the customer
fixed whatever got backed up that shouldn't
- If it keeps going upwards or is so far beyond 100% that it would
take ages to drop, then I open a ticket with the customer asking
them what they want to do.
- Most of the time I get no reply, so assuming the overage is only
small I wait a week or two before asking them to respond.
- Eventually I do get a response and it will usually be a request
for one of two things:
a. Buy more disk space for backups, or
b. Go into the backups and delete every instance of some directory
that should never have been backed up
I really, really dislike doing (b) because I don't want to mess
about in customer files, I might make a mistake, I might see things
I don't want to see, etc. But I will do it if the customer insists.
As you can probably see, all of this is quite a hassle to resolve.
Basically I don't want to be sending emails and deleting files by
hand.
I can think of a couple of ways to reduce the hassle, and I was
wondering if any of you who currently take advantage of the backups
have any thoughts on this:
1. I could stop providing the local backups service.
38 people isn't a huge amount, and it probably won't be a big
hardship to find other backup strategies. Most other solutions
are quite complex and in these days of "unlimited backup space"
that many services offer, maybe I should just not bother?
2. When the customer goes over 100% I could automatically add disk
space to cover the usage, and invoice them.
2a. Like (2) but just leave it a couple of weeks before doing that,
to give them a chance to fix it first.
3. Something else?
What are your thoughts on (2)? Or any further suggestions?
Would you need any modification to the alerting settings before this
would be acceptable?
Note that although "just suspend the customer's backups as soon as
they go past 100%" initially sounds like a good idea, it may not be
as it prevents the customer from removing whatever it was they
backed up that they didn't mean to, i.e. fixing it themselves.
Would (2) be more workable if there was some mechanism for the
customer to go in and delete stuff from the backups in the space of
time they have before they will actually get invoiced?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"I am the permanent milk monitor of all hobbies!" — Simon Quinlank
Hi,
Our colo provider had scheduled some routine maintenance for this
evening which was supposed to be non-disruptive, but it appears that
something went wrong and so as of about 2331 there have been
intermittent network issues.
They are aware of it and are busy working on it. I will follow up
again when there is more info and/or resolution.
Apologies for the disruption.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
As is now customary, we should do Christmas drinks in London in
December. If you'd be up for that please help pick a date:
http://doodle.com/pikxiyyyknydnaay
Everyone welcome, partners too.
I'll give it about a week and then I'll try to book a table on the
most popular date at The Phoenix:
http://www.phoenixcavendishsquare.co.uk/
If that doesn't work out then I'll try places we've tried before
(The Cask, De Hems, The Horse).
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
For all those slackers who were waiting for the option, there is an
updated document in the wiki.
https://tools.bitfolk.com/wiki/Installing_Slackware_14.1
It shows how to install Slackware 14.1 (32-bit) onto a BitFolk VPS. It
uses a simplified partition format (ext3) and hopefully a greatly
simplified procedure (originally based on
https://tools.bitfolk.com/wiki/Installing_Slackware - many thanks for
the good work there.)
It isn't supported by BitFolk, but at least it works (tested on my own VPS).
regards, Tim