Realised, the second after I pressed the send button, that the answer to
the ban issue is that those attacks are on IPv6.
root@bitfolk:/etc/fail2ban# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 1 85.119.82.79:80 121.168.45.218:1446 FIN_WAIT1
tcp6 0 1 85.119.82.79:80 24.186.158.213:61301 FIN_WAIT1
tcp6 0 1 85.119.82.79:80 67.180.245.251:17277 FIN_WAIT1
tcp6 0 1 85.119.82.79:80 71.218.243.152:25311 FIN_WAIT1
Now I have to figure out how to turn IPv6 off on the VPS then...
__
/ony
-------
Tuesday, December 31, 2013, 12:11:34 AM, Tony wrote:
> Hi all,
> Have a strange attack happening to one of my domains, on the web
> server. It is a small privatish phpBB forum with nothing exciting,
> interesting or valuable going on at all. And it is the only one
> attacked out of a handful of web sites on the server.
> The site has had a lot of incorrect requests to the server since
> before Christmas. I get POST requests in the region of two per second.
> There's nothing in the POST request and it is to the root of the
> domain. Like this:
> 184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> The 301 response is something I set up when I discovered this. There
> should be no POST requests to /, so I do a 301 permanent redirect back
> to the client's own IP address. But that seems to have had no effect
> at all. The requests are still constantly coming in.
> I have set up a filter in fail2ban for anyone POSTing to '/' so they
> should be completely banned (using action 'iptables-allports'). But
> due to the sheer amount of different addresses attacking it seems to
> have little effect. Plus the fact I quite often see this in the
> fail2ban log:
> 2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned
> So it seems that despite being banned they can still send a request to
> the Apache server? Not sure why; iptables -L seems to list an
> awful lot of IP addresses and domain names, so the fail2ban filter is
> working as it should with setting up rules in iptables.
> At the same time, postfix is getting a large amount of requests on
> port 25 too:
> Dec 30 23:54:45 bitfolk postfix/smtpd[14601]: connect from unknown[180.67.178.14]
> Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: lost connection after UNKNOWN from unknown[76.2.133.225]
> Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: disconnect from unknown[76.2.133.225]
> Dec 30 23:54:48 bitfolk postfix/smtpd[27968]: connect from unknown[24.151.82.226]
> Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: lost connection after UNKNOWN from unknown[173.220.57.214]
> Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: disconnect from unknown[173.220.57.214]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: lost connection after UNKNOWN from unknown[72.135.3.145]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: disconnect from unknown[72.135.3.145]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: lost connection after UNKNOWN from unknown[173.246.215.147]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: disconnect from unknown[173.246.215.147]
> Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: lost connection after UNKNOWN from unknown[180.67.178.14]
> Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: disconnect from unknown[180.67.178.14]
> And in the mail.warn log:
> Dec 30 23:10:15 bitfolk postfix/smtpd[19391]: warning: non-SMTP command from unknown[96.38.26.186]: UY:l??????????z??????\?
> Dec 30 23:11:22 bitfolk postfix/smtpd[17880]: warning: non-SMTP command from unknown[181.67.172.79]: U:??[6?
> Dec 30 23:14:46 bitfolk postfix/smtpd[19522]: warning: non-SMTP command from unknown[24.39.251.34]: @:??>T^R^?d???&U?V<??;W?p4?Gf#???t????,???E?
> Dec 30 23:16:57 bitfolk postfix/smtpd[24688]: warning: non-SMTP command from unknown[72.181.54.101]: gu:?R?M????
> I can only conclude this is sent to the same domain name as is
> attacked on port 80...
> Now I am worried all this will consume my bandwidth allowance (as
> well as eating into system resources, of course), and I have run out of
> ideas on how to stop this. Any suggestions are most welcome!
> Thanks,
> __
> /ony
>
> _______________________________________________
> users mailing list
> users@lists.bitfolk.com
> https://lists.bitfolk.com/mailman/listinfo/users
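Added example (editor's code, not from the thread and not fail2ban's own code): a Python replay of the [http-ddos] filter over the quoted access-log lines, plus a check of the address family of each foreign address in the netstat output. The failregex is written the way a fail2ban filter.d file would express it, with a plain dotted-quad group standing in for fail2ban's own <HOST> substitution; the file name http-ddos.conf is assumed from the jail name in the log. The sample data is constructed: the quoted log lines are re-typed, two harmless 10.0.0.x requests and two IPv6 netstat rows are invented so that both the non-matching and the IPv6 branches are exercised.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log: the 184.57.181.141, 108.205.136.80 and
# 68.118.233.245 entries are re-typed from the quoted access log; the two
# 10.0.0.x lines are invented legitimate traffic (a GET and a phpBB reply
# POST) that must NOT match the filter.
ACCESS_LOG = """\
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.5 - - [30/Dec/2013:23:32:26 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.6 - - [30/Dec/2013:23:32:36 +0000] "POST /posting.php?mode=reply&f=2&t=9 HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

# Equivalent of a filter.d/http-ddos.conf failregex (file name assumed from
# the [http-ddos] jail in the fail2ban log). Real fail2ban substitutes <HOST>
# with its own host pattern; a plain dotted-quad group stands in for it here.
FAILREGEX = r'^<HOST> - - \[[^\]]+\] "POST / HTTP/1\.[01]" '
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', HOST))


def simulate_jail(log_text, maxretry=1):
    """Replay log lines through the filter the way a jail would.

    Returns (banned, already_banned): the addresses banned, in order, and
    every later match from an address that is already in the ban list,
    which is the case fail2ban reports as "<ip> already banned".
    """
    counts = Counter()
    banned = []
    already_banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = m.group('host')
        counts[ip] += 1
        if ip in banned:
            already_banned.append(ip)
        elif counts[ip] >= maxretry:
            banned.append(ip)
    return banned, already_banned


# Constructed netstat -n excerpt: the first two rows are from Tony's output
# (whitespace restored); the last two are invented to show a genuine IPv6 peer
# and an explicitly IPv4-mapped one, as `ss` prints them.
NETSTAT = """\
tcp6       0      1 85.119.82.79:80         121.168.45.218:1446     FIN_WAIT1
tcp6       0      1 85.119.82.79:80         24.186.158.213:61301    FIN_WAIT1
tcp6       0      0 2001:db8::1:80          2001:db8:ffff::2:40000  ESTABLISHED
tcp6       0      0 ::ffff:85.119.82.79:80  ::ffff:10.0.0.9:51000   ESTABLISHED
"""


def peer_families(netstat_text):
    """Classify each foreign address by the address family of the literal."""
    families = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith('tcp'):
            continue
        foreign = fields[4]
        host, _, _port = foreign.rpartition(':')  # port follows the last colon
        addr = ipaddress.ip_address(host)
        if addr.version == 6 and addr.ipv4_mapped is not None:
            families[foreign] = 'IPv4 (mapped)'
        else:
            families[foreign] = 'IPv%d' % addr.version
    return families


if __name__ == '__main__':
    banned, again = simulate_jail(ACCESS_LOG)
    print('banned:', banned)
    print('already banned:', again)
    for peer, fam in peer_families(NETSTAT).items():
        print('%-25s %s' % (peer, fam))
```

Running the replay bans 184.57.181.141 on its first line and flags it again on its second, which is the situation behind the "already banned" warning: a fresh matching line from an address that is already in the jail's ban list. The same check against the live log is `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-ddos.conf` (log path assumed). The second function deliberately ignores the Proto column: on Linux a socket bound to the IPv6 wildcard also accepts IPv4 clients, and netstat lists those connections as tcp6 with a dotted-quad peer, so the peer literal, not the tcp6 label, is what tells you which family a connection actually uses.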