Hi Max, 

Thanks for the idea, but the problem then would be that no-one can connect to any web site on the server, nor can anyone actually send legit e-mails to the domain.
I could just turn the vps off completely instead in that case... :-(

I have turned off IPv6, and the attacks on port 25 seem to have eased off, but on port 80 they are still ongoing.

Cheers,
__
/ony
-------
Tuesday, December 31, 2013, 12:34:58 AM, Max wrote:

% cat >> /etc/hosts.deny
ALL: ALL EXCEPT your.home.ip.here

might help, as might this:

% awk '{print "ALL: " $1}' /var/log/apache2/access.log | sort -u >> /etc/hosts.deny

this assumes you have installed tcpd

cheers

On Tuesday, 31 December 2013 at 1:19, Tony Andersson <BitFolkList@tony-andersson.com> wrote:
Realised the second after I pressed the send button that the answer to
the ban issue is because those attacks are on IPv6

root@bitfolk:/etc/fail2ban# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp6      0      1 85.119.82.79:80        121.168.45.218:1446    FIN_WAIT1
tcp6      0      1 85.119.82.79:80        24.186.158.213:61301    FIN_WAIT1
tcp6      0      1 85.119.82.79:80        67.180.245.251:17277    FIN_WAIT1
tcp6      0      1 85.119.82.79:80        71.218.243.152:25311    FIN_WAIT1

Now, I have to figure out how to turn IPv6 off on the vps then...
__
/ony
-------
Tuesday, December 31, 2013, 12:11:34 AM, Tony wrote:

> Hi all,

> Have a strange attack happening to one of my domains, on the web
> server. It is a small privatish phpBB forum with nothing exciting,
> interesting or valuable going on at all. And it is the only one
> attacked out of a handful of web sites on the server.

> The site has had a lot of incorrect requests to the server since
> before Christmas. I get POST requests in the region of two per second.
> There's nothing in the POST request and it is to the root of the
> domain. Like this:
> 184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301
> - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301
> - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1"
> 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

> The 301 response is something I set up when I discovered this. There
> should be no POST requests to /, so I do a 301 permanent redirect back
> to the client's own IP address. But that seems to have had no effect
> at all. The requests are still constantly coming in.

> I have set up a filter in fail2ban for anyone POSTing to '/' so they
> should be completely banned (using action 'iptables-allports'). But
> due to the sheer amount of different addresses attacking it seems to
> have little effect. Plus the fact I quite often see this in the
> fail2ban log:
> 2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned

> So it seems that despite being banned they can still send a request to
> the Apache server? Not sure why, the iptables -L seems to list an
> awful lot of IP addresses and domain names. So the fail2ban filter is
> working as it should with setting up rules in iptables.

> At the same time, postfix is getting a large number of requests on
> port 25 too:

> Dec 30 23:54:45 bitfolk postfix/smtpd[14601]: connect from unknown[180.67.178.14]
> Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: lost connection after
> UNKNOWN from unknown[76.2.133.225]
> Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: disconnect from unknown[76.2.133.225]
> Dec 30 23:54:48 bitfolk postfix/smtpd[27968]: connect from unknown[24.151.82.226]
> Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: lost connection after
> UNKNOWN from unknown[173.220.57.214]
> Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: disconnect from unknown[173.220.57.214]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: lost connection after
> UNKNOWN from unknown[72.135.3.145]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: disconnect from unknown[72.135.3.145]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: lost connection after
> UNKNOWN from unknown[173.246.215.147]
> Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: disconnect from unknown[173.246.215.147]
> Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: lost connection after
> UNKNOWN from unknown[180.67.178.14]
> Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: disconnect from unknown[180.67.178.14]

> And in the mail.warn log:

> Dec 30 23:10:15 bitfolk postfix/smtpd[19391]: warning: non-SMTP
> command from unknown[96.38.26.186]: UY:l??????????z??????\?
> Dec 30 23:11:22 bitfolk postfix/smtpd[17880]: warning: non-SMTP
> command from unknown[181.67.172.79]: U:??[6?
> Dec 30 23:14:46 bitfolk postfix/smtpd[19522]: warning: non-SMTP
> command from unknown[24.39.251.34]:
> @:??>T^R^?d???&U?V<??;W?p4?Gf#???t????,???E?
> Dec 30 23:16:57 bitfolk postfix/smtpd[24688]: warning: non-SMTP
> command from unknown[72.181.54.101]: gu:?R?M????

> I can only conclude this is sent to the same domain name as is
> attacked on port 80...

> Now I am worried all this will consume my bandwidth allowance (as
> well as eating into system resources of course), and I have run out of ideas of how
> to stop this. Any suggestions are most welcome!

> Thanks,
> __
> /ony

_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
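The counting that the "POST to /" fail2ban jail in the original post relies on, as an added example that is not part of the thread: it parses lines in the access.log format Tony quoted, applies a findtime/maxretry window, and emits hosts.deny entries with correct quoting (the awk one-liner above loses its quotes). The regex, the function names and the sample addresses (RFC 5737 documentation ranges) are my assumptions, not fail2ban's own filter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the combined-log lines quoted in the thread: client IP, timestamp,
# request line and status code. Hypothetical helper, not fail2ban's own regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("ts"), TS_FMT)}

def offenders(lines, findtime=60, maxretry=2):
    """IPs that POSTed to / at least maxretry times within findtime seconds,
    i.e. what a fail2ban jail with a 'POST /' failregex would ban."""
    hits = defaultdict(list)
    banned = []
    for line in lines:
        r = parse(line)
        if not r or r["method"] != "POST" or r["path"] != "/":
            continue
        # keep only hits still inside the findtime window
        hits[r["ip"]] = [t for t in hits[r["ip"]] + [r["ts"]]
                         if (r["ts"] - t).total_seconds() <= findtime]
        if len(hits[r["ip"]]) >= maxretry and r["ip"] not in banned:
            banned.append(r["ip"])
    return banned

def hosts_deny_lines(ips):
    """One well-formed 'ALL: <ip>' entry per address (tcpd-wrapped services only)."""
    return ["ALL: %s" % ip for ip in ips]

# Constructed sample in the thread's log format; RFC 5737 documentation addresses.
SAMPLE = [
    '192.0.2.10 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [30/Dec/2013:23:32:25 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [30/Dec/2013:23:32:36 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [30/Dec/2013:23:40:00 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]
if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE))))
```

Note that hosts.deny only gates services linked against libwrap, so Apache traffic is still governed by the iptables rules fail2ban writes; dotted-quad addresses listed under tcp6 by netstat are IPv4 connections accepted by a dual-stack listener, and those iptables rules still apply to them.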