  #1
    Just Joined!  Join Date: Oct 2008  Posts: 5

    DDoS attack?


    Hi all,

    Our server may be under attack. Our host isn't very helpful so I'm trying to figure out if this is really an attack.

    Every night around 9 pm our site performance drops below freezing temp. Can't even get my mail anymore. In the secure log I can see (the next day when I'm able to log in again) stuff like this:

    Oct 29 20:32:44 flex223 sshd[25991]: Invalid user duccio from ::ffff:203.251.115.31
    Oct 29 19:32:44 flex223 sshd[25996]: input_userauth_request: invalid user duccio
    Oct 29 20:32:47 flex223 sshd[25991]: Failed password for invalid user duccio from ::ffff:203.251.115.31 port 49943 ssh2
    Oct 29 19:32:47 flex223 sshd[25996]: Received disconnect from ::ffff:203.251.115.31: 11: Bye Bye
    Oct 29 20:35:22 flex223 xinetd[14259]: START: smtp pid=5949 from=190.186.82.176
    Oct 29 20:35:40 flex223 xinetd[14259]: START: smtp pid=7607 from=85.171.56.115
    Oct 29 20:35:46 flex223 xinetd[14259]: START: smtp pid=7846 from=189.69.20.34
    Oct 29 20:36:24 flex223 sshd[11676]: Invalid user oubiwann from ::ffff:203.251.115.31
    Oct 29 19:36:24 flex223 sshd[11786]: input_userauth_request: invalid user oubiwann
    Oct 29 20:36:36 flex223 sshd[11676]: Failed password for invalid user oubiwann from ::ffff:203.251.115.31 port 54585 ssh2
    Oct 29 19:36:36 flex223 sshd[11786]: Connection closed by ::ffff:203.251.115.31
    Oct 29 20:36:42 flex223 xinetd[14259]: START: smtp pid=13447 from=80.120.75.26
    Oct 29 20:36:42 flex223 xinetd[14259]: START: smtp pid=13451 from=80.120.75.26
    Oct 29 20:37:31 flex223 xinetd[14259]: START: smtp pid=17503 from=84.61.20.75
    Oct 29 20:37:46 flex223 xinetd[14259]: START: smtp pid=18092 from=217.97.202.1
    Oct 29 20:37:46 flex223 xinetd[14259]: START: smtp pid=18093 from=85.182.60.21
    Oct 29 20:39:54 flex223 xinetd[14259]: START: smtp pid=26230 from=93.130.16.158
    Oct 29 20:45:27 flex223 xinetd[14259]: START: smtp pid=18047 from=92.53.39.176
    Oct 29 20:48:35 flex223 xinetd[14259]: START: smtp pid=31889 from=78.99.59.68
    Oct 29 20:48:48 flex223 xinetd[14259]: START: smtp pid=32371 from=213.36.213.222
    Oct 29 20:50:38 flex223 xinetd[14259]: START: smtp pid=7753 from=200.73.103.232
    Oct 29 20:50:51 flex223 xinetd[14259]: START: smtp pid=7977 from=87.111.94.177



    1. Does this mean that someone's trying to log in via shell? And someone trying to use our smtp server?

    2. How do they choose a target site?

    3. How do we cope with all this?

    I've been thinking about using two domains for our site. The first to display our home page, SEO-optimized, etc., the second residing on a different server where users actually log on and use the site. The "logon" button on the first server redirects the user to the second server. This assuming attackers only target sites they can find via links on the web. If we prevent any link to our 2nd server, would we prevent attacks?!

    Just some thoughts from me without having any knowledge of web security....

    Any help is greatly appreciated since we're losing customers.

    Best regards,
    Giordano

  #2
    Linux Newbie  Join Date: Apr 2008  Location: India  Posts: 170
    Hi,

    "203.251.115.31 port 49943 ssh2" means that someone is
    trying to log in via ssh.

    My suggestion is to use a firewall (CSF or APF) that will block the
    hacker's IP after 3 attempts, and secure your /tmp by applying noexec in fstab
    so that no one runs scripts from /tmp.

    A few more things to remember: use ssh keys rather than passwords, and
    disable direct root login.

    Regarding SMTP, you can close the open relay or use authentication for that.
    Regards
    David Anand
    -->Success is the list of failures ...!!!
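Added worked example, not part of the original thread: a small Python triage script over the /var/log/secure lines quoted in #1, applying the "block after three attempts" policy David describes in #2. It assumes the sshd and xinetd message formats exactly as they appear in the post (CentOS/Plesk syslog style); the plain iptables DROP rule it produces is my own choice and is only returned as a string, never executed. CSF, APF and fail2ban do the same job continuously, reading the log as it grows and expiring blocks after a while; this shows the decision logic only.

```python
"""Triage of the /var/log/secure lines posted above.

Two unrelated things are interleaved there: sshd rejecting logins for accounts
that do not exist (a password-guessing attack), and xinetd spawning qmail-smtpd
once per inbound SMTP connection (any remote mail server or spambot that
connects to port 25 produces one START line, whether or not it delivers mail).
"""
import re
from collections import Counter

# Sample input: the log lines quoted in post #1 of this thread.
SAMPLE_LOG = """\
Oct 29 20:32:44 flex223 sshd[25991]: Invalid user duccio from ::ffff:203.251.115.31
Oct 29 19:32:44 flex223 sshd[25996]: input_userauth_request: invalid user duccio
Oct 29 20:32:47 flex223 sshd[25991]: Failed password for invalid user duccio from ::ffff:203.251.115.31 port 49943 ssh2
Oct 29 19:32:47 flex223 sshd[25996]: Received disconnect from ::ffff:203.251.115.31: 11: Bye Bye
Oct 29 20:35:22 flex223 xinetd[14259]: START: smtp pid=5949 from=190.186.82.176
Oct 29 20:35:40 flex223 xinetd[14259]: START: smtp pid=7607 from=85.171.56.115
Oct 29 20:35:46 flex223 xinetd[14259]: START: smtp pid=7846 from=189.69.20.34
Oct 29 20:36:24 flex223 sshd[11676]: Invalid user oubiwann from ::ffff:203.251.115.31
Oct 29 19:36:24 flex223 sshd[11786]: input_userauth_request: invalid user oubiwann
Oct 29 20:36:36 flex223 sshd[11676]: Failed password for invalid user oubiwann from ::ffff:203.251.115.31 port 54585 ssh2
Oct 29 19:36:36 flex223 sshd[11786]: Connection closed by ::ffff:203.251.115.31
Oct 29 20:36:42 flex223 xinetd[14259]: START: smtp pid=13447 from=80.120.75.26
Oct 29 20:36:42 flex223 xinetd[14259]: START: smtp pid=13451 from=80.120.75.26
Oct 29 20:37:31 flex223 xinetd[14259]: START: smtp pid=17503 from=84.61.20.75
Oct 29 20:37:46 flex223 xinetd[14259]: START: smtp pid=18092 from=217.97.202.1
Oct 29 20:37:46 flex223 xinetd[14259]: START: smtp pid=18093 from=85.182.60.21
Oct 29 20:39:54 flex223 xinetd[14259]: START: smtp pid=26230 from=93.130.16.158
Oct 29 20:45:27 flex223 xinetd[14259]: START: smtp pid=18047 from=92.53.39.176
Oct 29 20:48:35 flex223 xinetd[14259]: START: smtp pid=31889 from=78.99.59.68
Oct 29 20:48:48 flex223 xinetd[14259]: START: smtp pid=32371 from=213.36.213.222
Oct 29 20:50:38 flex223 xinetd[14259]: START: smtp pid=7753 from=200.73.103.232
Oct 29 20:50:51 flex223 xinetd[14259]: START: smtp pid=7977 from=87.111.94.177
"""

# sshd on a dual-stack socket logs IPv4 peers as IPv4-mapped IPv6 addresses
# (::ffff:a.b.c.d); strip the prefix so counts are keyed on the IPv4 address.
MAPPED_PREFIX = "::ffff:"
SSH_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
SSH_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
SMTP_START = re.compile(r"xinetd\[\d+\]: START: smtp pid=\d+ from=(\S+)")


def strip_mapped(addr):
    return addr[len(MAPPED_PREFIX):] if addr.startswith(MAPPED_PREFIX) else addr


def parse_secure_log(text):
    """Return (kind, ip, detail) tuples. kind 'ssh_fail' carries the username
    tried; 'smtp_conn' carries 'smtp'. Every sshd line that names the peer
    counts, so one guess at a non-existent account yields two events (Invalid
    user + Failed password); input_userauth_request and disconnect lines are
    skipped because they do not name the peer."""
    events = []
    for line in text.splitlines():
        m = SSH_FAILED.search(line) or SSH_INVALID.search(line)
        if m:
            events.append(("ssh_fail", strip_mapped(m.group(2)), m.group(1)))
            continue
        m = SMTP_START.search(line)
        if m:
            events.append(("smtp_conn", m.group(1), "smtp"))
    return events


def count_by_ip(events, kind):
    """Counter of events of one kind per source IP."""
    return Counter(ip for k, ip, _ in events if k == kind)


def usernames_tried(events, ip):
    """Distinct usernames an IP tried: a list of names that do not exist on
    the box is the signature of a dictionary attack, not a forgotten password."""
    return sorted({u for k, i, u in events if k == "ssh_fail" and i == ip})


def ssh_blocklist(events, threshold=3):
    """IPs at or above the failure threshold, with the iptables rule that would
    drop them. Dry run: rules are returned as strings, nothing is executed."""
    return [(ip, f"iptables -I INPUT -s {ip} -j DROP")
            for ip, n in count_by_ip(events, "ssh_fail").most_common()
            if n >= threshold]


if __name__ == "__main__":
    events = parse_secure_log(SAMPLE_LOG)
    for ip, n in count_by_ip(events, "ssh_fail").most_common():
        print(f"ssh: {n} failures from {ip}, users tried {usernames_tried(events, ip)}")
    smtp = count_by_ip(events, "smtp_conn")
    print(f"smtp: {sum(smtp.values())} connections from {len(smtp)} distinct IPs")
    for ip, rule in ssh_blocklist(events):
        print(f"would block {ip}: {rule}")
```

On the lines from #1, 203.251.115.31 produces four counted sshd lines for two non-existent usernames, so it crosses the default threshold of 3, while no SMTP source appears more than twice. The xinetd START line only records that qmail-smtpd was spawned for a connection; whether that connection was accepted for relay or rejected is recorded by qmail in its own log, not in /var/log/secure.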

  #3
    Just Joined!  Join Date: Oct 2008  Posts: 5
    Thanks for your reply David.

    I have set the firewall to drop all connections for ftp and ssh except those from our own machines. Guess that should take the pressure off our server?!

    I will look into your other suggestions.

    But those SMTP entries in the secure log, what are they doing??!??!
    Am I right to assume that an entry appears in the log each time someone sends mail to our server and each time someone sends mail from our server? If so, then I have no idea who these folks in the log are.

    Regards,
    Giordano

  #4
    Linux Newbie  Join Date: Apr 2008  Location: India  Posts: 170
    Could you please post the maillog for the IPs that have been listed in the
    secure log, so that I can have a look at that?
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  #5
    Just Joined!  Join Date: Oct 2008  Posts: 5
    The "/var/log/maillog" file is empty, I'm afraid...

    And by now I also know that the firewall settings did not make a difference. Performance dropped again, no sign of ssh login attempts in the log though, obviously.

    In the Plesk/Virtuozzo panel under Resources I see that the Load Average is as high as 6 at times, which I understand to mean that the cpu is working overtime (1=100% ?!?). But when I check the processlist and add up the cpu percentages there, I don't get 100% at all. Don't get this! Is my interpretation of these figures correct? Could it be that some other vps on the same server is eating away the resources on the server?

    Any suggestions?

  #6
    Linux Newbie  Join Date: Apr 2008  Location: India  Posts: 170

    In Plesk, sendmail never runs; qmail runs, so it is a waste checking the logs in
    /var/log/maillog (you will only get the pop3 logs). Check the logs in
    /usr/local/psa/var/log/maillog
    and you will get the logs there.

    First let me make one thing clear: you are not working on a physical server, it is a VPS.
    There is no real processor and no real HDD; all are shared from the main node.
    Please use ps -aufx and paste the result.
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  #7
    Just Joined!  Join Date: Oct 2008  Posts: 5
    Yes you're right, it's a VPS, shared resources... I do wonder sometimes how to figure out if other accounts aren't sucking resources up. Is there any way to see that?

    Here's the output of the ps:

    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 1 0.0 0.0 1700 592 ? Ss Oct27 0:00 init [3]
    root 14178 0.0 0.0 1608 544 ? Ss Oct27 0:06 syslogd -m 0
    named 14208 0.0 0.1 36420 2848 ? Ssl Oct27 0:00 /usr/sbin/named -u named -n1 -c /etc/named.co
    root 14228 0.0 0.0 4088 1140 ? Ss Oct27 0:05 /usr/sbin/sshd
    root 9629 0.0 0.1 8728 2568 ? Ss 17:03 0:00 \_ sshd: root@pts/0
    root 10088 0.0 0.0 2232 1332 pts/0 Ss 17:03 0:00 \_ -bash
    root 14095 0.0 0.0 2384 760 pts/0 R+ 17:57 0:00 \_ ps aufx
    root 14302 0.0 0.0 2228 1144 ? S Oct27 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/l
    mysql 15436 1.3 5.8 429332 122892 ? Sl Oct27 170:49 \_ /usr/libexec/mysqld --basedir=/usr --data
    root 17454 0.0 1.0 26520 22348 ? Ss Oct27 0:00 /usr/bin/spamd --username=popuser --daemonize
    popuser 17555 0.0 1.0 26520 21044 ? S Oct27 0:00 \_ spamd child
    root 17777 0.0 0.3 41052 7796 ? Ss Oct27 0:00 /usr/local/psa/admin/bin/httpsd
    psaadm 18009 0.0 0.8 45192 18016 ? S 17:31 0:00 \_ /usr/local/psa/admin/bin/httpsd
    psaadm 20012 0.0 0.8 45080 17280 ? S 17:32 0:00 \_ /usr/local/psa/admin/bin/httpsd
    psaadm 20137 0.0 0.5 44864 11864 ? S 17:32 0:00 \_ /usr/local/psa/admin/bin/httpsd
    root 17883 0.0 0.0 2492 932 ? Ss Oct27 0:00 crond
    root 17902 0.0 0.0 4132 688 ? Ss Oct27 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a
    root 11269 0.0 0.8 34808 17960 ? Ss Oct31 0:57 /usr/sbin/httpd
    root 29749 0.0 0.3 23004 7528 ? S Nov02 0:00 \_ /usr/sbin/httpd
    apache 15857 0.9 0.6 35728 14448 ? S 17:30 0:14 \_ /usr/sbin/httpd
    apache 7369 1.0 0.6 35696 14408 ? S 17:40 0:10 \_ /usr/sbin/httpd
    apache 7372 1.1 0.6 35732 14416 ? S 17:40 0:11 \_ /usr/sbin/httpd
    apache 7374 1.0 0.7 35948 14684 ? S 17:40 0:10 \_ /usr/sbin/httpd
    apache 7386 1.0 0.6 35676 14400 ? S 17:40 0:10 \_ /usr/sbin/httpd
    root 15981 0.0 0.0 2156 844 ? Ss Nov01 0:02 xinetd -stayalive -pidfile /var/run/xinetd.pi
    qmaild 13918 0.0 0.0 3404 824 ? Ss 17:57 0:00 \_ /var/qmail/bin/qmail-smtpd /var/qmail/bin
    root 14014 0.0 0.0 1988 576 ? S 17:57 0:00 \_ plugins/chkrcptto
    qmails 16032 0.0 0.0 1588 468 ? S Nov01 0:22 qmail-send
    qmaill 16034 0.0 0.0 1548 440 ? S Nov01 0:01 \_ splogger qmail
    root 16035 0.0 0.0 1580 360 ? S Nov01 0:00 \_ qmail-lspawn | /usr/bin/deliverquota ./Ma
    qmailr 16037 0.0 0.0 1708 580 ? S Nov01 0:00 \_ qmail-rspawn
    qmailq 16038 0.0 0.0 1540 328 ? S Nov01 0:00 \_ qmail-clean

    Hope this makes sense to you...

  #8
    Just Joined!  Join Date: Oct 2008  Posts: 5
    And these are some lines from the maillog file. A few IPs that I also found in the secure log:

    Nov 5 18:10:48 flex223 relaylock: /var/qmail/bin/relaylock: mail from 190.40.70.247:27059 (client-190.40.70.247.speedy.net.pe)
    Nov 5 18:10:48 flex223 relaylock: /var/qmail/bin/relaylock: mail from 190.40.70.247:27065 (client-190.40.70.247.speedy.net.pe)
    Nov 5 18:10:56 flex223 relaylock: /var/qmail/bin/relaylock: mail from 89.186.121.9:51376 (not defined)
    Nov 5 18:13:31 flex223 relaylock: /var/qmail/bin/relaylock: mail from 189.35.108.34:61871 (bd236c22.virtua.com.br)
    Nov 5 18:13:32 flex223 relaylock: /var/qmail/bin/relaylock: mail from 80.25.4.166:55746 (166.red-80-25-4.staticip.rima-tde.net)


    What does the relaylock mean? Is someone trying to relay mail through our mail server?

    Furthermore: on the nights that performance drops I see that Plesk/Virtuozzo reports privvmpages to be in the red zone. Does this mean the processes take up too much memory? Our VPS has 1.3GB of memory. Would you guess that to be enough for a site that has approx. 680,000 page views/month? Any metrics available as to what server size one needs?!

    Regards
