VPS under heavy attack.
Last night my VPS was attacked for two hours.
My log is exploding: millions of auth failures from dovecot.
They tried thousands of usernames with dozens of passwords for each username.
Fortunately my server is up and running and all requests were denied.
Just to share my bad experience and to know if you have noticed similar things these days.
26 Replies
It seems a "quite dead" project: no updates, no development on it.
Do you think that it is good to install it?
Fail2ban works well, and I'd recommend it… at least until an alternative comes along
@bezerker:
Honestly it does what it needs to do… As long as there aren't security holes, it's doing the job. Why fix something that isn't broken. :)
It's funny that you should say that. The last update to it in Debian closes a remote DoS security hole in it.
I run it anyway, it's good for what it's intended to do.
@Ævar Arnfjörð Bjarmason:
@bezerker: Honestly it does what it needs to do… As long as there aren't security holes, it's doing the job. Why fix something that isn't broken.
:) It's funny that you should say that. The last update to it in Debian closes a remote DoS security hole in it.
I run it anyway, it's good for what it's intended to do.
This is what I mean…
Ok I will use it.
I configured it ok for SSH.
but now I want to configure it also for phpmyadmin and dovecot.
I can't find the correct regexp/filter that catches the problem on CentOS 5.5…
The link posted initially doesn't work for my dovecot configuration (dovecot 1.0.7)…
I can't find anything working also for phpmyadmin…
@Ævar Arnfjörð Bjarmason:
First of all, don't panic. Millions of failed auth tries isn't a big deal, it just costs you a tiny bit of bandwidth (probably not more than ~100MB in all), and it's very unlikely that they'll compromise the system if you have sane password policies in the first place.
Ok ok, my system is up and running, no problem and no panic, but I don't want to get another attack and reply to every attack.
fail2ban seems to be a reasonable choice.
In the meantime I solved it for SSH and dovecot with the correct regexps;
now I need to find something to protect phpmyadmin from repeated login attempts…
thanks for your help
IP_ADDRESS - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
dovecot
postfix
ssh
apache
php injection
squirrelmail
Now I don't understand how to generate a correct regexp for the phpmyadmin invalid login.
- You DO have displayerrors = Off and logerrors = On in php.ini, right?
@rsk:
Maybe CAREFULLY edit phpmyadmin's code to issue an error_log('PMA: Login refused!') call where appropriate, and tell fail2ban to look for that string in your webserver's error log*?
- You DO have displayerrors = Off and logerrors = On in php.ini, right?
All is ok, phpmyadmin gives access denied on a wrong user/pass, but I need to configure fail2ban to ban those IPs.
phpmyadmin puts this string in the ssl access log
when someone enters a wrong combination of user/pass:
IP_ADDRESS - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
but actually I haven't found a regexp for fail2ban that catches this string and bans the IP.
Can't understand why this regexp doesn't work:
/
It's been a while but I found it easy to tweak them when I needed to.
@Ævar Arnfjörð Bjarmason:
Have you read fail2ban's documentation (and the stuff that came with your OS). What part about the docs that say how to add new regex matching rules don't you understand?
It's been a while but I found it easy to tweak them when I needed to.
Same here, easy for the others, not for this one.
Can't understand why the regexp I posted doesn't catch those lines.
@sblantipodi:
@Ævar Arnfjörð Bjarmason: Have you read fail2ban's documentation (and the stuff that came with your OS). What part about the docs that say how to add new regex matching rules don't you understand?
It's been a while but I found it easy to tweak them when I needed to.
Same here, easy for the others, not for this one.
Can't understand why the regexp I posted doesn't catch those lines.
I'm also trying with
fail2ban-regex '1.2.3.4 - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885' '
This command returns the correct match, but it doesn't ban the IP address that makes the incorrect logins o_O
failregex =
The problem is that I had a wrong path in jail.conf o_O
Is it possible to specify more than one path in jail.conf without repeating the same code two times?
Something good for paths like these:
/var/log/httpd/*access_log
/var/log/httpd/site1/*access_log
/var/log/httpd/site2/*access_log
This doesn't work well:
/var/log/httpd/*/*access_log
It doesn't work for the /var/log/httpd/*access_log file but only for
/var/log/httpd/site1/*access_log
/var/log/httpd/site2/*access_log
[pma]
enabled = true
filter = pma
action = iptables-multiport[name=apache, port=http]
logpath = /yourpath/*access_log
[pma_ssl]
enabled = true
filter = pma
action = iptables-multiport[name=apache, port=https]
logpath = /yourpath/*access_log
And this for the pma.conf filter:
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
# The access log line reads "IP - user [date] ...", so a space and a dash
# follow the host; <HOST> expands to a \S+ group and cannot swallow that space.
failregex = <HOST> - .*"GET /phpmyadmin/ HTTP.*" 401 (885|981)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
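To check a filter like the one above without touching a live jail, the following script (an added example for this thread, not fail2ban's own code) replays fail2ban's <HOST> expansion and its maxretry/findtime counting over a few constructed access-log lines in the same format as the 401 line quoted earlier. The HOST_TAG expansion is the one fail2ban 0.8 uses; the sliding-window ban logic is a simplified approximation of the real server, and the IP addresses and timestamps are made up. It also shows why the variant with no space after <HOST> matches nothing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban 0.8 replaces the <HOST> tag with this named group before compiling.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Filter from the thread, with the space before the dash restored.
FAILREGEX = r'<HOST> - .*"GET /phpmyadmin/ HTTP.*" 401 (885|981)'
# Same pattern without the space: \S+ stops at the space in "1.2.3.4 -", so
# the literal "-" can never follow the host group and nothing matches.
BROKEN_FAILREGEX = r'<HOST>-.*"GET /phpmyadmin/ HTTP.*" 401 (885|981)'

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
203.0.113.7 - invalidusername [19/Jul/2010:18:29:01 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
203.0.113.7 - admin [19/Jul/2010:18:29:20 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 981
198.51.100.4 - root [19/Jul/2010:18:30:00 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
198.51.100.4 - alice [19/Jul/2010:18:31:10 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 2043
192.0.2.9 - bob [19/Jul/2010:18:32:00 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
192.0.2.9 - bob [19/Jul/2010:20:00:00 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
192.0.2.9 - bob [19/Jul/2010:20:00:05 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
"""

# Apache common-log timestamp, e.g. [19/Jul/2010:18:28:55 +0200]
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def failures(log_text, pattern):
    """Return (timestamp, host) for every line the failregex matches."""
    regex = compile_failregex(pattern)
    hits = []
    for line in log_text.splitlines():
        match = regex.search(line)
        if not match:
            continue
        stamp = TIMESTAMP_RE.search(line)
        when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((when, match.group("host")))
    return hits


def ips_to_ban(log_text, pattern, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside a sliding findtime window.

    Simplified model of fail2ban's jail logic (assumption: real fail2ban also
    tracks ban duration and unbans; that part is left out here).
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for when, host in sorted(failures(log_text, pattern)):
        recent[host].append(when)
        # Forget failures that fell out of the window.
        recent[host] = [t for t in recent[host] if when - t <= window]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("matches with fixed regex :", len(failures(SAMPLE_LOG, FAILREGEX)))
    print("matches with broken regex:", len(failures(SAMPLE_LOG, BROKEN_FAILREGEX)))
    print("would ban:", ips_to_ban(SAMPLE_LOG, FAILREGEX))
```

Run as-is the script reports seven matching lines for the fixed regex, none for the broken one, and bans only 203.0.113.7: the three failures from 192.0.2.9 are spread over more than findtime, which is exactly the case where a too-short findtime lets a slow brute-force through.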
My average CPU usage increased by 0.50%…
Have you noticed the same?
PS (My logs aren't so big because I rotate them every day after backing them up)…
@hoopycat:
Using things that will use more CPU will tend to cause your system to use more CPU.
0.50% seemed quite a big increase for a service like that,
ok no problem, it works well…
thanks.
Use 'top' then shift-t (to sort by cpu time) to see the usage picture for your server.
@sleddog:
I only use it for dovecot and the amount of cpu time used is minimal.
Use 'top' then shift-t (to sort by cpu time) to see the usage picture for your server.
Yes, with the configuration I set:
apache
php injection
dovecot
ssh
phpmyadmin
squirrelmail
it eats a lot of CPU. I don't like to waste resources, especially when they are shared.
Probably I need to remove some filter…
Also, using only dovecot, the CPU never goes idle;
with all the filters enabled (the ones I mentioned previously)
it eats 0.50, with dovecot only about 0.30%…
I can see a +0.50% on the dashboard in the average CPU load; 0.50% is quite impressive…
EDIT: the 0.50 doesn't refer to what I thought, I mean the output of the uptime command.
0.50 is really 0.50% of the 100% available on a quad core.
Ok, this is really reasonable, I will enable all the filters again.
Now I have also optimized the regular expressions to match better and reduce CPU usage a little; it worked well under heavy load.
Benchmarking the Linode I noticed that with 50 connections fail2ban increased my quad core CPU load by less than 0.7/10, ok, it's reasonable…
Thanks to all, I've finished writing in this thread,
bye.
@rsk:
The "load average" displayed by uptime is something completely different than "CPU load"!
ok ok, I understood it now, thanks.
@tentimes:
Have you thought about not using usernames and passwords at all and using keys instead? This is what I do. I also have all ports disabled by default and only the ports I need open. Oh, and fail2ban works well too.
Do you have key only for squirrelmail, phpmyadmin, apache auth and you have disabled their ports?