VPS under heavy attack.

As subject,

this night my VPS was attacked for two hours.

My log is exploding, millions of auth fail from dovecot.

They tried thousands of usernames with dozens of passwords for each username.

Fortunately my server is up and running and all requests were denied.

Just to share my bad experience and to know if you noticed similar things these days.

26 Replies

Fail2ban will take care of this for you:

http://www.fail2ban.org/wiki/index.php/Main_Page

http://wiki.dovecot.org/HowTo/Fail2Ban

thanks for your reply, I have always avoided fail2ban since

it seems a "quite dead" project, no update, no development on it.

Do you think that it is good to install it?

Honestly it does what it needs to do… As long as there aren't security holes, it's doing the job. Why fix something that isn't broken. :)

Fail2ban works well, and I'd recommend it… at least until an alternative comes along

@bezerker:

Honestly it does what it needs to do… As long as there aren't security holes, it's doing the job. Why fix something that isn't broken. :)

It's funny that you should say that. The last update to it in Debian closes a remote DoS security hole in it.

I run it anyway, it's good for what it's intended to do.

@Ævar Arnfjörð Bjarmason:

@bezerker:

Honestly it does what it needs to do… As long as there aren't security holes, it's doing the job. Why fix something that isn't broken. :)

It's funny that you should say that. The last update to it in Debian closes a remote DoS security hole in it.

I run it anyway, it's good for what it's intended to do.

This is what I mean…

Ok I will use it.

I configured it ok for SSH.

but now I want to configure it also for phpmyadmin and dovecot.

I can't find the correct regexp/filter that catches the problem on CentOS 5.5…

The link posted initially doesn't work for my dovecot configuration (dovecot 1.0.7)…

I can't find anything working also for phpmyadmin…

First of all, don't panic. Millions of failed auth tries isn't a big deal, it just costs you a tiny bit of bandwidth (probably not more than ~100MB in all), and it's very unlikely that they'll compromise the system if you have sane password policies in the first place.

@Ævar Arnfjörð Bjarmason:

First of all, don't panic. Millions of failed auth tries isn't a big deal, it just costs you a tiny bit of bandwidth (probably not more than ~100MB in all), and it's very unlikely that they'll compromise the system if you have sane password policies in the first place.

Ok ok, my system is up and running, no problem and no panic, but I don't want to get another attack and react to every attack.

fail2ban seems to be a reasonable choice.

In the meantime I solved for SSH and dovecot with correct regexp,

now I need to find something to protect phpmyadmin from repeated login attempts…

thanks for your help :)

How can I create a regexp to ban IP from this sslaccesslog

IP_ADDRESS - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885

I have just configured fail2ban for:

dovecot

postfix

ssh

apache

php injection

squirrelmail

now I don't understand how to generate a correct regexp for the phpmyadmin invalid login

Maybe CAREFULLY edit phpmyadmin's code to issue an error_log('PMA: Login refused!') call where appropriate, and tell fail2ban to look for that string in your webserver's error log*?

  • You DO have display_errors = Off and log_errors = On in php.ini, right?

@rsk:

Maybe CAREFULLY edit phpmyadmin's code to issue an error_log('PMA: Login refused!') call where appropriate, and tell fail2ban to look for that string in your webserver's error log*?

  • You DO have display_errors = Off and log_errors = On in php.ini, right?

All is ok, phpmyadmin launches access denied on a wrong user/pass but I need to configure fail2ban to ban those IPs.

phpmyadmin puts this string in sslaccesslog

when someone enters a wrong combination of user/pass

IP_ADDRESS - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885

but actually I haven't found a regexp for fail2ban that catches this string and bans the IP.

can't understand why this regexp doesn't work:

/ -.*"GET \/phpmyadmin\/ HTTP\/1.1" 401 885/

Have you read fail2ban's documentation (and the stuff that came with your OS). What part about the docs that say how to add new regex matching rules don't you understand?

It's been a while but I found it easy to tweak them when I needed to.

@Ævar Arnfjörð Bjarmason:

Have you read fail2ban's documentation (and the stuff that came with your OS). What part about the docs that say how to add new regex matching rules don't you understand?

It's been a while but I found it easy to tweak them when I needed to.

same here, easy for other than this.

Can't understand why the regexp I posted doesn't catch those lines.

@sblantipodi:

@Ævar Arnfjörð Bjarmason:

Have you read fail2ban's documentation (and the stuff that came with your OS). What part about the docs that say how to add new regex matching rules don't you understand?

It's been a while but I found it easy to tweak them when I needed to.

same here, easy for everything other than this.

Can't understand why the regexp I posted doesn't catch those lines.

I'm also trying with

fail2ban-regex '1.2.3.4 - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885' ' -."GET \/phpmyadmin\/ HTTP." 401 885'

this command returns the correct matching, but it doesn't ban the IP address that makes the incorrect login o_O

ok that regexp was good.

failregex = -."GET \/phpmyadmin\/ HTTP." 401 885

the problem is that I got a wrong path in the jail.conf o_O

is it possible to specify more than one path in jail.conf without repeating the same code two times?

something good for a path like this

/var/log/httpd/*access_log

/var/log/httpd/site1/*access_log

/var/log/httpd/site2/*access_log

this doesn't work well

/var/log/httpd/*/*access_log

for the /var/log/httpd/*access_log file but only for

/var/log/httpd/site1/*access_log

/var/log/httpd/site2/*access_log

I solved it, in case it will help some lazy people, here are the jail.conf settings:

[pma]

enabled = true
filter = pma
action =  iptables-multiport[name=apache, port=http]
logpath = /yourpath/*access_log

[pma_ssl]

enabled = true
filter = pma
action =  iptables-multiport[name=apache, port=https]
logpath = /yourpath/*access_log

and this for pma.conf filter

[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<host>" can
#          be used for standard IP/hostname matching.
#          Access log lines look like: IP - user [date] "GET /phpmyadmin/ HTTP/1.1" 401 885
#          so a space separates the host from the "-" ident field.
# Values:  TEXT
#
failregex = <host> -.*"GET \/phpmyadmin\/ HTTP.*" 401 (885|981)
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
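To see why the first attempt in the thread (a pattern with no host group) can never lead to a ban, and what the final filter plus fail2ban's maxretry/findtime logic does with a run of 401 responses, here is an added example that is not part of the thread or of fail2ban itself. It applies the thread's failregex to constructed access-log lines (RFC 5737 test addresses) and re-implements the ban decision in a few lines; the HOST pattern is a simplified stand-in for fail2ban's `<host>` tag, and the `maxretry`/`findtime` defaults are assumptions, not fail2ban's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <host> tag (assumption: the real expansion
# is slightly different, but it also yields a group named "host").
HOST = r"(?P<host>[\w\-.:]+)"

# The thread's first attempt: matches the line, but captures no host.
BROKEN_REGEX = re.compile(r' -.*"GET /phpmyadmin/ HTTP/1.1" 401 885')

# The thread's final pma.conf failregex with <host> expanded.
FAILREGEX = re.compile(HOST + r' -.*"GET /phpmyadmin/ HTTP.*" 401 (885|981)')

# Pulls the "[19/Jul/2010:18:28:55 +0200]" timestamp out of a combined-format line.
TIME_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")

# Constructed sample log (not real traffic): one host hammering the login page,
# another host with a single typo and one successful request.
LOG_LINES = """\
203.0.113.7 - invalidusername [19/Jul/2010:18:28:55 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
203.0.113.7 - invalidusername [19/Jul/2010:18:28:57 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
203.0.113.7 - root [19/Jul/2010:18:28:59 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 981
203.0.113.7 - admin [19/Jul/2010:18:29:01 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
198.51.100.3 - alice [19/Jul/2010:18:30:00 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 4523
198.51.100.3 - bob [19/Jul/2010:18:31:10 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
203.0.113.7 - admin [19/Jul/2010:20:00:00 +0200] "GET /phpmyadmin/ HTTP/1.1" 401 885
"""


def extract_host(pattern, line):
    """Return the host a pattern captures from a line, or None when the pattern
    either does not match or has no "host" group (the latter is why fail2ban
    has nothing to ban with the thread's first regex)."""
    m = pattern.search(line)
    if not m:
        return None
    return m.groupdict().get("host")


def parse_failures(lines):
    """Return (host, timestamp) for every line the failregex matches, in file order."""
    hits = []
    for line in lines.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = TIME_RE.search(line).group("ts")
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("host"), when))
    return hits


def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Mimic fail2ban's maxretry/findtime rule: a host is banned once it has
    maxretry failregex matches within a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for host, when in parse_failures(lines):
        # Drop matches that have aged out of the window, then count this one.
        recent[host] = [t for t in recent[host] if when - t <= window]
        recent[host].append(when)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    first = LOG_LINES.splitlines()[0]
    print("broken regex captures:", extract_host(BROKEN_REGEX, first))
    print("final regex captures: ", extract_host(FAILREGEX, first))
    print("failures:", len(parse_failures(LOG_LINES)))
    print("hosts to ban:", hosts_to_ban(LOG_LINES))
```

Running it prints `None` for the broken pattern and `203.0.113.7` for the final one, then reports six failures and a single host to ban: 198.51.100.3 produced one 401 and is left alone, which is the maxretry threshold doing its job against a user who mistyped a password once.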

Reading from my graphs I can see that since I enabled fail2ban

my average CPU increased by 0.50%…

Have you noticed the same?

PS (My log isn't so big because I rotate it every day after backing it up)…

Using things that will use more CPU will tend to cause your system to use more CPU.

@hoopycat:

Using things that will use more CPU will tend to cause your system to use more CPU.

0.50% seemed quite a big increase for a service like that,

ok no problem, it works good…

thanks.

I only use it for dovecot and the amount of cpu time used is minimal.

Use 'top' then shift-t (to sort by cpu time) to see the usage picture for your server.

@sleddog:

I only use it for dovecot and the amount of cpu time used is minimal.

Use 'top' then shift-t (to sort by cpu time) to see the usage picture for your server.

yes, with the configuration I set:

apache

php injection

dovecot

ssh

phpmyadmin

squirrelmail

it eats a lot of CPU, I don't like to waste resources, especially when they are shared.

probably I need to remove some filter…

every filter adds some work for the CPU,

also by using only dovecot the CPU never goes idle,

with all filters enabled (the ones I mentioned previously)

it eats 0.50, with dovecot only about 0.30%…

I can see a +0.50% on the dashboard in the average CPU load, 0.50% is quite impressive…

EDIT: the 0.50 isn't the 0.50 I thought, I mean the output of the uptime command.

0.50 is really 0.50% of the 100% available on a quad core.

ok this is really reasonable, I will enable all the filter again :)

Now I also optimized the regular expressions to make better matching and reduce CPU usage a little, it worked well under heavy load.

Benchmarking my Linode I noticed that with 50 connections fail2ban increased my quad core CPU load by less than 0.7/10, ok, it's reasonable…

Thanks to all, I finished writing on this thread :)

bye.

The "load average" displayed by uptime is something completely different than "CPU load"!

@rsk:

The "load average" displayed by uptime is something completely different than "CPU load"!

ok ok, I understood it now, thanks. :)

Have you thought about not using usernames and passwords at all and using keys instead? This is what I do. I also have all ports disabled by default and only the ports I need open. Oh, and fail2ban works well too.

@tentimes:

Have you thought about not using usernames and passwords at all and using keys instead? This is what I do. I also have all ports disabled by default and only the ports I need open. Oh, and fail2ban works well too.

Do you have key only for squirrelmail, phpmyadmin, apache auth and you have disabled their ports?
