Posts by Mario

    Hello, after resolving some DDoS attacks against DNS services, I have
    seen that they are trying to attack my server with port-scanning techniques. I
    have dealt with it as follows:



    Install the "portsentry" tool:
    # apt-get install portsentry    (or: aptitude install portsentry)


    Modify the configuration file:
    # nano /etc/portsentry/portsentry.conf



    In the "Ignore Options" section, uncomment the following lines and set them to 1:


    # BLOCK_UDP="0"
    # BLOCK_TCP="0"


    becomes


    BLOCK_UDP="1"
    BLOCK_TCP="1"


    Save the file and exit.


    Restart the service:
    # /etc/init.d/portsentry restart



    Check the log:
    # grep attack /var/log/syslog


    Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Connect from host: 185.94.111.1/185.94.111.1 to UDP port: 161
    Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Host 185.94.111.1 has been blocked via wrappers with string: "ALL: 185.94.111.1 : DENY"
    Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Host 185.94.111.1 has been blocked via dropped route using command: "/sbin/route add -host 185.94.111.1 reject"
    Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Connect from host: 52.11.245.77/52.11.245.77 to UDP port: 54321
    Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Host 52.11.245.77 has been blocked via wrappers with string: "ALL: 52.11.245.77 : DENY"
    Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Host 52.11.245.77 has been blocked via dropped route using command: "/sbin/route add -host 52.11.245.77 reject"
    Oct  4 09:04:19 ns1 portsentry[3015]: attackalert: Connect from host: 139.162.187.232/139.162.187.232 to TCP port: 11
    Oct  4 09:04:19 ns1 portsentry[3015]: attackalert: Host 139.162.187.232 has been blocked via wrappers with string: "ALL: 139.162.187.232 : DENY"


    In the file "hosts.deny" we can see the IPs that were blocked.



    # cat /etc/hosts.deny


    ALL: 47.197.167.26 : DENY
    ALL: 168.1.128.36 : DENY
    ALL: 184.73.98.190 : DENY
    ALL: 168.1.128.52 : DENY
    ALL: 5.39.218.246 : DENY
    ALL: 216.244.87.10 : DENY
    ALL: 95.215.60.214 : DENY
    ALL: 45119208111 : DENY
    ALL: 216.218.206.66 : DENY
    ALL: 93.158.215.57 : DENY
    ALL: 74.82.47.53 : DENY
    ALL: 190.232.179.83 : DENY
    ALL: 169.54.244.93 : DENY
    ALL: 72251244205 : DENY
    ALL: 207.244.96.136 : DENY
    ALL: 93.174.93.100 : DENY
    ALL: 89.248.168.6 : DENY
    ALL: 169.54.233.118 : DENY
    ALL: 71.6.146.186 : DENY
    ALL: 169.54.233.121 : DENY
    ALL: 69164201113 : DENY
    ALL: 43241237177 : DENY
    ALL: 163.172.129.15 : DENY
    ALL: 198148116133 : DENY
    ALL: 164.132.99.67 : DENY
    ALL: 120.52.20.137 : DENY
    ALL: 120.52.20.138 : DENY
    ALL: 92.222.78.92 : DENY
    ALL: 184.105.139.94 : DENY
    ALL: 204.42.253.130 : DENY
    ALL: 209.126.136.2 : DENY
    ALL: 184.105.139.67 : DENY
    ALL: 185.94.111.1 : DENY
    ALL: 52.11.245.77 : DENY
    ALL: 139.162.187.232 : DENY


    There is another tool called psad.


    Greetings, I hope this will be helpful to the community. :thumbsup:


    Sorry for my English. :D
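The post above checks portsentry's work by eyeballing syslog and hosts.deny. The following is an added example (not code from the post or from portsentry) that does the same check mechanically: it parses the `attackalert` lines portsentry writes to syslog, records which hosts probed which ports and how each one was blocked, and compares that against the entries actually present in hosts.deny. The syslog and hosts.deny samples are constructed from the lines quoted above; the host `203.0.113.9` and the sshd line are invented to show a probe that was logged but not blocked (what you get while `BLOCK_TCP` is still "0") and a non-portsentry line being skipped.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt modelled on the portsentry lines quoted in the post.
# 203.0.113.9 (documentation range) and the sshd line are invented for illustration.
SYSLOG_SAMPLE = """\
Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Connect from host: 185.94.111.1/185.94.111.1 to UDP port: 161
Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Host 185.94.111.1 has been blocked via wrappers with string: "ALL: 185.94.111.1 : DENY"
Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Host 185.94.111.1 has been blocked via dropped route using command: "/sbin/route add -host 185.94.111.1 reject"
Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Connect from host: 52.11.245.77/52.11.245.77 to UDP port: 54321
Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Host 52.11.245.77 has been blocked via wrappers with string: "ALL: 52.11.245.77 : DENY"
Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Host 52.11.245.77 has been blocked via dropped route using command: "/sbin/route add -host 52.11.245.77 reject"
Oct  4 09:04:19 ns1 portsentry[3015]: attackalert: Connect from host: 139.162.187.232/139.162.187.232 to TCP port: 11
Oct  4 09:04:19 ns1 portsentry[3015]: attackalert: Host 139.162.187.232 has been blocked via wrappers with string: "ALL: 139.162.187.232 : DENY"
Oct  4 09:04:20 ns1 sshd[4011]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Oct  4 09:10:02 ns1 portsentry[3015]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 23
"""

# Constructed hosts.deny: deliberately missing 139.162.187.232 to show drift.
HOSTS_DENY_SAMPLE = """\
ALL: 185.94.111.1 : DENY
ALL: 52.11.245.77 : DENY
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+\s[\d:]{8})"
CONNECT_RE = re.compile(
    SYSLOG_TS + r" \S+ portsentry\[(?P<pid>\d+)\]: attackalert: Connect from host: "
    r"(?P<ip>[\d.]+)/\S+ to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)
BLOCK_RE = re.compile(
    SYSLOG_TS + r" \S+ portsentry\[\d+\]: attackalert: Host (?P<ip>[\d.]+) "
    r"has been blocked via (?P<how>wrappers|dropped route)"
)
HOSTS_DENY_RE = re.compile(r"^ALL:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*DENY\s*$")


def parse_attackalerts(syslog_text):
    """Return (probes, blocks).

    probes: list of (timestamp, ip, proto, port) for every 'Connect from host' line.
    blocks: ip -> set of mechanisms portsentry reported ('wrappers', 'dropped route').
    Lines from other daemons are ignored.
    """
    probes, blocks = [], defaultdict(set)
    for line in syslog_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            probes.append((m["ts"], m["ip"], m["proto"], int(m["port"])))
            continue
        m = BLOCK_RE.match(line)
        if m:
            blocks[m["ip"]].add(m["how"])
    return probes, dict(blocks)


def parse_hosts_deny(text):
    """Set of IPs with an 'ALL: <ip> : DENY' entry (the string portsentry writes)."""
    return {m["ip"] for m in map(HOSTS_DENY_RE.match, text.splitlines()) if m}


def reconcile(syslog_text, hosts_deny_text):
    """Cross-check the log against hosts.deny and flag three conditions."""
    probes, blocks = parse_attackalerts(syslog_text)
    denied = parse_hosts_deny(hosts_deny_text)
    probed = {ip for _, ip, _, _ in probes}
    return {
        # logged probe with no block line: BLOCK_TCP/UDP still "0", or host in the ignore file
        "probed_not_blocked": sorted(probed - set(blocks)),
        # portsentry said it wrote hosts.deny, but the entry is not there (file replaced/rotated)
        "blocked_missing_from_hosts_deny": sorted(set(blocks) - denied),
        # hosts.deny only covers libwrap-aware services; without the route drop,
        # a daemon such as named is still reachable from these hosts
        "wrappers_only": sorted(ip for ip, how in blocks.items() if how == {"wrappers"}),
    }


if __name__ == "__main__":
    for key, hosts in reconcile(SYSLOG_SAMPLE, HOSTS_DENY_SAMPLE).items():
        print(f"{key}: {', '.join(hosts) or '-'}")
```

On a live box the two inputs would be `open("/var/log/syslog").read()` and `open("/etc/hosts.deny").read()`. The `wrappers_only` bucket is the one worth watching on a DNS server: a hosts.deny entry does nothing for named, so the `route add -host ... reject` (or an iptables rule) is what actually stops the scanner talking to port 53.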

    Hello,


    I had a DNS DDoS attack, so I am writing down the steps I took on this issue. The solution was taken from the URL
    "https://debian-administration.org/article/623/Blocking_a_DNS_DDOS_using_the_fail2ban_package".


    Symptom:

    Code
    Oct  3 08:05:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:05:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:05:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:05:48 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:05:58 ns1 named[1708]: lame server resolving '238.13.130.221.in-addr.arpa' (in '13.130.221.in-addr.arpa'?): 211.103.13.101#53
    Oct  3 08:05:59 ns1 named[1708]: lame server resolving '238.13.130.221.in-addr.arpa' (in '13.130.221.in-addr.arpa'?): 211.138.200.69#53
    Oct  3 08:06:21 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:06:22 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:06:24 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:06:24 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:39 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '58.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:40 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '58.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:40 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '58.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:41 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '52.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:41 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '52.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:41 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '58.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:42 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '52.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:42 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '52.72.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53
    Oct  3 08:08:46 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.137#53
    Oct  3 08:08:47 ns1 named[1708]: error (unexpected RCODE REFUSED) resolving '97.73.52.120.in-addr.arpa/PTR/IN': 120.52.20.138#53


    You will get a permission error with the log file created for named, so change the file path to /tmp/security.log:


    Code
    logging {
        channel security_file {
            file "/tmp/security.log" versions 3 size 30m;
            severity dynamic;
            print-time yes;
        };
        category security { security_file; };
    };


    Blocking successful:


    Code
    03-Oct-2016 13:11:11.467 client 74.125.190.136#34346: query (cache) 'gobiernodenicaragua.gob.ni/A/IN' denied
    03-Oct-2016 13:11:11.738 client 74.125.190.12#41948: query (cache) 'gobiernodenicaragua.gob.ni/A/IN' denied
    03-Oct-2016 13:11:12.007 client 74.125.190.133#53942: query (cache) 'gobiernodenicaragua.gob.ni/A/IN' denied
    03-Oct-2016 13:59:12.298 client 198.48.92.104#54629: query (cache) 'satellite.cs.washington.edu/A/IN' denied
    03-Oct-2016 14:05:50.064 client 164.132.96.66#57657: query (cache) 'cpsc.gov/A/IN' denied
    03-Oct-2016 15:05:16.005 client 66.35.59.249#63937: query (cache) './NS/IN' denied
    03-Oct-2016 15:35:37.197 client 95.215.60.214#55397: query (cache) 'defcongroups.org/ANY/IN' denied
    03-Oct-2016 15:39:13.839 client 183.56.172.145#20000: query (cache) '776233637.www.baidu.com/A/IN' denied


    I hope this will be of help. Sorry for my English.


    :)
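The fail2ban approach in the post above boils down to: match the `query (cache) '...' denied` lines the BIND security channel writes, and ban a client once it produces more than `maxretry` of them within `findtime` seconds. The block below is an added example (not the post's configuration and not fail2ban's own filter code) that implements that logic directly so the matching and the threshold can be tested against sample lines. The log sample is constructed from the entries quoted above; the repeated `95.215.60.214` lines, the `198.51.100.7` zone-transfer line and the `resolver priming` line are invented to exercise the threshold, the second message type, and a non-matching line. The defaults `maxretry=5` and `findtime=60` are assumptions, not values from the post.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed excerpt of the BIND security channel (print-time yes gives the
# "dd-Mon-yyyy HH:MM:SS.mmm" prefix). Lines 4-8, the zone-transfer line and the
# priming line are invented; the rest follow the entries quoted in the post.
NAMED_SAMPLE = """\
03-Oct-2016 13:11:11.467 client 74.125.190.136#34346: query (cache) 'gobiernodenicaragua.gob.ni/A/IN' denied
03-Oct-2016 13:11:11.738 client 74.125.190.12#41948: query (cache) 'gobiernodenicaragua.gob.ni/A/IN' denied
03-Oct-2016 13:11:12.007 client 74.125.190.133#53942: query (cache) 'gobiernodenicaragua.gob.ni/A/IN' denied
03-Oct-2016 15:35:37.197 client 95.215.60.214#55397: query (cache) 'defcongroups.org/ANY/IN' denied
03-Oct-2016 15:35:37.301 client 95.215.60.214#55398: query (cache) 'defcongroups.org/ANY/IN' denied
03-Oct-2016 15:35:37.402 client 95.215.60.214#55399: query (cache) 'defcongroups.org/ANY/IN' denied
03-Oct-2016 15:35:37.510 client 95.215.60.214#55400: query (cache) 'defcongroups.org/ANY/IN' denied
03-Oct-2016 15:35:37.611 client 95.215.60.214#55401: query (cache) 'defcongroups.org/ANY/IN' denied
03-Oct-2016 15:39:13.839 client 183.56.172.145#20000: query (cache) '776233637.www.baidu.com/A/IN' denied
03-Oct-2016 15:40:02.118 client 198.51.100.7#1234: zone transfer 'example.net/AXFR/IN' denied
03-Oct-2016 15:41:00.000 resolver priming query complete
"""

# Matches both denied recursive queries and denied zone transfers; anything
# else on the channel (priming, lame-server notes, ...) is ignored.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"(?P<what>query(?: \(cache\))?|zone transfer) '(?P<name>[^']+)' denied$"
)


def parse_denied(text):
    """Yield (timestamp, client_ip, qname) for every denied query or transfer."""
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"), m["ip"], m["name"]


def denied_by_client(text):
    """How many denials each client produced (useful before picking maxretry)."""
    return Counter(ip for _, ip, _ in parse_denied(text))


def hosts_to_ban(text, maxretry=5, findtime=60, ignoreip=()):
    """Sliding-window threshold in the style of fail2ban's maxretry/findtime.

    Returns {ip: timestamp_of_the_denial_that_triggered_the_ban}. Clients in
    ignoreip (your own resolvers, monitoring hosts) are never banned.
    """
    windows = defaultdict(deque)
    banned = {}
    for ts, ip, _ in parse_denied(text):
        if ip in ignoreip or ip in banned:
            continue
        w = windows[ip]
        w.append(ts)
        # drop denials older than findtime; the deque is never empty here
        while (ts - w[0]).total_seconds() > findtime:
            w.popleft()
        if len(w) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print(denied_by_client(NAMED_SAMPLE).most_common())
    for ip, when in hosts_to_ban(NAMED_SAMPLE).items():
        print(f"ban {ip} (triggered {when:%H:%M:%S})")
```

Two things this makes visible that the raw log does not. First, a threshold on `denied` lines alone will eventually catch legitimate public resolvers: the `74.125.190.x` clients in the post's own log are in a range operated by Google, and banning them means users of that resolver can no longer reach any zone this server is authoritative for, so such resolvers belong in `ignoreip`. Second, the log path in the post is `/tmp/security.log`; a directory owned by the bind user under `/var/log` avoids writing the log into a world-writable location and works with the same `channel` stanza.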

    Hello everyone, I am getting strange behaviour when sending mail, both via Webmail and from mail clients; part of the error message is this:


    *************************************************************************************************************************
    Reporting-MTA: dns; ns1.server1.com
    X-Postfix-Queue-ID: 7E0B02FDA0C9
    X-Postfix-Sender: rfc822; [email protected]
    Arrival-Date: Sun, 15 Feb 2015 18:36:51 -0600 (CST)

    Final-Recipient: rfc822; [email protected]
    Original-Recipient: rfc822;[email protected]


    Action: failed
    Status: 5.3.0
    Diagnostic-Code: x-unix; [_[0;31mFATAL_[0m] main: Unable to get message body
    at /var/www/imscp/engine/messenger/imscp-arpl-msgr line 59, <STDIN> line
    71. Exit code: 255
    *********************************************************************************************************************


    This happens when I send a mail within the same domain.


    When I send a mail to gmail (for example), it is sent fine and on the gmail side it is received OK, but when I reply to that mail I get the same mail error as before; nevertheless the server receives everything from gmail OK. Part of the message that gmail receives is this:


    *********************************************************************************************************
    This is the mail system at host ns1.solutsa.com.
    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    For further assistance, please send mail to postmaster.
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
    The mail system


    <[email protected]> (expanded from <[email protected]>):
    Command died with status 255:


    "/var/www/imscp/engine/messenger/imscp-arpl-msgr". Command output:
    [_[0;31mFATAL_[0m] main: Unable to get message body at
    /var/www/imscp/engine/messenger/imscp-arpl-msgr line 59, <STDIN> line 76.
    Exit code: 255


    Final-Recipient: rfc822; [email protected]
    Original-Recipient: rfc822;[email protected]


    Action: failed
    Status: 5.3.0


    Diagnostic-Code: x-unix; [_[0;31mFATAL_[0m] main: Unable to get message body
    at /var/www/imscp/engine/messenger/imscp-arpl-msgr line 59, <STDIN> line
    76. Exit code: 255


    ***************************************************************************************************************


    This started happening after I upgraded from 1.2.1 to 1.2.2 stable.


    Regards.

    To be a bit clearer regarding the jail: do you mean the fail2ban one, or the jail with the plugin?


    If it is the fail2ban one, I change the port; but as far as the plugin is concerned, everything works without problems.


    Regards.

    I have no problems with normal FTP connections; it is only, as you say, to offer an alternative of using secure connections, in this case SFTP.


    With the ssh jail, I change the port in "port" and that's it.


    Regards.

    Hello everyone, after researching how to enable this, here are the steps for anyone who wants to use the FTP service but in secure mode, "SFTP". Details below:


    First of all, some packages must be installed that are needed by the "InstantSSH" plugin (this enables SSH mode, which is then used by the SFTP service): apt-get install (or aptitude install) libpam-chroot makejail busybox


    Then we go to our Panel, go to Settings, Plugin Management; there we upload the plugin, which can be found as InstantSSH, install it and then activate it.


    Once all of the above is done, we can refresh the screen and you will see that an option "SSH Permissions" has been added, in which we must enter the resellers so that they can give their customers the option of using SSH. We switch to the reseller, click on Customers, click on the SSH Permissions option, and add the names of the customers to activate ssh mode and the number of users.


    Having done all of the above, we switch to the customer, click on Domains and then on SSH users, and enter the user name and the password.


    In the FileZilla client, we make the following change:
    In Site Manager, enter Host: eldominio.com, Port: 22 (this is customizable in the system)
    Protocol: SFTP - SSH File Transfer Protocol
    Logon Type: Normal
    User: created_user (without @midominio.com)
    Password: the password of the created user


    Done; with this you can log in via secure FTP.


    Many thanks for the forum, where I have been analyzing solutions.


    Regards.

    I have a question: how can I enable or activate the protected mode of the ftp service, that is, make it use sftp? As you know, if someone puts a sniffer in place they will capture the user and password of the ftp account, but using the secure SFTP mode I have better protection.


    Is this configuration valid, and does it enable it? See post: Proftpd funktioniert nach Installation von I-MSCP 1.2.1 nicht mehr. Bitte um Hilfe. I imagine the file to modify is /etc/proftpd/proftpd.conf?


    Many thanks in advance.


    IMSCP 1.2.1
    Plugin InstantSSH 3.1.x
    FTP client - FileZilla


    Regards.
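The question above gives the reason for moving from FTP to SFTP: a sniffer on the path sees the FTP account name and password. The block below is an added example (not code from the thread, i-MSCP or the InstantSSH plugin) that shows exactly what a passive observer gets from each protocol. It walks a constructed FTP control-channel exchange, recovering every `USER`/`PASS` pair together with whether the server accepted it and the data-connection endpoint announced in the `227` reply, and then does the same to the start of a constructed SSH session, where only the version banner is readable. Both captures, the host name `203.0.113.10`, the account `webuser` and its passwords are invented for illustration.

```python
import re

# Constructed FTP control channel as seen on the wire (client lines have no
# prefix; server replies start with a 3-digit code). One failed and one
# successful login, then a passive-mode directory listing.
FTP_CAPTURE = (
    b"220 FTP Server ready.\r\n"
    b"USER webuser\r\n"
    b"331 Password required for webuser\r\n"
    b"PASS wrongpass\r\n"
    b"530 Login incorrect.\r\n"
    b"USER webuser\r\n"
    b"331 Password required for webuser\r\n"
    b"PASS S3cret!pw\r\n"
    b"230 User webuser logged in\r\n"
    b"PASV\r\n"
    b"227 Entering Passive Mode (203,0,113,10,195,80).\r\n"
    b"LIST\r\n"
    b"150 Opening ASCII mode data connection for file list\r\n"
    b"226 Transfer complete\r\n"
    b"QUIT\r\n"
    b"221 Goodbye.\r\n"
)

# Constructed SSH session start: a cleartext version banner, followed by a
# stand-in for the key exchange and encrypted records (not real SSH packets).
SSH_CAPTURE = b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n" + bytes(range(256)) * 2

REPLY_CODE_RE = re.compile(r"^(\d{3})[ -]")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def ftp_credentials(stream):
    """Return [(user, password, outcome)] for each PASS attempt in the stream.

    outcome is 'ok' for a 230 reply, 'failed' for 530, 'unknown' otherwise.
    A PASS without a preceding USER is recorded with user=None.
    """
    creds, user, password = [], None, None
    for raw in stream.split(b"\r\n"):
        line = raw.decode("latin-1")
        verb = line[:5].upper()
        if verb == "USER ":
            user, password = line[5:], None
        elif verb == "PASS ":
            password = line[5:]
        elif password is not None:
            m = REPLY_CODE_RE.match(line)
            if m:  # first server reply after PASS decides the attempt
                outcome = {"230": "ok", "530": "failed"}.get(m.group(1), "unknown")
                creds.append((user, password, outcome))
                user = password = None
    return creds


def passive_data_endpoint(stream):
    """(ip, port) the server announced in its 227 reply, or None if absent."""
    for raw in stream.split(b"\r\n"):
        m = PASV_RE.match(raw.decode("latin-1"))
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def ssh_visible_plaintext(stream):
    """The only protocol text an observer can read from an SSH session is the
    banner before the first CRLF; authentication happens inside the encrypted
    channel that follows. Returns (banner, number_of_opaque_bytes)."""
    banner, _, rest = stream.partition(b"\r\n")
    return banner.decode("ascii", "replace"), len(rest)


if __name__ == "__main__":
    for user, pw, outcome in ftp_credentials(FTP_CAPTURE):
        print(f"FTP login {user!r}/{pw!r}: {outcome}")
    print("FTP data connection:", passive_data_endpoint(FTP_CAPTURE))
    print("SSH: banner %r, %d opaque bytes" % ssh_visible_plaintext(SSH_CAPTURE))
```

Run against a real capture, the FTP function would be fed the reassembled TCP payload of the port-21 stream (for example exported from Wireshark's "Follow TCP Stream"), which is why the failed attempt is tracked separately: an attacker watching the wire learns the valid password as well as the near misses. Applying the same function to the SSH stream yields nothing, which is the property the thread is after.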