Posts by scieri

    Hello Dev Team,


    I've encountered several web server security issues/tries along the way, most of them from script kiddies, like unwanted penetration scanning or just fake requests to nonexistent resources, causing logging of lots of 400-417, 500-505 messages, which translates into a waste of resources and bandwidth. I've searched for a solution using fail2ban without success.


    I've found the solution in the following Perl script (https://calomel.org/web_server_abuse_detection.html), which I've tested on my I-MSCP server successfully. Apart from the script provided by the Calomel team, I've also spent some time creating an easy implementation for Debian, for now in the form of a daemon for simple start or stop of the script.
    I was wondering if the Dev Team and the users of I-MSCP will find this useful for their deployment in securing their servers, as I can find a solution in implementing the daemon and the script with I-MSCP: integrated, as a plugin or module/extension?
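    As an added example (not the Calomel script and not code from the post or from I-MSCP), here is the core of what such an abuse detector does, written in Python: it reads Apache combined-log lines, keeps only responses in the 400-417 and 500-505 ranges the post mentions, and reports client IPs that produced at least a threshold number of them inside a sliding time window. The log lines, IP addresses, threshold and window length are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log format (invented IPs and
# requests, not taken from any real server log).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2015:02:50:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2015:02:50:02 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2015:02:50:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2015:02:50:03 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2015:02:50:03 +0000] "GET /cgi-bin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Apr/2015:02:50:05 +0000] "GET / HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Apr/2015:02:50:06 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Apr/2015:03:10:06 +0000] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-log entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def is_abuse_status(status):
    # The status ranges the post complains about: 400-417 and 500-505.
    return 400 <= status <= 417 or 500 <= status <= 505


def find_abusers(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for every IP that produced at least `threshold`
    error responses inside some window of length `window`. A single 404 for a
    missing favicon never trips this; a burst of probes for admin paths does."""
    error_times = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_abuse_status(parsed[2]):
            error_times[parsed[0]].append(parsed[1])

    abusers = {}
    for ip, times in error_times.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                abusers[ip] = max(abusers.get(ip, 0), count)
    return abusers


if __name__ == "__main__":
    for ip, count in find_abusers(SAMPLE_LOG).items():
        print(f"{ip}: {count} error responses within 60s")
```

    The output of `find_abusers` is the decision a banning tool acts on; fail2ban expresses the same idea with a filter regex plus `maxretry` and `findtime`, which is why a jail whose filter matches these status codes covers the same ground as the Calomel script's threshold.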

    Are you sure? Have you checked the logfiles?

    Thank you for the responses. Yes, I've checked the logs; no sign of emails being sent from my server. From the message headers I can see that the mailer is PHPMailer (so it must be some sort of automated script), and the Message-ID contains different .ru/.de domains. So basically I think that this is a bot attack.
    All I did was to remove the catch-all, and this helped me not to receive the trash emails in my inbox, and I'm hoping that in the future the rejected emails will make the attackers quit.

    Is there a PHP script which sends mails from your server? How many mails are in the mail queue? Check your logs (Apache access logs).

    The emails are not sent from my server; they are fake and have the return address or From field set as [email protected], which makes the bounced emails return to my domain (I have a catch-all set up).


    The thing is that this server uses DDNS so I can't use SPF (or at least it is not working). SPF is set with H.E.

    Hello to all,


    I have a server with I-MSCP installed (Postfix + Dovecot) and in the past couple of days, for one of my domains, I've received a couple of bounced emails as "Undelivered Mail Returned to Sender" (random From, Reply-To, Return-Path, etc. set as [email protected]), emails that are bounced from Gmail or different servers (sent to strange email addresses).
    Checking the headers or the email source doesn't make more sense of it; a couple of emails were bounced from servers in Germany, Gmail, Yahoo.


    The question is how you guys protect against spoofing; the restrictions I've set in Postfix don't seem to be working against this kind of useless attack.

    Hello all,


    I have a small issue trying to log in to FTP on my I-MSCP server. The issue is that I didn't save all my passwords in my WinSCP after an OS upgrade and I don't really know what user I was logging into my server with. The access was set before installing I-MSCP.
    I have I-MSCP admin, Webmin and SSH access. As I remember I was using the root account to log in to FTP to access /, but it's not working (even allowing root login in proftpd). I can log in using my websites' FTP accounts but these are restricted only to their document root, not /.
    So the question is what username/account can be used to access / on my server's FTP, besides the normal FTP account set for the reseller?

    Found out what the issue was: Chinese and Ukrainian bots trying to POST to the WordPress login page, even though the login page was blocked only for certain IPs, and I didn't have any fail2ban jail set for this kind of attack.


    Any ideas about this other kind of attack?

    Code
    Apr 21 02:51:24 domain.com postfix/smtpd[15597]: sql plugin Parse the username daryl
    Apr 21 02:51:24 domain.com postfix/smtpd[15597]: sql plugin try and connect to a host
    Apr 21 02:51:24 domain.com postfix/smtpd[15597]: sql plugin trying to open db 'imscp' on host '127.0.0.1:3306'
    Apr 21 02:51:25 domain.com postfix/smtpd[15597]: sql plugin Parse the username daryouch
    Apr 21 02:51:25 domain.com postfix/smtpd[15597]: sql plugin try and connect to a host
    Apr 21 02:51:25 domain.com postfix/smtpd[15597]: sql plugin trying to open db 'imscp' on host '127.0.0.1:3306'
    Apr 21 02:51:25 domain.com postfix/smtpd[15597]: begin transaction
    Apr 21 02:51:25 domain.com postfix/smtpd[15597]: sql plugin create statement from userPassword daryouch domain.com
    Apr 21 02:51:25 domain.com postfix/smtpd[15597]: sql plugin doing query SELECT mail_pass FROM mail_users WHERE mail_addr = '[email protected] ' AND status = 'ok';
    Apr 21 02:51:25 domain.com postfix/smtpd[15597]: sql plugin: no result found
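    The log excerpt above shows one smtpd process looking up a series of different usernames in the i-MSCP mail database, each ending in "no result found": the signature of an SMTP AUTH dictionary attack against accounts that do not exist. As an added example (not code from the post or from I-MSCP), the Python below parses lines in that format, pairs each "Parse the username" lookup with the "no result found" that follows it in the same smtpd process, and flags processes in which several distinct nonexistent usernames were tried within a short window. The sample lines are constructed after the post's excerpt (extra usernames, the second process and the year are invented, since syslog timestamps carry no year); the threshold and window are also assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the post's excerpt. Usernames beyond
# the first two, the second smtpd PID and the timestamps are invented.
SAMPLE_LOG = """\
Apr 21 02:51:24 domain.com postfix/smtpd[15597]: sql plugin Parse the username daryl
Apr 21 02:51:24 domain.com postfix/smtpd[15597]: sql plugin try and connect to a host
Apr 21 02:51:24 domain.com postfix/smtpd[15597]: sql plugin trying to open db 'imscp' on host '127.0.0.1:3306'
Apr 21 02:51:24 domain.com postfix/smtpd[15597]: sql plugin: no result found
Apr 21 02:51:25 domain.com postfix/smtpd[15597]: sql plugin Parse the username daryouch
Apr 21 02:51:25 domain.com postfix/smtpd[15597]: begin transaction
Apr 21 02:51:25 domain.com postfix/smtpd[15597]: sql plugin: no result found
Apr 21 02:51:26 domain.com postfix/smtpd[15597]: sql plugin Parse the username dave
Apr 21 02:51:26 domain.com postfix/smtpd[15597]: sql plugin: no result found
Apr 21 02:51:26 domain.com postfix/smtpd[15597]: sql plugin Parse the username david
Apr 21 02:51:26 domain.com postfix/smtpd[15597]: sql plugin: no result found
Apr 21 02:53:10 domain.com postfix/smtpd[15601]: sql plugin Parse the username alice
Apr 21 02:53:10 domain.com postfix/smtpd[15601]: sql plugin: no result found
Apr 21 02:53:30 domain.com postfix/smtpd[15601]: sql plugin Parse the username alice
"""

# syslog timestamp, host, smtpd PID and the remainder of the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
USER_RE = re.compile(r"sql plugin Parse the username (?P<user>\S+)")
NO_RESULT = "sql plugin: no result found"


def parse_events(log_text, year=2015):
    """Yield (timestamp, username, pid) for every username lookup that ended
    with 'no result found' in the same smtpd process. `year` is assumed
    because syslog lines do not carry one."""
    pending = {}  # pid -> (timestamp, username) of the unresolved lookup
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group("pid"), m.group("msg")
        um = USER_RE.search(msg)
        if um:
            pending[pid] = (ts, um.group("user"))
        elif msg == NO_RESULT and pid in pending:
            ts, user = pending.pop(pid)
            yield ts, user, pid


def find_enumeration(log_text, threshold=3, window_seconds=60, year=2015):
    """Return {pid: sorted distinct usernames} for smtpd processes in which at
    least `threshold` distinct nonexistent usernames were tried inside any
    `window_seconds` span. One typo'd login never qualifies; a wordlist does."""
    by_pid = defaultdict(list)
    for ts, user, pid in parse_events(log_text, year):
        by_pid[pid].append((ts, user))

    flagged = {}
    for pid, events in by_pid.items():
        events.sort()
        start = 0  # left edge of the sliding window
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= threshold:
                flagged[pid] = sorted(set(flagged.get(pid, [])) | users)
    return flagged


if __name__ == "__main__":
    for pid, users in find_enumeration(SAMPLE_LOG).items():
        print(f"smtpd[{pid}]: {len(users)} nonexistent users tried: {', '.join(users)}")
```

    These sql-plugin lines identify the smtpd process but not the client, so the detector can only say that an enumeration happened; to ban the source, match the smtpd warning that Postfix logs for the failed SASL authentication (it carries the client address) and give fail2ban a jail on that line, which is the same gap the post found for the WordPress login POSTs.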

    Hello to all,


    I've found a curiosity about one of my domains that I host on an I-MSCP 1.2.2 server.
    In the statistics for this particular domain, on one day it had a massive web traffic value compared to previous days, while the number of visitors was lower than on previous days.
    From the domain's logs I don't see anything out of the ordinary.


    Is there a way to find out how the web traffic is calculated (what it represents), so I can figure out where the bandwidth eater is?