Posts by fulltilt

    - IMSCP: 1.4.6
    - Distribution: Debian 8.6
    - Proftpd
    - PHP 7 - FCGID
    - MariaDB 10.0
    - Courier
    - Roundcube
    - Pydio
    - Plugins:
    PanelRedirect 1.1.5, PMA Captcha 1.1.1, RoundCubePlugins 2.0.1, SpamAssassin 1.1.1 , LetsEncrypt 3.2.1


    I'm just testing some fail2ban rules and noticed that /var/log/nginx/error.log is always empty; the access log is working fine.

    - IMSCP: 1.3.16
    - Distribution: Debian 8.6
    - Proftpd
    - PHP FCGID
    - MariaDB 10.0
    - Courier
    - Roundcube
    - Pydio
    - Plugins:
    PanelRedirect 1.1.5, PMA Captcha 1.1.1, RoundCubePlugins 2.0.1, SpamAssassin 1.1.1


    I know this version is no longer supported; it will be updated next weekend.
    Sometimes IMAP hangs and I have to restart the Courier and IMAP services ... any idea?

    Code
    Jun 16 16:40:43 host3 pop3d-ssl: rename(./new/1497623644.M794606P2025V0000000000000902I0000000000D8225D_0.host3,S=37651,./cur/1497623644.M794606P2025V0000000000000902I0000000000D8225D_0.host3,S=37651:2,) failed: No such file or directory
    Jun 16 16:40:43 host3 pop3d-ssl: rename(./new/1497623023.M839418P32244V0000000000000902I0000000000D82257_0.host3,S=411218,./cur/1497623023.M839418P32244V0000000000000902I0000000000D82257_0.host3,S=411218:2,) failed: No such file or directory
    Jun 16 16:40:43 host3 pop3d-ssl: rename(./new/1497623577.M719763P1909V0000000000000902I0000000000D8225B_0.host3,S=519253,./cur/1497623577.M719763P1909V0000000000000902I0000000000D8225B_0.host3,S=519253:2,) failed: No such file or directory
    Jun 16 16:40:43 host3 pop3d-ssl: rename(./new/1497623034.M33677P32253V0000000000000902I0000000000D8225A_0.host3,S=12345,./cur/1497623034.M33677P32253V0000000000000902I0000000000D8225A_0.host3,S=12345:2,) failed: No such file or directory
    Jun 16 16:40:43 host3 pop3d-ssl: rename(./new/1497621360.M613239P23790V0000000000000902I0000000000D82242_0.host3,S=22568,./cur/1497621360.M613239P23790V0000000000000902I0000000000D82242_0.host3,S=22568:2,) failed: No such file or directory
    Jun 16 16:40:43 host3 pop3d-ssl: rename(./new/1497622491.M295342P30324V0000000000000902I0000000000D82243_0.host3,S=320965,./cur/1497622491.M295342P30324V0000000000000902I0000000000D82243_0.host3,S=320965:2,) failed: No such file or directory
    Jun 16 17:09:51 host3 imapd: xxx@xxx.tld: INTERNAL ERROR: Keyword hashtable memory corruption

    It seems last night's cron.daily disabled a SpamAssassin rule ... any idea?

    - IMSCP: 1.4.3
    - Distribution: Debian 8.6
    - Proftpd
    - PHP FCGID
    - MariaDB 10.0
    - Courier
    - Roundcube
    - Pydio
    - Plugins:
    PanelRedirect 1.1.5, PMA Captcha 1.1.1, RoundCubePlugins 2.0.1, SpamAssassin 1.1.1 , LetsEncrypt 3.2.1


    Nuxwin
    I would like to use a newer version of Fail2ban because of its improvements and the fake-Googlebot filter ...
    Is it safe to use these packages with IMSCP, especially gamin >= 0.0.21 and systemd >= 204?


    Details:
    http://www.garasiku.web.id/web…-library-in-debian-jessie


    http://dedetoknotes.blogspot.l…lling-fail2ban-095-1.html

    Yeah ... 24 hours without an Apache crash / restart :D


    additional filter

    @Nuxwin maybe you should move this thread to the security or OT area ...
    Currently I am using Fail2Ban and ModReqtimeout; I would be thankful for further suggestions.


    It seems to be a huge international network ... since yesterday about 800 IP addresses have been blocked with fail2ban.

    Code
    # Fail2Ban
    # /etc/fail2ban/filter.d/apache-nokiddies.conf
    [Definition]
    failregex = ^<HOST> .*"GET .*w00tw00t
                ^<HOST> .*"GET .*admin.* 403
                ^<HOST> .*"GET .*admin.* 404
                ^<HOST> .*"GET .*install.* 404
                ^<HOST> .*"GET .*dbadmin.* 404
                ^<HOST> .*"GET .*myadmin.* 404
                ^<HOST> .*"GET .*MyAdmin.* 404
                ^<HOST> .*"GET .*mysql.* 404
                ^<HOST> .*"GET .*websql.* 404
                ^<HOST> .*"GET \/pma\/.* 404
                ^<HOST> .*"GET .*wp-content.* 404
                ^<HOST> .*"GET .*wp-login.* 404
                ^<HOST> .*"GET .*typo3.* 404
                ^<HOST> .*"HEAD .*manager.* 404
                ^<HOST> .*"HEAD .*blackcat.* 404
                ^<HOST> .*"HEAD .*sprawdza.php.* 404
                ^<HOST> .*"GET .*webdav.* 404
                ^<HOST> .*"GET .*wp-admin.* 404
                ^<HOST> .*"GET .*manager.* 302
                ^<HOST> .*"GET .*setup-config.php.* 404
    ignoreregex =

    ################
    # /etc/fail2ban/jail.local
    [apache-nokiddies]
    enabled = true
    port = http,https
    filter = apache-nokiddies
    logpath = /var/log/apache2/*/access.log
    maxretry = 1
    bantime = 2592000

    ##################
    # ModReqtimeout
    # /etc/apache2/mods-available/reqtimeout.conf
    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500


    ## edit ##
    Do not use the sample filter from above ...
    You need to adjust the regexes according to your logs, e.g.:

    Code
    ^<HOST> .*"GET \/bitrix\/admin\/index.php.* 400
    ^<HOST> .*"GET \/admin\/login.php HTTP\/1.1 400

    Server version: Apache/2.4.10 (Debian)
    http://httpd.apache.org/security/vulnerabilities_24.html
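Added example (not from the original posts or from the i-MSCP project): a small Python harness that expands `<HOST>` the way fail2ban does, runs a failregex list over constructed combined-format access log lines, and shows why the broad `.*admin.* 404` line from the first filter also bans a legitimate visitor who hits a missing stylesheet, while patterns written against the actual request line do not. The `TUNED` patterns, the sample lines and the documentation-range IPs are assumptions for illustration; on a real server the same check is done with `fail2ban-regex <logfile> <filter>` before enabling a jail.

```python
import re
from collections import Counter

# fail2ban's classic expansion of the <HOST> tag (IPv4, IPv6 or hostname).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Broad pattern from the first filter in the thread: any 404 whose path contains "admin".
BROAD = [r'^<HOST> .*"GET .*admin.* 404']

# Tuned patterns (assumption, written for illustration against Apache's combined
# log format: quoted request line, then status code) targeting the probes in the thread.
TUNED = [
    r'^<HOST> .*"GET \S*/wp-admin/setup-config\.php\?step=1 HTTP/1\.[01]" (?:302|404) ',
    r'^<HOST> .*"GET /manager/assets/\S* HTTP/1\.[01]" (?:302|404) ',
]

# Constructed sample lines (documentation-range IPs, not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/May/2017:15:45:18 +0200] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 404 724 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.11 - - [27/May/2017:15:43:05 +0200] "GET /blog/wp-admin/setup-config.php?step=1 HTTP/1.1" 302 250 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.12 - - [27/May/2017:15:41:13 +0200] "GET /manager/assets/modext/core/modx.js HTTP/1.1" 302 247 "-" "Mozilla/5.0 (Windows NT 6.2; rv:46.0) Gecko/20100101 Firefox/46.0"',
    # A legitimate user hitting a missing stylesheet: must NOT be banned.
    '198.51.100.7 - - [27/May/2017:15:50:00 +0200] "GET /css/admin-theme.css HTTP/1.1" 404 512 "https://panel.example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/53.0"',
    # A normal successful panel request.
    '198.51.100.7 - - [27/May/2017:15:50:01 +0200] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/53.0"',
]


def compile_failregex(patterns):
    """Expand <HOST> like fail2ban and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def run_filter(patterns, lines):
    """Return {host: hit_count} for every line matched by any failregex.

    Simplification: fail2ban strips the matched date from the line before
    applying failregex; because these patterns use '.*' before the request,
    matching the full line gives the same result for this log format.
    """
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line, as fail2ban counts it
    return dict(hits)


def would_ban(patterns, lines, maxretry=1):
    """Hosts that reach maxretry hits (the jail in the thread uses maxretry = 1)."""
    return sorted(h for h, n in run_filter(patterns, lines).items() if n >= maxretry)


if __name__ == "__main__":
    print("broad filter bans :", would_ban(BROAD, SAMPLE_LOG))
    print("tuned filter bans :", would_ban(TUNED, SAMPLE_LOG))
```

With `maxretry = 1` a single false positive is an immediate 30-day ban, so every pattern should be run over a day of real access logs (the legitimate traffic, not just the scanner lines) before the jail goes live.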

    - IMSCP: 1.4.3
    - Distribution: Debian 8.6
    - Proftpd
    - PHP FCGID
    - MariaDB 10.0
    - Courier
    - Roundcube
    - Pydio
    - Plugins:
    PanelRedirect 1.1.5, PMA Captcha 1.1.1, RoundCubePlugins 2.0.1, SpamAssassin 1.1.1 , LetsEncrypt 3.2.0


    I see many of these requests in my panel access.log:


    Code
    188.165.203.182 - - [27/May/2017:15:45:18 +0200] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 404 724 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    178.18.90.86 - - [27/May/2017:15:43:05 +0200] "GET /blog/wp-admin/setup-config.php?step=1 HTTP/1.1" 302 250 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    82.217.114.19 - - [27/May/2017:15:41:13 +0200] "GET /manager/assets/modext/core/modx.js HTTP/1.1" 302 247 "-" "Mozilla/5.0 (Windows NT 6.2; rv:46.0) Gecko/20100101 Firefox/46.0"
    94.23.35.86 - - [27/May/2017:15:40:27 +0200] "GET /new/wp-admin/setup-config.php?step=1 HTTP/1.1" 404 724 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    80.91.50.132 - - [27/May/2017:16:02:31 +0200] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 302 245 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    It seems to be a Slowloris attack, which could also explain my Apache timeouts ...
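Added example (not part of the original post): the standard check for telling a genuine Googlebot from a scanner that merely sends the Googlebot User-Agent, as a Python function: reverse-resolve the client IP, require a `googlebot.com` or `google.com` name, then forward-resolve that name and require the original IP to be among the answers. The resolver table, host names and documentation-range IPs below are constructed assumptions so the script runs offline; the `live_*` functions use the system resolver for real checks.

```python
import re
import socket
from typing import Callable, Dict, List, Tuple

# Google publishes these domains for the reverse-DNS names of its crawlers.
GOOGLE_CRAWLER_DOMAINS = (".googlebot.com", ".google.com")

# Combined log format: client IP first, User-Agent as the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) .* "(?P<ua>[^"]*)"$')

# Constructed resolver data (assumption, not real DNS) so the check runs offline.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.50": "crawl-192-0-2-50.googlebot.com",  # genuine: PTR and forward lookup agree
    "192.0.2.51": "crawl-192-0-2-50.googlebot.com",  # spoofed PTR: forward lookup disagrees
    "192.0.2.52": "host52.attacker.example",          # Googlebot UA from an ordinary host
}
FAKE_A: Dict[str, List[str]] = {
    "crawl-192-0-2-50.googlebot.com": ["192.0.2.50"],
    "host52.attacker.example": ["192.0.2.52"],
}


def fake_reverse(ip: str) -> str:
    return FAKE_PTR[ip]  # KeyError stands in for NXDOMAIN


def fake_forward(name: str) -> List[str]:
    return FAKE_A[name]


def live_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def live_forward(name: str) -> List[str]:
    return socket.gethostbyname_ex(name)[2]


def is_genuine_googlebot(ip: str,
                         reverse: Callable[[str], str] = live_reverse,
                         forward: Callable[[str], List[str]] = live_forward) -> Tuple[bool, str]:
    """Reverse lookup, crawler-domain check, then the forward lookup must return the same IP."""
    try:
        ptr = reverse(ip)
    except (socket.herror, socket.gaierror, KeyError):
        return False, "no PTR record"
    if not ptr.lower().endswith(GOOGLE_CRAWLER_DOMAINS):
        return False, f"PTR {ptr} is not a Google crawler name"
    try:
        addrs = forward(ptr)
    except (socket.gaierror, KeyError):
        return False, f"PTR {ptr} does not resolve forward"
    if ip not in addrs:
        return False, f"forward lookup of {ptr} does not return {ip}"
    return True, f"verified via {ptr}"


def classify_googlebot_lines(lines, reverse=live_reverse, forward=live_forward):
    """For each line whose User-Agent claims Googlebot, return (ip, genuine, reason)."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "Googlebot" not in m.group("ua"):
            continue  # other clients are not checked here
        ok, why = is_genuine_googlebot(m.group("ip"), reverse, forward)
        results.append((m.group("ip"), ok, why))
    return results


# Constructed sample lines modelled on the probes in the thread (documentation-range IPs).
SAMPLE_LINES = [
    '192.0.2.50 - - [27/May/2017:15:45:18 +0200] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.51 - - [27/May/2017:15:43:05 +0200] "GET /blog/wp-admin/setup-config.php?step=1 HTTP/1.1" 302 250 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.52 - - [27/May/2017:15:40:27 +0200] "GET /new/wp-admin/setup-config.php?step=1 HTTP/1.1" 404 724 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [27/May/2017:15:41:13 +0200] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (Windows NT 6.2; rv:46.0) Gecko/20100101 Firefox/46.0"',
]

if __name__ == "__main__":
    for ip, ok, why in classify_googlebot_lines(SAMPLE_LINES, fake_reverse, fake_forward):
        print(f"{ip:<14} {'genuine' if ok else 'FAKE   '} {why}")
```

The forward step is what defeats a spoofed PTR record: anyone controlling the reverse zone of their own address block can name it `crawl-...googlebot.com`, but only Google can make `googlebot.com` resolve back to that address.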

    - IMSCP: 1.4.3
    - Distribution: Debian 8.6
    - Proftpd
    - PHP FCGID
    - MariaDB 10.0
    - Courier
    - Roundcube
    - Pydio
    - Plugins:
    PanelRedirect 1.1.5, PMA Captcha 1.1.1, RoundCubePlugins 2.0.1, SpamAssassin 1.1.1 , LetsEncrypt 3.0.0


    I see many "Failed to load plugin file ... rcguard" errors; I have disabled rcguard for now.

    Code
    /var/www/imscp/gui/public/tools/webmail/logs/errors
    [16-May-2017 10:42:55 +0200]: PHP Error: Failed to load plugin file /var/www/imscp/gui/public/tools/webmail/plugins/rcguard/rcguard.php in /var/www/imscp/gui/public/tools/webmail/program/lib/Roundcube/rcube_plugin_api.php on line 173 (POST /webmail/?_task=mail&_action=refresh)

    - IMSCP: 1.4.3
    - Distribution: Debian 8.6
    - Proftpd
    - PHP FCGID
    - MariaDB 10.0
    - Courier
    - Roundcube
    - Pydio
    - Plugins:
    PanelRedirect 1.1.5, PMA Captcha 1.1.1, RoundCubePlugins 2.0.1, SpamAssassin 1.1.1 , LetsEncrypt 3.0.0



    Updated from 1.3.16 to 1.4.3.
    I get a "Could not list directory" message when I try to select a folder.



    ### edit ###
    It only appears when TLS is disabled in ProFTPD.
    I disabled it for testing because of the sluggish connection with TLS enabled.