Attack on my server


Bhavin Mehta

Feb 19, 2013, 3:29:04 AM
to vglug
Hi,

There is an attack on one of my servers and I am not able to find out exactly which attack it is. It uses up my bandwidth: a week ago it used 400 GB in just 8 to 10 hours. Bandwidth use was 50 Mbps per second; after implementing a firewall it is restricted, but it is still using 3 Mbps per second.

I have created a shell script that monitors my network traffic; if traffic is higher than 1 Mbps it runs the vnstat command and sends me a mail with the output.

Below is my vnstat command output.

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 mydomain.com:36892          5.9.54.81:61654         ESTABLISHED -
udp        0      0 mydomain.com:37010          5.9.54.81:29649         ESTABLISHED -
udp        0      0 mydomain.com:49814          5.9.54.81:62219         ESTABLISHED -
udp        0      0 mydomain.com:45735          5.9.54.81:43603         ESTABLISHED -
udp        0      0 mydomain.com:38090          5.9.19.81:8688          ESTABLISHED -
udp        0      0 mydomain.com:34549          5.9.19.81:33818         ESTABLISHED -
udp        0      0 mydomain.com:34094          5.9.54.81:15492         ESTABLISHED -
udp        0      0 mydomain.com:58196          5.9.19.81:10131         ESTABLISHED -
udp        0      0 mydomain.com:51101          5.9.54.81:28962         ESTABLISHED -
udp        0      0 mydomain.com:57764          5.9.19.81:38847         ESTABLISHED -

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 mydomain.com:54904          5.9.54.81:22361         ESTABLISHED -
udp        0      0 mydomain.com:51349          5.9.19.81:24598         ESTABLISHED -
udp        0      0 mydomain.com:53477          5.9.19.81:sgi-cmsd      ESTABLISHED -
udp        0      0 mydomain.com:34052          5.9.19.81:9371          ESTABLISHED -
udp        0      0 mydomain.com:59677          5.9.19.81:17233         ESTABLISHED -
udp        0      0 mydomain.com:37882          5.9.54.81:3438          ESTABLISHED 20505/apache2
udp        0      0 mydomain.com:59677          5.9.19.81:17233         ESTABLISHED -
udp        0      0 mydomain.com:59677          5.9.19.81:17233         ESTABLISHED -

tcp        0      0 mydomain.com:http           176.123.0.116:54417     TIME_WAIT   -
udp        0      0 mydomain.com:34899          5.9.54.81:57915         ESTABLISHED -
udp        0      0 mydomain.com:60025          5.9.54.81:11376         ESTABLISHED -
udp        0      0 mydomain.com:52392          5.9.19.81:57912         ESTABLISHED -
udp        0      0 mydomain.com:50861          5.9.54.81:40979         ESTABLISHED -
udp        0      0 mydomain.com:59663          5.9.54.81:38357         ESTABLISHED -
udp        0      0 mydomain.com:41240          5.9.19.81:63422         ESTABLISHED -
udp        0      0 mydomain.com:42271          5.9.19.81:5471          ESTABLISHED -
udp        0      0 mydomain.com:47403          5.9.54.81:40829         ESTABLISHED -
udp        0      0 mydomain.com:44535          5.9.19.81:9421          ESTABLISHED -
udp        0      0 mydomain.com:44535          5.9.19.81:9421          ESTABLISHED -

udp        0      0 mydomain.com:53275          5.9.54.81:36327         ESTABLISHED -
udp        0      0 mydomain.com:33901          5.9.54.81:18202         ESTABLISHED -
udp        0      0 mydomain.com:39611          5.9.54.81:50330         ESTABLISHED -
udp        0      0 mydomain.com:54484          5.9.19.81:11270         ESTABLISHED -
udp        0      0 mydomain.com:60630          5.9.19.81:51172         ESTABLISHED -
udp        0      0 mydomain.com:40259          5.9.54.81:20088         ESTABLISHED -
udp        0   4480 mydomain.com:48509          5.9.19.81:33096         ESTABLISHED -
udp        0      0 mydomain.com:50077          5.9.19.81:20932         ESTABLISHED -

tcp        0      0 mydomain.com:http           176.123.0.45:50493      TIME_WAIT   -
tcp        0      0 mydomain.com:http           176.123.0.45:50502      TIME_WAIT   -
udp        0      0 mydomain.com:60949          5.9.19.81:10326         ESTABLISHED -
udp        0      0 mydomain.com:35401          5.9.54.81:58844         ESTABLISHED -
udp        0      0 mydomain.com:42277          5.9.54.81:18348         ESTABLISHED -
udp        0      0 mydomain.com:59221          5.9.54.81:20471         ESTABLISHED -
udp        0      0 mydomain.com:36220          5.9.54.81:23696         ESTABLISHED -
udp        0      0 mydomain.com:58332          5.9.54.81:62908         ESTABLISHED -

udp        0  13440 mydomain.com:46652          5.9.54.81:56989         ESTABLISHED -
udp        0      0 mydomain.com:47678          5.9.54.81:50759         ESTABLISHED -
udp        0      0 mydomain.com:33479          5.9.19.81:23918         ESTABLISHED -
udp        0  13440 mydomain.com:45988          5.9.19.81:50909         ESTABLISHED -

tcp        0   1441 mydomain.com:http           123.125.71.78:19758     FIN_WAIT1   22294/apache2
udp        0      0 mydomain.com:57989          5.9.19.81:43443         ESTABLISHED -
udp        0      0 mydomain.com:34967          5.9.19.81:7246          ESTABLISHED -
udp        0      0 mydomain.com:38557          5.9.54.81:1345          ESTABLISHED -
udp        0      0 mydomain.com:59615          5.9.54.81:54967         ESTABLISHED -
udp        0      0 mydomain.com:35555          5.9.54.81:33366         ESTABLISHED -
udp        0      0 mydomain.com:56594          5.9.54.81:28106         ESTABLISHED -
udp        0      0 mydomain.com:36666          5.9.54.81:51141         ESTABLISHED -
udp        0      0 mydomain.com:53649          5.9.19.81:64515         ESTABLISHED -
udp        0      0 mydomain.com:53745          5.9.19.81:25689         ESTABLISHED -

udp        0   4480 mydomain.com:45663          5.9.54.81:44916         ESTABLISHED -
udp        0      0 mydomain.com:46221          5.9.54.81:23417         ESTABLISHED -
udp        0      0 mydomain.com:37566          5.9.19.81:49000         ESTABLISHED -
udp        0      0 mydomain.com:53970          5.9.54.81:31708         ESTABLISHED -
udp        0      0 mydomain.com:47483          5.9.19.81:30439         ESTABLISHED -
udp        0      0 mydomain.com:33240          5.9.19.81:41324         ESTABLISHED -

How do I resolve this issue?
--
Thanks,
Bhavin
 
"The fragrance of flowers spreads only in the direction of the wind. But the goodness of a person spreads in all directions."
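As an added example for the listing above (not code from the thread), here is a small shell script that groups netstat -anp style lines by peer host and reports, per host, how many sockets there are, how many have no owning PID, and which programs own the rest. The SAMPLE lines are constructed to mirror the format of the output posted; the host, ports and PID are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: summarise "netstat -anp" output by peer
# host so the server's own outbound sockets stand out.
# SAMPLE is constructed in the shape of the posted listing (values illustrative).
# It assumes connected sockets, i.e. the State column is present on every line.

SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 mydomain.com:36892          5.9.54.81:61654         ESTABLISHED -
udp        0      0 mydomain.com:37010          5.9.54.81:29649         ESTABLISHED -
udp        0      0 mydomain.com:38090          5.9.19.81:8688          ESTABLISHED -
udp        0      0 mydomain.com:37882          5.9.54.81:3438          ESTABLISHED 20505/apache2
tcp        0      0 mydomain.com:http           176.123.0.116:54417     TIME_WAIT   -'

# summarise_sockets: reads netstat lines on stdin and prints one line per
# (proto, peer host): "proto host total without_pid programs"
summarise_sockets() {
    awk '
        $1 == "udp" || $1 == "tcp" {
            split($5, peer, ":")                  # "host:port" -> peer[1] is the host
            key = $1 " " peer[1]
            total[key]++
            if ($7 == "-") nopid[key]++           # no owning process visible
            else { split($7, prog, "/"); progs[key] = progs[key] prog[2] "," }
        }
        END {
            for (k in total) {
                sub(/,$/, "", progs[k])
                printf "%s %d %d %s\n", k, total[k], nopid[k] + 0,
                       (progs[k] == "" ? "-" : progs[k])
            }
        }
    ' | sort
}

# stat_for_host <proto> <host> <total|nopid|progs>: one field from the summary
# of SAMPLE, convenient for scripting a threshold alert.
stat_for_host() {
    printf '%s\n' "$SAMPLE" | summarise_sockets |
        awk -v p="$1" -v h="$2" -v f="$3" '
            $1 == p && $2 == h {
                v = (f == "total") ? $3 : (f == "nopid") ? $4 : $5
                print v
            }'
}

printf '%s\n' "$SAMPLE" | summarise_sockets
```

In the posted listing the local side is always a high ephemeral port and one entry is owned by apache2, which is the pattern of the server initiating UDP traffic rather than receiving it. Run the real listing as root (netstat -anp or ss -uanp) so the PID/Program column is filled in; an unprivileged user sees "-" for sockets owned by other users' processes.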
 

dhaval thakar

Feb 19, 2013, 3:33:27 AM
to vg...@googlegroups.com
You can probably block unwanted ports on the firewall for in/out connections.
Just allow the required TCP/UDP ports and keep the rest blocked.

 

--
--
Please read http://www.catb.org/~esr/faqs/smart-questions.html before posting.
You received this message because you are subscribed to the "Vibrant GNU/Linux User Group".
To stop receiving emails from this group, mail to VGLUG+un...@googlegroups.com
To post to this group, send email to VG...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/VGLUG
 
---
You received this message because you are subscribed to the Google Groups "VGLUG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vglug+un...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Alok Thaker

Feb 19, 2013, 3:34:57 AM
to vg...@googlegroups.com
Hi Bhavin,

Have you hardened your servers? Please install an IDS/IPS for your Linux OS. Make sure there are no rootkits, that you have a proper antivirus deployed, and also make sure to enable the hitcount parameter in iptables. Also install fail2ban.

Please post your firewall rules also.

Thanks & Regards,
Alok


Bhavin Mehta

Feb 19, 2013, 3:45:15 AM
to vg...@googlegroups.com
Hi,

@Dhaval

I have allowed only the required ports.

@Alok

Below are my firewall rules:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 180.76.6.0/16 -j DROP
iptables -A INPUT -s 180.76.5.0/16 -j DROP
iptables -A INPUT -s 208.115.111.0/24 -j DROP
iptables -A INPUT -s 208.115.113.0/24 -j DROP
iptables -A INPUT -s 199.21.99.0/24 -j DROP
iptables -A INPUT -s 157.56.93.0/16 -j DROP
iptables -A INPUT -s 66.249.73.0/8 -j DROP
iptables -A INPUT -s 66.249.76.0/8 -j DROP
iptables -A INPUT -s 66.249.73.120 -j DROP
iptables -A INPUT -s 168.62.162.41 -j DROP
iptables -A INPUT -s 198.55.104.196 -j DROP
iptables -A INPUT -s 114.79.19.82 -j DROP
iptables -A INPUT -s 176.31.111.0/16 -j DROP
iptables -A INPUT -s 176.31.111.115/16 -j DROP
iptables -A INPUT -s 76.173.3.39/8 -j DROP
iptables -A INPUT -s 67.185.237.194/8 -j DROP
iptables -A INPUT -s 5.9.19.0/8 -j DROP
iptables -A INPUT -s 5.9.7.0/8 -j DROP
iptables -A INPUT -s 5.9.54.0/8 -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 22 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m limit --limit 2/minute --limit-burst 2 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -m limit --limit 2/minute --limit-burst 2 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 80 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 443 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 22 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 443 -j ACCEPT

iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 53 -j ACCEPT

iptables -A OUTPUT -p tcp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --sport 53 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 873 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 873 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 873 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --dport 873 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 873 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 873 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 873 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 3306 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 3306 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 25 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 143 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 143 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 993 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 993 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 110 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 110 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 995 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 995 -j ACCEPT

iptables -A INPUT -s 72.14.188.66/32 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.1/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/8 -j DROP
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#iptables -A INPUT -f -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
#iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
#iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
#iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
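As an added check on rules like the ones above (not code from the thread), this script computes the network an iptables -s address/prefix actually matches: the kernel masks the address with the prefix, so -s 5.9.19.0/8 matches every 5.x.x.x address, not only the /24 the written address suggests. The RULES excerpt is constructed in the shape of the rules posted; the audit assumes one rule per line with a "-s address[/prefix]" argument.

```shell
#!/bin/sh
# Added example, not from the thread: find "-s address/prefix" rules whose
# prefix is wider than the written address, i.e. rules that drop far more
# than they appear to. RULES is a constructed excerpt in the shape of the
# rules posted above.

RULES='iptables -A INPUT -s 5.9.19.0/8 -j DROP
iptables -A INPUT -s 66.249.73.0/8 -j DROP
iptables -A INPUT -s 208.115.111.0/24 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -j DROP
iptables -A INPUT -s 72.14.188.66/32 -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

# ip_to_int: dotted quad -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip: 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# effective_network a.b.c.d/n -> the network/prefix the kernel really matches
# (a bare address without "/n" is treated as a /32 host rule, as iptables does)
effective_network() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( $(ip_to_int "$addr") & mask ))
    echo "$(int_to_ip "$net")/$prefix"
}

# audit_source_rules: reads iptables lines on stdin; for every "-s" argument
# prints "OK <written>" when the prefix keeps the address as written, or
# "WIDER <written> -> <effective>" when host bits are silently masked away.
audit_source_rules() {
    while IFS= read -r line; do
        case $line in *" -s "*) ;; *) continue ;; esac
        written=${line#* -s }
        written=${written%% *}
        eff=$(effective_network "$written")
        if [ "$eff" = "$written" ] || [ "$eff" = "$written/32" ]; then
            echo "OK    $written"
        else
            echo "WIDER $written -> $eff"
        fi
    done
}

# wider_rule_count: number of over-broad rules in RULES
wider_rule_count() {
    printf '%s\n' "$RULES" | audit_source_rules | grep -c WIDER
}

printf '%s\n' "$RULES" | audit_source_rules
```

Two other things are visible in the posted rules: the unconditional "--dport 80 -j ACCEPT" comes before the "-m limit" rule for the same port, so the rate limit is never reached, and no policy is set for OUTPUT (only INPUT and FORWARD), so the server's own outbound UDP, which is what the netstat listing shows, leaves unfiltered.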

Bhadreshsinh Gohil

Feb 19, 2013, 7:25:37 AM
to vg...@googlegroups.com
Scan your server using the NESSUS vulnerability scanner,
or you can use the OpenVAS scanner,
and fix the vulnerabilities.
 
Bhadreshsinh Gohil

Nishith Vyas

Feb 28, 2013, 1:41:24 AM
to vglug
Hello,

Configure the "denyhosts" tool to block unwanted access from the WAN segment. It is easy to use and very useful.

Basically, I have configured "telnet, rlogin & sshd" monitoring in "denyhosts", which worked very well. If an unwanted attack is found, "denyhosts" will make a permanent DENY entry in the "/etc/hosts.deny" file.

There is no doubt that "IPTABLES" is still THE BEST.


Nishith N.Vyas

linux_boy

Feb 28, 2013, 9:52:55 AM
to vg...@googlegroups.com, vglug
Use the csf firewall; that is the easiest way. Also stop certain unwanted services. The full guide is as follows, all in a single script; I have used it multiple times.


ElectroMech

Mar 1, 2013, 2:23:25 AM
to vg...@googlegroups.com
Hi,

It is strange that the source address is your server, so somebody has injected code into your web server application.

Replace your existing code with newer code and check, if possible.

Your server is creating connections to the remote host.

Thanks and Regards. 

--
--
Nilesh Vaghela
(RHCSA RHCE)
ElectroMech Corporation
Redhat Channel Partner and Training Partner
302, New York Plaza, Opp Judges Bunglow, Bodakdev, Ahmedabad
22, 1st Floor, Vardhaman Complex, Subhanpura , Baroda.
www.electromech.info

Bhavin Mehta

Mar 1, 2013, 5:03:44 AM
to vg...@googlegroups.com
Hi,

Thank you all for giving me good suggestions.

Now my traffic has been normal for the last ten days. I implemented the following things on my server.

1) I have created a firewall script. In my firewall script I had implemented the allow rules first and then the drop rules; afterwards I changed the order of the rules so that drop comes first and then allow.

2) We are using this server for demo purposes, which is why so many sites are live. I have removed the unnecessary sites that are already deployed on client servers. At present only five sites are running on our demo server.


 
--
 Thanks,
 Bhavin Mehta
 

Hiren Mistry

Mar 1, 2013, 6:09:17 AM
to vg...@googlegroups.com, vglug
Hi

It is better to first install an IPS server on your server so that it will automatically manage some huge requests on the server.

Regards,
Hiren Mistry
+91-9920646204

RAVI CHOKSI

Mar 6, 2013, 1:50:11 AM
to LINUX SOLUTION
Hello,
 
Please try this.

Step 1: First make sure how many applications are running in your network
(which are using internet bandwidth).

Step 2: If you have a firewall, then configure the firewall rules with QoS policies.

You can manage your Internet bandwidth easily.

I hope you will understand. Try this trick.

Thanks & Regards,
Ravi Choksi

 
