I have a Debian server that has been going down after a day for the past few weeks. How can I check for sure whether the server is compromised or there is some misconfiguration?
Previously I turned off the SSL site with a2dissite, but port 443 is still listening. Could it be some misconfiguration?
First of all we need to know if the server goes down every day at the same time or at different times. It might be possible that someone has set a cron job to reboot the server every day. Are you the only person who manages this server?
I don't think that removing SSL will lead to this situation. Of course, there are chances of misconfiguration in apache2, but that should not lead to a server reboot unless severe.
No, it doesn't go down at the same time. I am the only person who manages it and there are no cron jobs for restarting. The BIOS is set to power on the PC if the power went down.
Previously I turned off the SSL site with a2dissite, but port 443 is still listening. Could it be some misconfiguration?
Look at the output of the PS and NETSTAT commands to see what application is listening on the port:
Code:
netstat -pane
and
ps aux
You will probably need to run these as root or use sudo to get meaningful information since the process is probably not running under your account and has a privileged port associated with it.
[Thu Dec 15 22:33:27 2011] [notice] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Thu Dec 15 22:33:27 2011] [notice] mod_python: using mutex_directory /tmp
[Thu Dec 15 22:33:28 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Thu Dec 15 23:14:11 2011] [notice] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Thu Dec 15 23:14:11 2011] [notice] mod_python: using mutex_directory /tmp
[Thu Dec 15 23:14:11 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Fri Dec 16 07:52:59 2011] [error] [client 211.191.168.214] Invalid method in request \x80d\x01\x03\x01
[Sun Dec 18 04:09:56 2011] [error] [client 60.248.96.108] File does not exist: /htdocs
[Sun Dec 18 04:30:09 2011] [error] [client 203.144.218.148] Invalid method in request \x80d\x01\x03\x01
[Sun Dec 18 13:55:16 2011] [notice] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Sun Dec 18 13:55:16 2011] [notice] mod_python: using mutex_directory /tmp
[Sun Dec 18 13:55:17 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Sun Dec 18 23:59:27 2011] [error] [client 79.229.145.51] Invalid method in request \x16\x03\x01
[Mon Dec 19 06:07:37 2011] [error] [client 209.170.68.70] File does not exist: /htdocs
[Mon Dec 19 16:57:55 2011] [notice] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Mon Dec 19 16:57:55 2011] [notice] mod_python: using mutex_directory /tmp
[Mon Dec 19 16:57:56 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Mon Dec 19 17:18:50 2011] [notice] caught SIGTERM, shutting down
[Mon Dec 19 17:18:51 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Mon Dec 19 17:27:26 2011] [notice] caught SIGTERM, shutting down
[Mon Dec 19 17:27:28 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 20 03:35:17 2011] [error] [client 216.129.118.139] Invalid method in request \x16\x03\x03
[Tue Dec 20 03:35:20 2011] [error] [client 216.129.118.139] Invalid URI in request \x16\x03\x03\x02\v\x01
[Tue Dec 20 03:35:21 2011] [error] [client 216.129.118.139] Invalid method in request \x16\x03\x01
[Tue Dec 20 05:15:09 2011] [error] [client 108.59.254.227] File does not exist: /htdocs
[Tue Dec 20 13:37:55 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 20 15:02:30 2011] [notice] caught SIGTERM, shutting down
[Tue Dec 20 15:02:31 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 20 15:08:09 2011] [notice] caught SIGTERM, shutting down
[Tue Dec 20 15:08:10 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Tue Dec 20 15:08:10 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Tue Dec 20 15:08:10 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 20 15:08:49 2011] [notice] caught SIGTERM, shutting down
[Tue Dec 20 15:08:50 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Tue Dec 20 15:08:51 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Tue Dec 20 15:08:51 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 20 15:09:35 2011] [notice] caught SIGTERM, shutting down
[Tue Dec 20 15:09:36 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Tue Dec 20 15:09:36 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Tue Dec 20 15:09:36 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 20 15:10:45 2011] [notice] Graceful restart requested, doing restart
[Tue Dec 20 15:10:46 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 20 15:11:11 2011] [error] [client 95.111.108.147] File does not exist: /htdocs
[Tue Dec 20 15:11:11 2011] [error] [client 95.111.108.147] File does not exist: /htdocs
[Tue Dec 20 15:11:11 2011] [error] [client 95.111.108.147] File does not exist: /htdocs
[Tue Dec 20 15:11:11 2011] [error] [client 95.111.108.147] File does not exist: /htdocs
[Tue Dec 20 15:11:33 2011] [notice] Graceful restart requested, doing restart
[Tue Dec 20 15:11:34 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Tue Dec 20 15:11:34 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 20 15:12:14 2011] [notice] caught SIGTERM, shutting down
[Tue Dec 20 15:12:15 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Tue Dec 20 15:12:15 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Tue Dec 20 15:12:15 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 20 15:12:53 2011] [error] [client 95.111.108.147] File does not exist: /var/www/ssl/favicon.ico
[Tue Dec 20 15:12:53 2011] [error] [client 95.111.108.147] File does not exist: /var/www/ssl/favicon.ico
[Tue Dec 20 15:12:53 2011] [error] [client 95.111.108.147] File does not exist: /var/www/ssl/favicon.ico
[Wed Dec 21 05:51:45 2011] [error] [client 59.90.148.14] File does not exist: /htdocs
[Wed Dec 21 07:51:04 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Wed Dec 21 07:51:04 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Wed Dec 21 07:51:04 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Wed Dec 21 07:51:23 2011] [notice] caught SIGTERM, shutting down
[Wed Dec 21 07:51:24 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Wed Dec 21 07:51:25 2011] [warn] RSA server certificate CommonName (CN) `debian' does NOT match server name!?
[Wed Dec 21 07:51:25 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Wed Dec 21 07:53:46 2011] [notice] Graceful restart requested, doing restart
[Wed Dec 21 07:53:46 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Wed Dec 21 08:53:06 2011] [error] [client 46.234.116.252] Invalid method in request \x16\x03\x01
[Wed Dec 21 17:21:52 2011] [error] [client 78.111.92.109] File does not exist: /htdocs
[Thu Dec 22 07:39:50 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Thu Dec 22 10:51:01 2011] [error] [client 67.137.238.164] Invalid method in request \x80e\x01\x03\x01
[Thu Dec 22 19:20:19 2011] [error] [client 217.76.63.15] File does not exist: /htdocs
[Mon Dec 26 10:44:10 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Mon Dec 26 14:54:30 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Dec 27 06:40:40 2011] [error] [client 200.180.46.204] File does not exist: /htdocs
[Thu Dec 29 09:29:59 2011] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Thu Dec 29 09:59:05 2011] [notice] caught SIGTERM, shutting down
[Thu Dec 29 09:59:06 2011] [notice] Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Thu Dec 29 10:05:28 2011] [notice] Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
[Thu Dec 29 10:33:04 2011] [notice] caught SIGTERM, shutting down
[Thu Dec 29 10:35:18 2011] [notice] Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations
What does SIGTERM mean and what program causes it? How can I find out?
In Linux there are different types of signals which are sent to a process either by the parent process or by the init process. init is the parent of all processes. In the system, when you start a service it gives birth to a process and that process becomes the parent process. This parent process in turn gives birth to child processes. The life cycle of a process can be defined as follows:
birth - where a process will take birth
run - process will run.
sleep - it will sleep until it gets further instructions
death - finally it will die.
During this cycle a process receives signals either from the parent process or from init, depending upon the situation. SIGTERM is a kind of signal which is sent to a process requesting it to terminate. And yes, SIGTERM comes under special signals which a process cannot overlook.
The above is my understanding of signals and process handling. I might be wrong.
From the output it appears that there is some misconfiguration in either the SSL or the PHP configuration. You said that it started a couple of weeks ago. Do you remember making any specific change? Did you take a backup of the configuration files before editing them?
There was an SSL site that I removed, because I planned to replace it with another. Probably I deleted the folder but did not remove the configuration for the site. Plus the svn repo was reconfigured wrong.
I will redo all the configuration cleanly, but this gives me a look into security and how important it is.
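Added example (not part of the original thread): one way to read the Apache error log posted above. It separates starts that follow a logged SIGTERM or graceful restart from starts with no shutdown record, and picks out the "Invalid method in request \x16\x03..." entries, which are TLS ClientHello bytes arriving at a listener that answers in plain HTTP. The sample lines and client addresses are constructed, and the function name is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the Apache 2.2 error_log format shown in the thread
# (client addresses are documentation-range placeholders, not thread data).
SAMPLE = r"""
[Mon Dec 19 16:57:56 2011] [notice] Apache/2.2.9 (Debian) configured -- resuming normal operations
[Mon Dec 19 17:18:50 2011] [notice] caught SIGTERM, shutting down
[Mon Dec 19 17:18:51 2011] [notice] Apache/2.2.9 (Debian) configured -- resuming normal operations
[Tue Dec 20 03:35:17 2011] [error] [client 192.0.2.10] Invalid method in request \x16\x03\x03
[Tue Dec 20 05:15:09 2011] [error] [client 192.0.2.11] File does not exist: /htdocs
[Tue Dec 20 13:37:55 2011] [notice] Apache/2.2.9 (Debian) configured -- resuming normal operations
[Tue Dec 20 15:10:45 2011] [notice] Graceful restart requested, doing restart
[Tue Dec 20 15:10:46 2011] [notice] Apache/2.2.9 (Debian) configured -- resuming normal operations
[Thu Dec 22 10:51:01 2011] [error] [client 192.0.2.12] Invalid method in request \x80e\x01\x03\x01
""".strip().splitlines()

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# Bytes logged when a TLS ClientHello reaches a listener speaking plain HTTP:
# \x16\x03 = TLS handshake record, \x80..\x01\x03 = SSLv2-compatible hello.
TLS_HELLO = re.compile(
    r"Invalid (?:method|URI) in request (?:\\x16\\x03|\\x80.{1,4}\\x01\\x03)")

def analyse(lines):
    """Return (starts, tls_on_plain); starts is a list of (timestamp, kind)."""
    starts, tls_on_plain, stop = [], [], "start-of-log"
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        if "caught SIGTERM" in msg:
            stop = "sigterm"
        elif "Graceful restart requested" in msg:
            stop = "graceful"
        elif "resuming normal operations" in msg:
            # No stop record since the previous start: Apache never logged a
            # shutdown, so the process (or the whole host) went down abruptly.
            starts.append((ts, stop or "no-shutdown-logged"))
            stop = None
        elif TLS_HELLO.search(msg):
            tls_on_plain.append((ts, msg.split("]")[0].split()[-1]))
    return starts, tls_on_plain

if __name__ == "__main__":
    for ts, kind in analyse(SAMPLE)[0]:
        print(ts.isoformat(), kind)
```

A start with no shutdown logged points at the host or the process dying abruptly (crash, power loss) rather than a service restart, so those timestamps are the ones to compare against syslog and kernel logs. TLS hello bytes in the error log mean port 443 is still open but is being served without SSL enabled.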