Someone is attacking my server everyday and I really don't know what to do
Hello,
I have a 100mbit dedicated server and every day the server is attacked randomly and I can't access the server, with a lot of timeouts. It looks like this when I am pinging it:
Code:
Pinging x.x.x.x with 32 bytes of data:
Request timed out.
Request timed out.
Reply from x.x.x.x: bytes=32 time=11ms TTL=58
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from x.x.x.x: bytes=32 time=10ms TTL=58
Reply from x.x.x.x: bytes=32 time=10ms TTL=58
Request timed out.
Request timed out.
Reply from x.x.x.x: bytes=32 time=12ms TTL=58
Request timed out.
etc ........
I don't know how to locate the IP addresses that are doing it.
I don't know how to check which type of attack it is.
I don't know how to secure it.
And I don't know what to tell my customers; every day they are having trouble with my server and I am losing money every day because of this annoying attacker.
Please help me, I am in a very bad situation here. I have started to think about leaving hosting and selling my servers; I am losing money and customers every day!
Any help will be appreciated, and please try to be specific because I am not a Unix professional.
Thanks in advance.
Instead of immediately suspecting an attack, better to start at network hardware (device interfaces) and work all the way up the stack to the OS. You may find that it is a network problem. Call your hosting provider.
...etc ........
I don't know how to locate the IP addresses that are doing it.
I don't know how to check which type of attack it is.
I don't know how to secure it.
And I don't know what to tell my customers; every day they are having trouble with my server and I am losing money every day because of this annoying attacker.
Please help me, I am in a very bad situation here...
I don't want to suggest attacks are in any way something that shouldn't be taken seriously, but you haven't given the rest of us any reason to believe there is anything going on here, apart from the fact that there is a networking problem somewhere. So, what is your evidence, as you are so sure?
What do you mean by the server is attacked randomly? Do you mean that at a random point in time during the day the machine in question is unreachable? Do you mean that once the networking issues start they persist for some random amount of time?
Have you tried to traceroute and verify that it is your system? Checked the inbound network traffic? Checked with your ISP?
Yes, you must check the logs... perhaps make logging more verbose for whatever servers you are running; if you aren't running a particular server software, then inbound connections to the ports that it uses should just disappear.
I had a bunch of dictionary/common name attacks on my ssh server, so I disabled password authentication over ssh, forcing everyone to use keys. You can also find some packages that will deny an IP access to your machine after a certain number of failed access attempts, at the firewall level. This is effective for denial of service attacks, which, if your server is really being attacked, is probably what's going on.
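The per-address tally of failed SSH logins that the blocking packages mentioned above act on, as an added example that is not part of any post in this thread. The function name, the threshold and the sample log lines are constructed, and the usual OpenSSH line layout `Failed password for ... from <ip> port <n> ssh2` is assumed.

```shell
#!/bin/sh
# Constructed sample: sshd lines in the usual OpenSSH syslog layout, using
# documentation-only addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
# The last line has a user name that itself contains "from <ip> port ...".
sample_log() {
cat <<'EOF'
Mar  3 10:15:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 10:15:03 web1 sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Mar  3 10:15:05 web1 sshd[1207]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar  3 10:15:09 web1 sshd[1210]: Failed password for root from 203.0.113.5 port 40140 ssh2
Mar  3 10:16:40 web1 sshd[1302]: Failed password for alice from 198.51.100.23 port 51514 ssh2
Mar  3 10:17:02 web1 sshd[1310]: Accepted publickey for alice from 198.51.100.23 port 51520 ssh2
Mar  3 10:18:11 web1 sshd[1344]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 203.0.113.77 port 50000 ssh2
EOF
}

# failed_ssh_by_ip THRESHOLD (hypothetical helper): reads auth-log lines on
# stdin and prints "failures distinct_users ip" for every source address with
# at least THRESHOLD failed password logins, busiest first.
failed_ssh_by_ip() {
  awk -v min="${1:-3}" '
    {
      # Locate the sshd tag so the timestamp format in front does not matter.
      t = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[[0-9]+\]:$/) { t = i; break }
      if (!t || $(t+1) != "Failed" || $(t+2) != "password" || $(t+3) != "for") next
      # The user name is client-supplied and may contain spaces, so read the
      # address from the fixed tail "from <ip> port <n> ssh2", not the first "from".
      if (NF < t + 9 || $(NF-4) != "from" || $(NF-2) != "port") next
      ip = $(NF-3)
      s = t + 4
      if ($s == "invalid" && $(s+1) == "user") s += 2
      user = ""
      for (i = s; i <= NF - 5; i++) user = user (i > s ? " " : "") $i
      fails[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END { for (ip in fails) if (fails[ip] >= min) print fails[ip], users[ip], ip }
  ' | sort -k1,1nr -k3,3
}

# Stand-alone run on the constructed sample with a threshold of 3 failures.
sample_log | failed_ssh_by_ip 3
```

On a live system, feed it the sshd log instead of the sample, for example `/var/log/auth.log` on Debian-style systems or `/var/log/secure` on Red Hat-style systems. Many distinct user names from one address points to the dictionary-style guessing described in the post above.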
Your issue is lacking details in the extreme. Providing some example of the issue you're facing is usually critical in receiving any type of help in these forums: firewall logs, system logs, apache logs...even netstat snapshots may help more than submitting no data at all.