Server does not respond to HTTP requests (firewall problem)
Hello all. I'm here to ask for some urgent help, and will be really grateful if anyone can help.
I'm a web programmer at a small web agency in São Paulo. We have this remote server (a RedHat dedicated server) where our site and many client sites are hosted.
Since we have no one to manage the server, I've been doing it myself (mostly simple tasks like creating users, installing stuff, restarting apache, etc). I got the server all configured and running; I didn't do it myself.
Today we received an e-mail from the server company saying that our server was being used for DDS attacks. And since we (I) are responsible for managing it, it was up to me to find out what was going on and prevent it.
So first I've changed the root password. All OK. Then I found our security logs and saw that our server was constantly receiving repeated login attempts from my IPs, trying to log in usually as root.
So I did some research, found people in similar situations and found the advice that I should change our SSH port from 22 to something else, and that it should help avoid this kind of attack.
So I followed this procedure (http://forums.burst.net/archive/index.php/t-3100.html) to change the SSH port to 47, also opening that port on iptables.
Restarted ssh, restarted iptables. All seems fine: I could log in SSH with port 47, perfect.
But something happened. Now none of our domains are loading. For example:
No error messages are received, it just times out. Also, the requests are not logged; it's like it never happens, but no error is ever received.
I've restarted apache and mysql: did not solve it. I've undone the changes I had made: no change.
So I just don't know what to do anymore. Where should I look to know what's going on? What can be happening? What did I break here, and how?
Please, please, help. Any tip, hint, information, anything will be much appreciated.
I can't help you with your problem. I can say to you that marking your thread as Urgent is a bad idea. Everyone here is a volunteer and your urgency means little to them. People will respond when they have the time. Relax and the replies will come.
ssh (port 22) and Apache (port 80 : http) are unrelated. You may be thinking of ssl (port 443; used for secure https).
1. always set "PermitRootLogin No" in sshd_config. Use another acct then 'su -' up to root if you need that level of access.
2. you can slowdown attacks using the fail2ban tool.
3. for your Apache issues, try to connect yourself (don't take someone else's word for it) and check the Apache error_log & access_log http://httpd.apache.org/docs/2.2/logs.html.
Also the system logs eg /var/log/messages.
Please post Redhat name & version eg
and the Apache version
The names resolve, and httpd is listening on tcp port 80.
Anyway, I ended up solving my own problem. I found out where I had messed up: on the firewall. After I added a rule to open port 47 on iptables and restarted it, for some reason port 80 got closed.
And I don't understand, since all I've done was to add this line to it:
But what about now? Is this iptables correct, secure, good? All I know is that it is working.
And by the way, this server is a: "Red Hat Enterprise Linux Server release 5.1 (Tikanga)" and Apache is "Apache/1.3.41 (Unix)".
Anyway, thank you a lot for the replies. I will set "PermitRootLogin No" and will look at that fail2ban tool.