LinuxQuestions.org


DiogoAbdalla 02-11-2010 06:46 PM

Server does not respond to HTTP requests (firewall problem)
 
Hello all. I'm here to ask for some urgent help, and will be really grateful if anyone can help.

I'm a web programmer at a small web agency in São Paulo. We have this remote server (a RedHat dedicated server) where our site and many client sites are hosted.

Since we have no one to manage the server, I've been doing it myself (mostly simple tasks like creating users, installing stuff, restarting Apache, etc.). I got the server all configured and running; I didn't do it myself.

Today we received an e-mail from the server company saying that our server was being used for DDS attacks. And since we (I) are responsible for managing it, it was up to me to find what was going on and prevent it.

So first I changed the root password. All OK. Then I found our security logs and saw that our server was constantly receiving repeated login attempts from my IPs, trying to log in usually as root.

So I did some research, found people with similar situations and found the advice that I should change our SSH port from 22 to something else, that it should help avoid this kind of attack.

So I followed this procedure (http://forums.burst.net/archive/index.php/t-3100.html) to change the SSH port to 47, also opening that port on iptables.

Restarted ssh, restarted iptables. All seems fine: I could log in SSH with port 47, perfect.

But something happened. Now none of our domains are loading. For example:

http://www.alfaiataria.net/

No error messages are received, it just times out. Also, the requests are not logged; it's like it never happens, but no error is ever received.

I've restarted Apache and MySQL: did not solve it. I've undone the changes I had made: no change.

So I just don't know what to do anymore. Where should I look to know what's going on? What can be happening? What did I break here, and how?

Please, please, help. Any tip, hint, information, anything will be much appreciated.

Thanks

hoodooman 02-11-2010 08:37 PM

I can't help you with your problem. I can say to you that marking your thread as Urgent is a bad idea. Everyone here is a volunteer and your urgency means little to them. People will respond when they have the time. Relax and the replies will come.

chrism01 02-11-2010 10:38 PM

ssh (port 22) and Apache (port 80 : http) are unrelated. You may be thinking of ssl (port 443; used for secure https).


1. always set "PermitRootLogin No" in sshd_config. Use another acct then 'su -' up to root if you need that level of access.
2. you can slow down attacks using the fail2ban tool.
3. for your Apache issues, try to connect yourself (don't take someone else's word for it) and check the Apache error_log & access_log (http://httpd.apache.org/docs/2.2/logs.html).
Also the system logs, e.g. /var/log/messages.

Please post Redhat name & version eg

cat /etc/*release*

and the Apache version

httpd -v

anomie 02-11-2010 11:38 PM

The name resolves, and httpd is listening on tcp port 80.

Code:

$ host www.alfaiataria.net
www.alfaiataria.net is an alias for anydesign-web01.uolhostidc.com.br.
anydesign-web01.uolhostidc.com.br has address 189.38.58.242

$ nc -zvw 1 www.alfaiataria.net 80
Connection to www.alfaiataria.net 80 port [tcp/http] succeeded!

Check Apache web server's logs, as mentioned.

DiogoAbdalla 02-12-2010 07:06 AM

Quote:

Originally Posted by hoodooman (Post 3860969)
I can't help you with your problem. I can say to you that marking your thread as Urgent is a bad idea. Everyone here is a volunteer and your urgency means little to them. People will respond when they have the time. Relax and the replies will come.

I know people here are volunteers and will not run to help me just because I said "urgent". I only put that in the title because, well, it was urgent, I was desperate. I changed the title.

Anyway, I ended up solving my own problem. I found out where I had messed up: on the firewall. After I added a rule to open port 47 on iptables and restarted it, for some reason port 80 got closed.

And I don't understand, since all I did was add this line to it:

Code:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 47 -j ACCEPT

So iptables was like this:

Code:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 47 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Looking closely at it, I realized that it wasn't opening port 80, which is the Apache port. So I changed it again to:

Code:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 447 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Restarted and everything was working again. What I can't understand is how it was working before, since I never removed any lines, just added the rule to open 47.

But what about now? Is this iptables correct, secure, good? All I know is that it is working.

And by the way, this server is a: "Red Hat Enterprise Linux Server release 5.1 (Tikanga)" and Apache is "Apache/1.3.41 (Unix)".

Anyway, thank you a lot for the replies. I will set "PermitRootLogin No" and will look at that fail2ban tool.
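
Added example (not part of the thread or any poster's code): a pre-restart check for the failure described above, where the chain ends in a catch-all REJECT and a needed port has no ACCEPT rule before it. The function names and the abridged sample ruleset are constructed for illustration, and the parser assumes single-port `--dport` rules.

```shell
# Constructed sample: the thread's first ruleset, abridged (no port 80 rule).
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 47 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print the TCP destination ports CHAIN accepts before its first
# unconditional REJECT/DROP; rules after that line are never reached.
# Assumption: single-port --dport rules only (no ranges, no multiport).
accepted_tcp_ports() {   # usage: accepted_tcp_ports CHAIN < rules-file
    awk -v chain="$1" '
        $1 != "-A" || $2 != chain { next }
        {
            proto = ""; port = ""; target = ""; conds = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") { proto = $(i + 1); conds++ }
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i ~ /^-[isdm]$/) conds++
            }
            if ((target == "REJECT" || target == "DROP") && conds == 0) exit
            if (target == "ACCEPT" && proto == "tcp" && port != "") print port
        }'
}

# Print the required ports that CHAIN does not accept (empty = all open).
missing_ports() {   # usage: missing_ports CHAIN PORT... < rules-file
    chain=$1; shift
    open=$(accepted_tcp_ports "$chain")
    missing=""
    for p in "$@"; do
        printf '%s\n' "$open" | grep -qxF "$p" || missing="$missing $p"
    done
    echo "${missing# }"
}

# SSH on 47 and HTTP on 80 are the services named in the thread.
sample_rules | missing_ports RH-Firewall-1-INPUT 47 80
```

On a real host, feed the saved rules file to `missing_ports` in place of `sample_rules` before restarting iptables, and keep the existing SSH session open until a new connection has been confirmed.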

