LinuxQuestions.org
02-11-2010, 06:46 PM   #1
DiogoAbdalla
LQ Newbie
 
Registered: Feb 2010
Posts: 3

Rep: Reputation: 0
Server does not respond to http requests (firewall problem)


Hello all. I'm here to ask for some urgent help; I will be really grateful if anyone can help.

I'm a web programmer at a small web agency in São Paulo. We have this remote server (a RedHat dedicated server) where our site and many client sites are hosted.

Since we have no one to manage the server, I've been doing it myself (mostly simple tasks like creating users, installing stuff, restarting apache, etc). I got the server all configured and running; I didn't do it myself.

Today we received an e-mail from the server company saying that our server was being used for DDS attacks. And since we (I) are responsible for managing it, it was up to me to find what was going on and prevent it.

So first I've changed the root password. All ok. Then I found our security logs and saw that our server was constantly receiving repeated login attempts from my IPs, trying to login usually as root.

So I did some research, found people with similar situations and found the advice that I should change our SSH port from 22 to something else, that it should help avoiding this kind of attack.

So I followed this procedure (http://forums.burst.net/archive/index.php/t-3100.html) to change the SSH port to 47, also opening that port on iptables.

Restarted ssh, restarted iptables. All seems fine: I could log in SSH with port 47, perfect.

But something happened. Now none of our domains are loading. For example:

http://www.alfaiataria.net/

No error messages are received, it just times out. Also, the requests are not logged; it's like it never happens, but no error is ever received.

I've restarted apache and mysql: did not solve. I've undone the changes I had done: no changes.

So I just don't know what to do anymore. Where should I look to know what's going on? What can be happening? What did I break here, and how?

Please, please, help. Any tip, hint, information, anything will be much appreciated.

Thanks

Last edited by DiogoAbdalla; 02-12-2010 at 07:07 AM. Reason: changed title
 
02-11-2010, 08:37 PM   #2
hoodooman
Member
 
Registered: Oct 2006
Location: Stirling in Scotland
Distribution: Slackware 13.37 64 bit
Posts: 297

Rep: Reputation: 42
I can't help you with your problem. I can say to you that marking your thread as Urgent is a bad idea. Everyone here is a volunteer and your urgency means little to them. People will respond when they have the time. Relax and the replies will come.
 
02-11-2010, 10:38 PM   #3
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,093

Rep: Reputation: 1995
ssh (port 22) and Apache (port 80 : http) are unrelated. You may be thinking of ssl (port 443; used for secure https).


1. Always set "PermitRootLogin No" in sshd_config. Use another account, then 'su -' up to root if you need that level of access.
2. You can slow down attacks using the fail2ban tool.
3. For your Apache issues, try to connect yourself (don't take someone else's word for it) and check the Apache error_log & access_log: http://httpd.apache.org/docs/2.2/logs.html
Also check the system logs, e.g. /var/log/messages.

Please post the Red Hat name & version, e.g.

cat /etc/*release*

and the Apache version

httpd -v
 
02-11-2010, 11:38 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, FreeBSD
Posts: 3,925
Blog Entries: 5

Rep: Reputation: Disabled
The name resolves, and httpd is listening on tcp port 80.

Code:
$ host www.alfaiataria.net
www.alfaiataria.net is an alias for anydesign-web01.uolhostidc.com.br.
anydesign-web01.uolhostidc.com.br has address 189.38.58.242

$ nc -zvw 1 www.alfaiataria.net 80
Connection to www.alfaiataria.net 80 port [tcp/http] succeeded!

Check Apache web server's logs, as mentioned.
 
02-12-2010, 07:06 AM   #5
DiogoAbdalla
LQ Newbie
 
Registered: Feb 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by hoodooman
I can't help you with your problem. I can say to you that marking your thread as Urgent is a bad idea. Everyone here is a volunteer and your urgency means little to them. People will respond when they have the time. Relax and the replies will come.

I know people here are volunteers and will not run to help me just because I said "urgent". I only put that in the title because, well, it was urgent; I was desperate. I changed the title.

Anyway, I ended up solving my own problem. I found out where I had messed up: on the firewall. After I added a rule to open port 47 on iptables and restarted it, for some reason port 80 got closed.

And I don't understand, since all I've done was to add this line to it:

Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 47 -j ACCEPT

So iptables was like this:

Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 47 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Looking closely at it, I realized that it wasn't opening port 80, which is the apache port. So I changed again to:

Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 447 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Restarted and everything was working again. What I can't understand is how it was working before, since I never removed any lines, just added the rule to open 47.

But what about now? Is this iptables correct, secure, good? All I know is that it is working.

And by the way, this server is a: "Red Hat Enterprise Linux Server release 5.1 (Tikanga)" and Apache is "Apache/1.3.41 (Unix)".

Anyway, thank you a lot for the replies. I will set "PermitRootLogin No" and will look at that fail2ban tool.

Last edited by DiogoAbdalla; 02-12-2010 at 07:11 AM.
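
A check that can be run against the rules file before restarting the firewall, as an added example that is not part of the original thread: restarting the iptables service loads the saved rules file, so a port with no ACCEPT rule in that file is closed after the restart whatever the running rules allowed. The function names and the default interface name `eth0` are hypothetical, and the sample ruleset is abridged from the first listing in post #5.

```python
# Abridged from the first listing in post #5 (saved file, no tcp/80 rule).
SAVED = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 47 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
FIXED = SAVED.replace("47 -j ACCEPT", "47 -j ACCEPT\n-A RH-Firewall-1-INPUT "
                      "-m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT")

def parse(ruleset):
    policies, chains = {}, {}
    for line in ruleset.splitlines():
        if line.startswith(":"):                 # chain declaration and policy
            name, policies[name] = line[1:].split()[:2]
            chains[name] = []
        elif line.startswith("-A "):             # rule appended to a chain
            chains[line.split()[1]].append(line.split()[2:])
    return policies, chains

def rule_target(tok, port, iface):
    # Target of the rule if a NEW tcp packet to `port` on `iface` matches it.
    if {"!", "-s", "-d", "--sport"} & set(tok):
        return None  # assumption: negated/address matches are treated as no match
    opts = dict(zip(tok[::2], tok[1::2]))        # every option here takes one argument
    lo, _, hi = opts.get("--dport", str(port)).partition(":")
    if (opts.get("-i", iface) == iface and int(lo) <= port <= int(hi or lo)
            and opts.get("-p", "tcp") in ("tcp", "6", "all")
            and "NEW" in opts.get("--state", "NEW").split(",")):
        return opts.get("-j")

def verdict(ruleset, port, iface="eth0", chain="INPUT"):
    """First-match verdict for a new inbound TCP connection to `port`."""
    policies, chains = parse(ruleset)
    def walk(name):
        for tok in chains[name]:
            target = rule_target(tok, port, iface)
            target = walk(target) if target in chains else target  # follow jumps
            if target in ("ACCEPT", "REJECT", "DROP"):
                return target                    # falling off the end returns None
    return walk(chain) or policies[chain]

def blocked(ruleset, required):
    return [p for p in required if verdict(ruleset, p) != "ACCEPT"]
```

Calling `blocked()` on the contents of the rules file with the ports the server must serve lists the ones that would stop answering after a restart.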