I have one wallpaper site that I bought, and it keeps getting attacked recently; as I am a newbie to sysadmin and Linux stuff, that makes it even worse.
In September I was using Hetzner and they blocked my IP and sent this log:
http://pastebin.com/7ghVhvp8 I was using CentOS 7 with this tutorial:
http://bit.ly/2hREs60 . After that I moved my other sites to linode.com and the wallpaper site to OVH, and it was working until a few days back.
#First:
Our anti-spam protection layer has detected that your IP 192.99.33.142 is sending spam.
Destination IP: 183.79.16.119 - Message-ID: 74d33822d902d156306d2e39b5f4bbbe@ - Spam score: 500
Destination IP: 65.20.0.49 - Message-ID: 8569140d51f1cb122028e95fec15c25f@ - Spam score: 500
Destination IP: 65.20.0.49 - Message-ID: 161158af00da76e035282b967860845a@ - Spam score: 500
Destination IP: 184.150.200.82 - Message-ID: 976c517db1b015c4de91b549154cf905@ - Spam score: 500
Destination IP: 182.22.12.248 - Message-ID: 7b8df29f2b2c25c278d6b723ecb8ea53@ - Spam score: 500
#Then:
You can find the logs brought up by our system below which led to this alert.
- START OF ADDITIONAL INFORMATION -
Attack detail : 186Kpps/56Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
Image:
http://i.imgur.com/Gn4Qneq.png
(I was using Debian 7 with ISPConfig 3 and the firewall enabled)
Since then I have reinstalled the server, used the ISPConfig firewall, disabled SMTP for now, hardened my WordPress and got the paid Cloudflare website firewall, and now the major problem seems to be solved. But today I received this message:
"Detection of an attack on IP address 192.99.33.142". I enabled "I'm under attack" on Cloudflare and got "End of attack on IP address 192.99.33.142".
To avoid problems like this in the future:
1- Can someone guide me on how I can put limits on outgoing UDP packets being sent?
2- What is the most effective way to stop spam being sent? I have read about policyd after some googling.
3- Please pardon my ignorance, but I will appreciate any advice as to how I can harden my server against these sorts of attacks.
Thanks..
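An added example for points 1 and 2, not part of the question or any answer on the page: a shell script that generates (and optionally applies) outbound iptables rules of the kind a practitioner would put on this host. It rate-limits outgoing UDP per destination IP, so a flood like the one in OVH's log to 94.136.40.66 is capped while DNS and NTP lookups keep working, and it lets only the MTA user open connections to port 25, so a compromised PHP script cannot talk SMTP directly. Assumptions (mine, not from the page): iptables with the `hashlimit` and `owner` match modules, Postfix running as the `postfix` user (the Debian default), a web-only host with no UDP service of its own, and illustrative rate limits that should be tuned to real traffic.

```shell
#!/bin/sh
# Added example, not from the original post. Generates outbound iptables
# rules for a web server abused to send UDP floods and spam.
# Assumes: iptables with hashlimit + owner matches, Postfix running as user
# "postfix", and no legitimate UDP service on the host apart from the DNS/NTP
# lookups it makes as a client. Limits below are illustrative.
set -eu

UDP_RATE="${UDP_RATE:-50/sec}"            # sustained outbound UDP per destination IP
UDP_BURST="${UDP_BURST:-100}"             # packets allowed in a burst before limiting
MAIL_USERS="${MAIL_USERS:-postfix root}"  # local users allowed to reach tcp/25

# Print the rule set instead of applying it, so it can be reviewed (or pasted
# into the panel's custom-rules hook) before it touches the live firewall.
build_rules() {
    cat <<EOF
# --- outbound UDP: DNS/NTP unlimited, everything else rate-limited per destination
iptables -N OUT_UDP 2>/dev/null || iptables -F OUT_UDP
iptables -A OUT_UDP -p udp --dport 53 -j ACCEPT
iptables -A OUT_UDP -p udp --dport 123 -j ACCEPT
iptables -A OUT_UDP -p udp -m hashlimit --hashlimit-name udp_out --hashlimit-mode dstip --hashlimit-upto $UDP_RATE --hashlimit-burst $UDP_BURST -j ACCEPT
iptables -A OUT_UDP -p udp -m limit --limit 10/min -j LOG --log-prefix "UDP-OUT-DROP: "
iptables -A OUT_UDP -p udp -j DROP
iptables -D OUTPUT -p udp -j OUT_UDP 2>/dev/null || true
iptables -I OUTPUT 1 -p udp -j OUT_UDP
# --- outbound SMTP: only the MTA (and root) may open connections to port 25
iptables -N OUT_SMTP 2>/dev/null || iptables -F OUT_SMTP
EOF
    for u in $MAIL_USERS; do
        echo "iptables -A OUT_SMTP -p tcp --dport 25 -m owner --uid-owner $u -j ACCEPT"
    done
    cat <<EOF
iptables -A OUT_SMTP -p tcp --dport 25 -m limit --limit 10/min -j LOG --log-prefix "SMTP-OUT-BLOCK: "
iptables -A OUT_SMTP -p tcp --dport 25 -j REJECT --reject-with tcp-reset
iptables -D OUTPUT -p tcp --dport 25 -j OUT_SMTP 2>/dev/null || true
iptables -I OUTPUT 1 -p tcp --dport 25 -j OUT_SMTP
EOF
}

# Number of iptables commands the generator emits; handy as a sanity check
# before applying.
rule_count() { build_rules | grep -c '^iptables '; }

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
        build_rules | sh -e
        ;;
    *)
        build_rules
        ;;
esac
```

Run without arguments to review the rules, then `--apply` as root. Dropped packets show up in the kernel log with the `UDP-OUT-DROP:` and `SMTP-OUT-BLOCK:` prefixes, which also tells you which process to hunt for: while a flood is running, the source ports in OVH's log (51660, 60816, 43787 above) can be matched against `ss -unap` or `netstat -unap` to find the owning PID. Per-destination limiting (`--hashlimit-mode dstip`) is deliberate: a plain `-m limit` would let one flood starve every other UDP destination. Note the owner rule only stops processes that connect to port 25 themselves; mail handed to the local MTA through PHP's `mail()` still leaves as the `postfix` user, which is where a policy daemon such as the policyd mentioned in the question would throttle it.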