LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-15-2016, 09:52 AM   #1
wert
LQ Newbie
 
Registered: Dec 2016
Posts: 2

Rep: Reputation: Disabled
Server used in UDP attack !Need Guidance


I have one wallpaper site that I bought which keeps getting attacked recently, and as I am a newbie to sysadmin and Linux stuff, it makes it even worse.

In September I was using Hetzner and they blocked my IP and sent this log: http://pastebin.com/7ghVhvp8. I was using CentOS 7 with this tutorial: http://bit.ly/2hREs60. After that I moved my other sites to linode.com and the wallpaper site to OVH, and it was working until a few days back.

#First:
Our anti-spam protection layer has detected that your IP 192.99.33.142 is sending spam.

Destination IP: 183.79.16.119 - Message-ID: 74d33822d902d156306d2e39b5f4bbbe@ - Spam score: 500
Destination IP: 65.20.0.49 - Message-ID: 8569140d51f1cb122028e95fec15c25f@ - Spam score: 500
Destination IP: 65.20.0.49 - Message-ID: 161158af00da76e035282b967860845a@ - Spam score: 500
Destination IP: 184.150.200.82 - Message-ID: 976c517db1b015c4de91b549154cf905@ - Spam score: 500
Destination IP: 182.22.12.248 - Message-ID: 7b8df29f2b2c25c278d6b723ecb8ea53@ - Spam score: 500

#Then:
You can find the logs brought up by our system below which led to this alert.

- START OF ADDITIONAL INFORMATION -

Attack detail : 186Kpps/56Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP

Image: http://i.imgur.com/Gn4Qneq.png

(I was using Debian 7 with ISPConfig 3 and the firewall enabled.)

Since then I have reinstalled the server, used the ISPConfig firewall, disabled SMTP for now, hardened my WordPress and got the paid Cloudflare website firewall, and now the major problem seems to be solved. But today I received this message:
"Detection of an attack on IP address 192.99.33.142". I enabled "I'm Under Attack" on Cloudflare and got "End of attack on IP address 192.99.33.142".

To avoid problems like this in the future:
1- Can someone guide me on how I can put limits on outgoing UDP packets being sent?
2- What is the most effective way to stop spam being sent? I have read about policyd after some googling.
3- Please pardon my ignorance, but I will appreciate any advice as to how I can harden my server against these sorts of attacks.

Thanks.
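The abuse report above names the local source ports the flood used, which is enough to find the process on the box that held those UDP sockets. This is an added triage helper, not code from the poster or from OVH; it assumes GNU awk/mawk and `ss` from iproute2, and the `ss` snapshot, process names and pids in the sample are constructed.

```shell
#!/bin/sh
# Triage an OVH-style abuse log (the format quoted in the post):
#   dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
# Step 1: collect the distinct local source ports the flood left behind.
# Step 2: map those ports to the process holding the UDP socket (from `ss -Hupan`),
#         so the offending script can be found instead of only rate-limited.

# Distinct source ports of UDP ATTACK lines; reads the log from file $1 or stdin.
udp_ports_from_abuse_log() {
    awk '$6 == "UDP" && $9 ~ /^ATTACK/ { split($4, a, ":"); seen[a[2]] = 1 }
         END { for (p in seen) print p }' "${1:-/dev/stdin}" | sort -n
}

# Read `ss -Hupan` lines on stdin; print "port process pid" for sockets bound to
# one of the ports in $1 (newline separated). Column 4 is the local address:port.
match_ports_to_processes() {
    awk -v wanted="$1" '
        BEGIN { n = split(wanted, w, "\n"); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            port = $4; sub(/.*:/, "", port)
            if (!(port in want)) next
            proc = "unknown"; pid = "?"
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                proc = s; sub(/.*\("/, "", proc); sub(/".*/, "", proc)
                pid = s;  sub(/.*pid=/, "", pid)
            }
            print port, proc, pid
        }' | sort -n
}

# Constructed sample: four lines in the abuse-report format plus a made-up
# `ss -Hupan` snapshot (process names and pids are hypothetical).
ABUSE_SAMPLE='2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:60816 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:43787 94.136.40.66:80 UDP --- 40 ATTACK:UDP
2016.12.11 18:01:28 CET 192.99.33.142:51660 94.136.40.66:80 UDP --- 40 ATTACK:UDP'
SS_SAMPLE='UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=611,fd=6))
UNCONN 0 0 0.0.0.0:51660 0.0.0.0:* users:(("php-fpm7.0",pid=2231,fd=9))
UNCONN 0 0 0.0.0.0:60816 0.0.0.0:* users:(("php-fpm7.0",pid=2231,fd=10))
UNCONN 0 0 0.0.0.0:43787 0.0.0.0:* users:(("perl",pid=2290,fd=3))'

# Run both steps over the sample. On a live box, use instead:
#   ss -Hupan | match_ports_to_processes "$(udp_ports_from_abuse_log abuse.log)"
triage_sample() {
    ports=$(printf '%s\n' "$ABUSE_SAMPLE" | udp_ports_from_abuse_log)
    printf '%s\n' "$SS_SAMPLE" | match_ports_to_processes "$ports"
}
```

Ports are reused by short-lived senders, so run the `ss` side while the flood is in progress; an entry pointing at php-fpm or a stray perl process is the lead to follow in the web root and plugin directories.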
 
Old 12-16-2016, 09:35 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
What software are you using for your sites? Wordpress? Something hand built? Some random script you downloaded?

If your server is being used to generate spam and attack other servers then you need to address HOW and WHY this is happening rather than trying to mitigate it after the fact by "limit outgoing packets" and "stop spam being sent".

You need to do the whole internet a favour and work out what part of your set up is being exploited and work out a way to mitigate that.

If your sites are revenue generating then I'd suggest you find an experienced Linux admin and pay them to sort out your mess.
 
Old 12-16-2016, 11:37 AM   #3
wert
LQ Newbie
 
Registered: Dec 2016
Posts: 2

Original Poster
Rep: Reputation: Disabled
The site is based on WordPress. I think the whole issue started when I started using ByREV WP-PICShield. I have followed security tutorials on server-side security and I am not getting any issues now, but you are right, it's just a better option to hire an experienced freelancer and have him diagnose the real issue. Thanks.
 
Old 12-16-2016, 12:45 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
http://codex.wordpress.org/Hardening_WordPress

files = 644
directories 755
Exceptions: cgi-related stuff.

owner seems to be a variable these days, but www-data:www-data is what I've used since, forever.

Typically, Addons/Plugins are the first suspect in my book.
/var/log/apache2/{access,error}.log also.

Outdated or insecure themes, and even Wordpress version.
Current shows 4.7 on Wordpress.

 
Old 12-16-2016, 06:31 PM   #5
end
Member
 
Registered: Aug 2016
Posts: 266

Rep: Reputation: Disabled
Re

Hi,

Do you have your own server at home, or hosting? If you have your own server at home I will help you secure it the best way I know with iptables. You don't need to pay me anything.
If you have a server at home, can you post schematics of how everything is connected to the router?
 
Old 12-16-2016, 09:18 PM   #6
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,876

Rep: Reputation: 643
Quote:
Originally Posted by Habitual View Post
files = 644
directories 755
Exceptions: cgi-related stuff.

owner seems to be a variable these days, but www-data:www-data is what I've used since, forever.
Do you really want the webserver able to rewrite its own content?
Best have it owned by some other user.
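Habitual's 644/755 rule and descendant_command's point about ownership can be checked in one pass over the document root. This is an added audit script, not code from either poster; it assumes GNU find and stat (Debian/CentOS), a web server user such as www-data, and the document root path is a placeholder. The self-check builds a throwaway tree in which the current user stands in for the web server user.

```shell
#!/bin/sh
# Audit a WordPress document root for the two points raised in the thread:
#   - files should be 644 and directories 755 (cgi-related exceptions aside)
#   - the web server user should not own (and so be able to rewrite) the content
# Usage: audit_wp_tree /var/www/example.com www-data   (path is a placeholder)

audit_wp_tree() {
    root=$1; webuser=$2
    # wrong modes, printed as "FILE_MODE 664 path" / "DIR_MODE 777 path"
    find "$root" -type f ! -perm 644 -exec stat -c 'FILE_MODE %a %n' {} +
    find "$root" -type d ! -perm 755 -exec stat -c 'DIR_MODE %a %n' {} +
    # content the web server can rewrite: owned by it, or world-writable
    find "$root" -user "$webuser" -exec stat -c 'WEBUSER_OWNED %U %n' {} + 2>/dev/null || true
    find "$root" -perm -002 -exec stat -c 'WORLD_WRITABLE %a %n' {} +
}

# Number of findings of one kind, e.g. audit_count /var/www/site www-data DIR_MODE
audit_count() {
    audit_wp_tree "$1" "$2" | grep -c "^$3 " || true
}

# Self-check on a constructed tree (not a real site): one 777 upload dir, one
# 664 config file, and everything owned by the current user, who plays the
# web server user, so every entry is reported as WEBUSER_OWNED.
selfcheck() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads" "$t/wp-admin"
    touch "$t/index.php" "$t/wp-config.php" "$t/wp-content/uploads/x.jpg"
    chmod 755 "$t" "$t/wp-content" "$t/wp-admin"
    chmod 644 "$t/index.php" "$t/wp-content/uploads/x.jpg"
    chmod 777 "$t/wp-content/uploads"   # the usual "make uploads work" shortcut
    chmod 664 "$t/wp-config.php"
    me=$(id -un)
    printf 'dir=%s file=%s owned=%s ww=%s\n' \
        "$(audit_count "$t" "$me" DIR_MODE)" "$(audit_count "$t" "$me" FILE_MODE)" \
        "$(audit_count "$t" "$me" WEBUSER_OWNED)" "$(audit_count "$t" "$me" WORLD_WRITABLE)"
    rm -rf "$t"
}
```

On a real site a clean run prints nothing for a tree owned by a deploy user; wp-content/uploads is the one directory that usually needs group write for the web server, and it should be the exception that is listed, not the whole tree.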
 