LinuxQuestions.org
01-08-2015, 08:39 AM   #1
norkers
Member
Registered: Feb 2002
Location: earth
Distribution: debian lenny
Posts: 55

Debian server on Linode - drive is full


Hi all,

I have recently become responsible for a server which a former employee set up, which hosts a couple of sites and email for us. The problem is, the drive keeps filling up, I think with log files, however I'm not 100%.

To combat this in the interim I have been using...

Code:
# run from /var/log; truncating in place frees the space immediately
cat /dev/null > syslog
cat /dev/null > mail.info
cat /dev/null > mail.warn
cat /dev/null > mail.log

to free up a hundred or so megs so the server will function, but obviously I need to find the root of the problem.

Output of 'df -h' gives...

Code:
[root@web2 log] df -h
Filesystem      Size  Used Avail Use% Mounted on
rootfs          9.5G  9.4G   52M 100% /
/dev/root       9.5G  9.4G   52M 100% /
devtmpfs        2.0G     0  2.0G   0% /dev
tmpfs           405M  212K  405M   1% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           912M     0  912M   0% /run/shm
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client1/web1/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client1/web2/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client1/web4/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client1/web5/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client2/web6/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client3/web8/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client4/web9/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client5/web10/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client6/web11/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client7/web12/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client9/web13/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client11/web15/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client10/web16/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client12/web21/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client11/web22/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client11/web23/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client12/web24/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client13/web25/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client14/web26/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client10/web27/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client15/web28/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client16/web30/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client17/web31/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client14/web33/log
/dev/root       9.5G  9.4G   52M 100% /var/www/clients/client18/web34/log
Can anyone point me in the right direction?

Thanks!

norkers
 
01-08-2015, 08:46 AM   #2
TenTenths
Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,104
Check /var/log and see what files are in there, check your web server config files to see where the sites are logging to, check mail folders for size usage.

Hopefully someone that knows a bit more about debian will come by and you'll get more detailed help and paths.

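The advice above (look in /var/log, at where the sites log, and at mailbox sizes) as a repeatable walk, added here as an example and not code from the thread. Note from the df output that every /var/www/clients/clientN/webM/log entry is the root filesystem mounted again, i.e. ISPConfig bind-mounts each site's Apache log directory there, so per-site web logs are part of the 9.4G as well. The paths in the usage comments (/var/vmail for ISPConfig mailboxes, /var/log) are the standard Debian/ISPConfig locations and are assumed, not taken from the thread; lsof is assumed installed for the second function.

```shell
#!/bin/sh
# Added example, not code from the thread. Walks the root filesystem from the top
# and reports what is actually consuming it, so the fix is aimed at the real cause
# rather than at repeatedly truncating syslog.

# Print the N largest immediate children of DIR (1K blocks, largest first).
# Start at / and re-run on the biggest entry until you reach the culprit.
# Usage: biggest DIR [N]
biggest() {
    dir=$1
    n=${2:-10}
    # -x: stay on DIR's filesystem (skips tmpfs/devtmpfs); -s: one total per entry;
    # -k: 1K units so "sort -rn" orders them. The second glob picks up dot-entries.
    du -xsk "$dir"/* "$dir"/.[!.]* 2>/dev/null | sort -rn | head -n "$n"
}

# Space that "df" still counts but "du" cannot see: files that were rm'ed while a
# daemon (rsyslog, apache, postfix) still holds them open. Restarting the daemon,
# or truncating instead of deleting (as the poster did with "cat /dev/null > syslog"),
# releases it. Needs lsof; +L1 lists open files whose link count is below 1.
# Columns printed: size, command, pid, path.
deleted_but_open() {
    lsof -nP +L1 2>/dev/null | awk 'NR > 1 && $7 > 0 { print $7, $1, $2, $10 }' | sort -rn | head
}

# Typical walk on the server in the thread (paths are the standard Debian/ISPConfig
# ones, assumed here rather than taken from the thread):
#   biggest /            # is it /var?
#   biggest /var         # /var/log, /var/vmail (ISPConfig mailboxes) or /var/www?
#   biggest /var/log 20  # which log, and is logrotate actually rotating it?
#   deleted_but_open
```

If /var/log keeps refilling within days, the real question is why logrotate is not keeping up (check /etc/logrotate.d for the file in question and run `logrotate -d /etc/logrotate.conf` to see what it would do); the later posts in this thread show the answer here was an outbound spam flood writing to mail.log.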
 
01-08-2015, 09:22 AM   #3
norkers (Original Poster)
Hi TenTenths, thanks for the reply. I must confess, I am not good with server config as I've been strictly a home user for some years - what I really need is someone who's had a similar problem who can give me some concrete instructions. Let me apologise in advance for my lack of skills!

One thing though, the log files go to the /var/www/clients... mount points. I don't know if this indicates something. ISPConfig is also set up on the machine and seems to be creating all these mountpoints (I think!).

Thanks
 
01-08-2015, 09:28 AM   #4
TenTenths
Quote:
Originally Posted by norkers View Post
Hi TenTenths, thanks for the reply. I must confess, I am not good with server config as I've been strictly a home user for some years - what I really need is someone who's had a similar problem who can give me some concrete instructions.
I'm also sorry I can't give you concrete advice on debian, I'm a server guy but 99.99% CentOS/RedHat!
 
01-09-2015, 06:32 AM   #5
norkers (Original Poster)
I don't know if this helps but it concerns me, in the auth.log file...

Code:
Jan  5 08:27:10 web2 sshd[17080]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Jan  5 08:27:12 web2 sshd[17080]: Failed password for root from 103.41.124.41 port 38026 ssh2
Jan  5 08:27:14 web2 sshd[17080]: Failed password for root from 103.41.124.41 port 38026 ssh2
Jan  5 08:27:17 web2 sshd[17080]: Failed password for root from 103.41.124.41 port 38026 ssh2
Jan  5 08:27:17 web2 sshd[17080]: Received disconnect from 103.41.124.41: 11:  [preauth]
Jan  5 08:27:17 web2 sshd[17080]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Jan  5 08:27:18 web2 sshd[17082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Jan  5 08:27:20 web2 sshd[17082]: Failed password for root from 103.41.124.41 port 55459 ssh2
Jan  5 08:27:23 web2 sshd[17082]: Failed password for root from 103.41.124.41 port 55459 ssh2
Jan  5 08:27:25 web2 sshd[17082]: Failed password for root from 103.41.124.41 port 55459 ssh2
Jan  5 08:27:25 web2 sshd[17082]: Received disconnect from 103.41.124.41: 11:  [preauth]
Jan  5 08:27:25 web2 sshd[17082]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Jan  5 08:29:49 web2 sshd[17272]: Invalid user Jewel from 157.7.199.67
Jan  5 08:29:49 web2 sshd[17272]: input_userauth_request: invalid user Jewel [preauth]
Jan  5 08:29:49 web2 sshd[17272]: pam_unix(sshd:auth): check pass; user unknown
This is just a snippet, there's a lot of it, loads of different user names and passwords changed. Can't see that anyone has gained access. From what I can see it looks like we are trying to send emails from users I know don't exist (fake.name@realdomain.com) to yahoo and google addresses, which could indicate why some users struggle to send to gmail addresses. I think we may be under attack here, but I lack the technical know-how to fix it. Any thoughts guys?

Thanks,

 
01-09-2015, 06:35 AM   #6
TenTenths
Those are login attempts from an IP in Hong Kong.

Do you really need to allow SSH access from "anywhere" to that server?

If you have to allow it then take a look at fail2ban which will block an IP from accessing your server for a period of time after a number of failed logins.
 
01-09-2015, 08:59 AM   #7
norkers (Original Poster)
I've checked fail2ban - it's installed. The jail.conf file seems to allow 6 retries on ssh access - do you think I'd be safe to change this to 2? Are you experienced with this package? The reason I ask is that there is only fail2ban.conf and jail.conf, although a couple of guides I've looked at online recommend a fail2ban.local file.

Either way it seems to be working, and the fail2ban log file shows it blocking IPs. I guess it's covered! I'll keep reading and see if I can refine the setup.

I've managed to free up some space deleting old emails from unused accounts. I've removed these accounts using ISPConfig which doesn't seem to have actually deleted the files. Do you think I'm okay deleting the directories for these emails and sites that have been deleted with ISPConfig without some kind of catastrophic system failure?
 
01-09-2015, 09:35 AM   #8
TenTenths
For fail2ban I have SSH set to 5 attempts in 10 minutes, you could reduce it to 2 if you want but be aware that it will generally affect you logging in to the system as well, so if you're like me and sometimes take a couple of goes to remember your password then set it accordingly.

I've never used ISPConfig so can't really comment on that.
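The auth.log discussion in posts #5 to #8 (what the failures look like, whether 6 retries should become 2, the missing .local file, and the risk of banning yourself) as one worked example. This is added here and is not code from the thread. The auth.log sample is constructed, modelled on the lines quoted in post #5; 203.0.113.10 stands in for the address you administer from and is an assumption; the jail name "ssh" is the Debian fail2ban 0.8 name (it is "sshd" from 0.9 on), so check jail.conf on the box.

```shell
#!/bin/sh
# Added example, not code from the thread. Two pieces: (1) the count that fail2ban's
# sshd filter effectively performs, done by hand over auth.log so you can see who is
# hammering the box and whether a given maxretry would have caught them; (2) a
# jail.local overlay, which is the file the poster was missing: fail2ban reads
# jail.conf and then applies jail.local on top, so local changes survive upgrades.

# Constructed auth.log sample, modelled on the lines quoted in the thread.
sample_auth_log() {
    cat <<'EOF'
Jan  5 08:27:10 web2 sshd[17080]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Jan  5 08:27:12 web2 sshd[17080]: Failed password for root from 103.41.124.41 port 38026 ssh2
Jan  5 08:27:14 web2 sshd[17080]: Failed password for root from 103.41.124.41 port 38026 ssh2
Jan  5 08:27:17 web2 sshd[17080]: Failed password for root from 103.41.124.41 port 38026 ssh2
Jan  5 08:27:17 web2 sshd[17080]: Received disconnect from 103.41.124.41: 11:  [preauth]
Jan  5 08:27:20 web2 sshd[17082]: Failed password for root from 103.41.124.41 port 55459 ssh2
Jan  5 08:27:23 web2 sshd[17082]: Failed password for root from 103.41.124.41 port 55459 ssh2
Jan  5 08:27:25 web2 sshd[17082]: Failed password for root from 103.41.124.41 port 55459 ssh2
Jan  5 08:29:49 web2 sshd[17272]: Invalid user Jewel from 157.7.199.67
Jan  5 08:29:51 web2 sshd[17272]: Failed password for invalid user Jewel from 157.7.199.67 port 40122 ssh2
Jan  5 08:40:02 web2 sshd[17300]: Accepted publickey for admin from 203.0.113.10 port 51000 ssh2
EOF
}

# Print "COUNT IP" for every source with at least MAXRETRY failed passwords.
# fail2ban additionally limits the count to a window (findtime); this ignores time.
# Usage: failed_by_ip LOGFILE MAXRETRY
failed_by_ip() {
    awk -v max="$2" '
        # "Failed password for <user> from <ip> port <n> ssh2" and the
        # "... for invalid user <user> from <ip> ..." variant both carry the
        # source address in the field after "from".
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i+1)]++
        }
        END { for (ip in hits) if (hits[ip] >= max) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Write the jail.local overlay. TARGET defaults to the real path; pass another path
# for a dry run. 203.0.113.10 stands in for the address you administer from (assumed;
# change it): an ignoreip entry is what keeps a mistyped password from banning
# yourself, the concern raised in the thread about lowering maxretry.
write_jail_local() {
    target=${1:-/etc/fail2ban/jail.local}
    cat > "$target" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8 203.0.113.10
bantime  = 3600
findtime = 600

# Section name must match the jail in jail.conf: "ssh" in fail2ban 0.8 (Debian wheezy),
# "sshd" in 0.9 and later.
[ssh]
enabled  = true
maxretry = 3
EOF
}

# On the server:
#   failed_by_ip /var/log/auth.log 3
#   write_jail_local && fail2ban-client reload && fail2ban-client status ssh
```

With maxretry = 3 the two bursts from 103.41.124.41 in the sample (six failures in 15 seconds) are banned after the first three; the single failure from 157.7.199.67 is not, which is the trade-off TenTenths describes. The more robust answer to "do you need SSH from anywhere?" is still to restrict it (a Linode firewall rule or sshd `AllowUsers`/`PermitRootLogin no` plus key-only login), with fail2ban as the backstop.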
 
01-16-2015, 09:51 AM   #9
norkers (Original Poster)
Okay, I think I'm getting somewhere. The server is being used to spam. This is a section from the mail.log.....

Quote:
Jan 16 06:44:44 web2 postfix/qmgr[4907]: 4072A67AB6: from=<leslie_pace@xxxxxxxx.co.uk>, size=1223, nrcpt=1 (queue active)
Jan 16 06:44:44 web2 postfix/error[6808]: 4072A67AB6: to=<asak1988@yahoo.com>, relay=none, delay=874, delays=874/0.02/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.34] while sending RCPT TO)
leslie_pace is not one of our mailboxes, however the domain (I've x'd it out) is ours.

As far as I can see, nobody has gained root access and no passwords have been changed. Is this a problem with the SMTP server being insecure? Is there a way of securing the SMTP side of things?

Any help would be appreciated! I'm migrating emails and websites away from this server, however it contains some bespoke systems which I cannot afford to mess up, so I could do with securing the server.

Any ideas?

Ta
 
01-16-2015, 09:55 AM   #10
norkers (Original Poster)
Also, no email accounts on this server can send to gmail, hotmail, yahoo, etc... so clearly we're blacklisted due to the spam situation.
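The question in posts #9 and #10 is really "how is the spam getting in?", and the qmgr line quoted above cannot answer it on its own: it shows the forged envelope sender, but the entry point is on the pickup or smtpd line that carries the same queue ID. The following is an added example, not code from the thread, that joins those lines. The mail.log sample is constructed (example.* domains and documentation IP ranges) with the thread's qmgr line as the model; the pickup/smtpd line formats are standard Postfix. The uid-to-account mapping (33 = www-data) is the Debian default and is an assumption about this box.

```shell
#!/bin/sh
# Added example, not code from the thread. Answers "how is the spam getting in?" by
# joining Postfix log lines on the queue ID: qmgr tells you the envelope sender, but
# the pickup or smtpd line for the same ID tells you the entry point, which is what
# decides the fix.

# Constructed mail.log sample (example.* domains), modelled on the qmgr line quoted
# in the thread; the pickup/smtpd lines are the standard Postfix formats.
sample_mail_log() {
    cat <<'EOF'
Jan 16 06:30:01 web2 postfix/pickup[2100]: 1A2B3C4D5E: uid=33 from=<www-data>
Jan 16 06:30:01 web2 postfix/cleanup[2101]: 1A2B3C4D5E: message-id=<20150116063001.1A2B3C4D5E@web2>
Jan 16 06:30:01 web2 postfix/qmgr[4907]: 1A2B3C4D5E: from=<leslie_pace@example.co.uk>, size=1223, nrcpt=1 (queue active)
Jan 16 06:31:10 web2 postfix/smtpd[2200]: connect from unknown[198.51.100.7]
Jan 16 06:31:11 web2 postfix/smtpd[2200]: 5F6A7B8C9D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=info@example.co.uk
Jan 16 06:31:11 web2 postfix/qmgr[4907]: 5F6A7B8C9D: from=<info@example.co.uk>, size=2048, nrcpt=1 (queue active)
Jan 16 06:32:00 web2 postfix/smtpd[2201]: 9E8D7C6B5A: client=mail.example.org[192.0.2.25]
Jan 16 06:32:00 web2 postfix/qmgr[4907]: 9E8D7C6B5A: from=<bob@example.org>, size=900, nrcpt=1 (queue active)
EOF
}

# Print "QUEUEID SENDER ORIGIN" for every message that entered the active queue.
#   local uid=N                      -> handed to sendmail(1) by a local process; uid 33
#                                       is www-data on Debian, i.e. a web script is sending
#   smtp client=... sasl_username=X  -> authenticated SMTP using mailbox X's password
#   smtp client=...                  -> unauthenticated network delivery (inbound mail, or
#                                       an open relay if it is outbound to other domains)
# Usage: mail_origins LOGFILE
mail_origins() {
    awk '
        function qid(f) { sub(":$", "", f); return f }
        /postfix\/pickup\[[0-9]+\]: [0-9A-Z]+: uid=/ {
            for (i = 7; i <= NF; i++) if ($i ~ /^uid=/) origin[qid($6)] = "local " $i
        }
        /postfix\/smtpd\[[0-9]+\]: [0-9A-Z]+: client=/ {
            o = $7; sub(",$", "", o); o = "smtp " o
            for (i = 8; i <= NF; i++) if ($i ~ /^sasl_username=/) o = o " " $i
            origin[qid($6)] = o
        }
        /postfix\/qmgr\[[0-9]+\]: [0-9A-Z]+: from=</ {
            s = $7; sub("^from=<", "", s); sub(">,$", "", s)
            id = qid($6)
            print id, s, ((id in origin) ? origin[id] : "unknown")
        }
    ' "$1" | sort
}

# Same join, summarised: how many messages came in through each entry point.
origin_counts() {
    mail_origins "$1" | awk '{ $1 = ""; $2 = ""; sub("^ +", ""); c[$0]++ }
                             END { for (o in c) print c[o], o }' | sort -rn
}

# On the server:
#   origin_counts /var/log/mail.log
#   mail_origins /var/log/mail.log | grep ' local ' | head
#   postqueue -p | tail -n 1        # backlog size ("-- N Kbytes in M Requests.")
```

The remedy follows from the origin. A run of `local uid=33` lines means a script under a site's web root is calling the local sendmail; find it (recently modified .php files under /var/www, and Apache access logs for POSTs to it), remove it, and drop the backlog with `postsuper -d ALL deferred`. A `sasl_username=` means that mailbox's password is in the spammer's hands: change it. Outbound mail with neither means relaying is too permissive; check `postconf smtpd_recipient_restrictions`. In all three cases the blacklisting in post #10 only clears once the flood has stopped, so fix the source before requesting delisting.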
 
  

