1. Block an IP address or an IP range with Iptables
To block a hacker, you need to block his IP address in the firewall of your Linux server.
For this, we will use iptables to drop incoming traffic from the IP address “xx.xx.xx.xx” (where xx.xx.xx.xx is the IP address of the hacker). The “-I” option inserts the rule at the top of the INPUT chain, so the DROP is evaluated before any ACCEPT rule that already exists below it. Rules added this way live only in the running kernel : to keep them after a reboot, save them (for example with “iptables-save”, or with the “iptables-persistent” package on Debian / Ubuntu).
Code : Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
If the hacker uses an IP range (for example : 10.0.0.10, 10.0.0.11, 10.0.0.12, … 10.0.0.20), simply use this command :
Code : Bash
iptables -I INPUT -m iprange --src-range 10.0.0.10-10.0.0.20 -j DROP
If you want to block outgoing connections (your server => other servers) to an IP range, put the rule in the OUTPUT chain and use the “--dst-range” parameter instead of “--src-range” (the INPUT chain only sees packets arriving at the server, so a rule placed there would never match outgoing traffic).
Thus, your server will no longer be able to send data to this IP range.
Code : Bash
iptables -I OUTPUT -m iprange --dst-range 10.0.0.10-10.0.0.20 -j DROP
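The three commands above are enough on a one-off basis, but typed repeatedly they silently stack duplicate rules, and a typo in the address can lock you out of your own server. The script below is an added example (not part of the original article) that wraps the same iptables commands : it validates the address, refuses loopback and any address listed in the NEVER_BLOCK variable (your own workstation, for instance), and uses “iptables -C” to check whether the DROP rule is already present before inserting it. NEVER_BLOCK and DRY_RUN (print the commands instead of running them) are conventions of this script, not iptables features.

```sh
#!/bin/sh
# Added example (not part of the original article): a small wrapper around the
# iptables commands above. It validates the address, refuses addresses that
# would lock you out, and checks with "iptables -C" whether the DROP rule is
# already there, so running it twice does not stack duplicate rules.
# NEVER_BLOCK (space-separated IPv4 addresses, e.g. your own workstation) and
# DRY_RUN=1 (print the commands instead of running them) are assumptions of
# this example, not iptables features.
set -u

NEVER_BLOCK="${NEVER_BLOCK:-}"

# run <command...>: execute, or just print the command line when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# rule_exists <rule spec>: true if the rule is already in the chain.
# In dry-run mode nothing is ever considered present.
rule_exists() {
  [ "${DRY_RUN:-0}" = 1 ] && return 1
  iptables -C "$@" 2>/dev/null
}

# is_ipv4 <string>: accept only a dotted quad with octets 0-255. This keeps
# stray characters (spaces, extra options) out of the iptables command line.
is_ipv4() {
  _addr=$1
  case $_addr in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $_addr
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# is_protected <ip>: loopback or anything listed in NEVER_BLOCK.
is_protected() {
  case $1 in 127.*) return 0 ;; esac
  for _p in $NEVER_BLOCK; do
    [ "$1" = "$_p" ] && return 0
  done
  return 1
}

# block_ip <ip>: DROP a single source address.
# Returns 0 when inserted, 1 when already blocked, 2 invalid, 3 protected.
block_ip() {
  ip=$1
  is_ipv4 "$ip" || { echo "refusing '$ip': not an IPv4 address" >&2; return 2; }
  if is_protected "$ip"; then echo "refusing '$ip': protected address" >&2; return 3; fi
  if rule_exists INPUT -s "$ip" -j DROP; then echo "$ip is already blocked"; return 1; fi
  run iptables -I INPUT -s "$ip" -j DROP
}

# block_range <first> <last>: DROP a contiguous range with the iprange match.
block_range() {
  first=$1; last=$2
  is_ipv4 "$first" && is_ipv4 "$last" || { echo "invalid range '$first-$last'" >&2; return 2; }
  if rule_exists INPUT -m iprange --src-range "$first-$last" -j DROP; then
    echo "$first-$last is already blocked"; return 1
  fi
  run iptables -I INPUT -m iprange --src-range "$first-$last" -j DROP
}

# Usage: DRY_RUN=1 sh block.sh 203.0.113.5        (single address)
#        sh block.sh 10.0.0.10 10.0.0.20           (range, as root)
if [ $# -eq 1 ]; then block_ip "$1"; elif [ $# -ge 2 ]; then block_range "$1" "$2"; fi
```

Run it with DRY_RUN=1 first to see the exact rule it would insert. The rules it adds are as volatile as the manual ones : save them with iptables-save if they must survive a reboot, and remember that IPv6 clients need the same treatment with ip6tables.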
2. Block an attack on the SMTP protocol (SASL authentication) – Postfix
When you secure a mail server, you enable SASL authentication on it so that nobody can use your mail server without credentials. Users are forced to authenticate themselves through SASL in order to send mails. This prevents your server from being blacklisted by other mail servers, because hackers can not use it to send spam.
Because a secured mail server is protected by authentication, hackers try to find the credentials of one of your email accounts with a brute-force attack. In short, they try a list of likely account names such as “info@your-domain.com”, “contact@your-domain.com”, “webmaster@your-domain.com”, … with passwords such as “1234”, “home”, … or words from a dictionary.
Of course, all these authentication attempts on your server are stored in log files.
To list the email addresses that the hacker tried to break into, list the lines of the “/var/log/auth.log” file that contain the “auth failure” pattern (saslauthd logs the user name there, but not the client address).
Code : Bash
grep "auth failure" /var/log/auth.log
It will display something similar to this :
Code : Plain Text
Month Day xx:xx:xx Server name saslauthd[xxxx]: do_auth : auth failure: [user=account@domain.com] [service=smtp] [realm=domain.com] [mech=pam] [reason=PAM auth error]
To list the IP addresses used for these attacks, list the lines of the “/var/log/mail.log” file that contain the “SASL LOGIN authentication failed” pattern. Postfix names the SASL mechanism in the message, so clients using the PLAIN mechanism appear as “SASL PLAIN authentication failed” instead : search for “authentication failed” to catch both.
Code : Bash
grep "SASL LOGIN authentication failed" /var/log/mail.log
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the attacker.
Code : Plain Text
Month Day xx:xx:xx Server name postfix/smtpd[xxxxx]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: authentication failure
For users of “Logwatch”, you will see lines like these in the reports that you receive by mail :
Code : Plain Text
SASL Authentications failed xx Time(s)
   Service smtp (pam) - xx Time(s):
      Realm domain.com - xx Time(s):
         User: account@domain.com - PAM auth error - xx Time(s):
With this information, you know that a hacker tried these credentials on your server. However, the report doesn't give you his IP address. To find it, search “/var/log/mail.log” as shown above.
To install and configure “Logwatch”, refer to our tutorial : Debian / Ubuntu – Detect attacks made against your server with Logwatch
Finally, block the hacker by typing this command :
Code : Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
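Grepping the log shows the raw lines ; what you actually want before firewalling anyone is a count per client, so that a user who mistyped a password once is not treated like the bot that tried two hundred times. The script below is an added example (not part of the original article) that does this over a Postfix mail.log and an auth.log. The log lines it writes are constructed for the demonstration, in the formats shown above, and use documentation addresses (203.0.113.0/24, 198.51.100.0/24); the threshold and the helper names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original article): pull the failing client
# addresses out of a Postfix mail.log and keep only those that crossed a
# threshold, so one mistyped password is not firewalled along with the
# brute-forcer. Postfix names the mechanism in the message ("SASL LOGIN ..."
# or "SASL PLAIN ..."), so both are matched. The log lines written by
# make_sample_logs are constructed for this demo; the real files are
# /var/log/mail.log and /var/log/auth.log.

# sasl_offenders <mail.log> [min_failures]
# Prints "count ip", busiest first, for every client with at least
# min_failures (default 5) failed SASL logins.
sasl_offenders() {
  _log=$1
  _min=${2:-5}
  grep 'SASL [A-Z0-9-]* authentication failed' "$_log" \
    | sed -n 's/.*warning: [^[]*\[\([0-9.]*\)\]: SASL .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk -v min="$_min" '$1 >= min { print $1, $2 }'
}

# tried_accounts <auth.log>
# Prints "count user" for the mailboxes saslauthd reported failures on.
# saslauthd logs the user name but not the client address, which is why the
# IP has to come from mail.log.
tried_accounts() {
  sed -n 's/.*auth failure: \[user=\([^]]*\)\].*/\1/p' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# make_sample_logs <mail.log path> <auth.log path>: constructed sample data.
make_sample_logs() {
  cat > "$1" <<'EOF'
Mar  3 10:12:01 mail postfix/smtpd[2143]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:12:03 mail postfix/smtpd[2143]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:12:05 mail postfix/smtpd[2143]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:12:09 mail postfix/smtpd[2150]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:30:44 mail postfix/smtpd[2201]: warning: host-9.example.net[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:30:50 mail postfix/smtpd[2201]: warning: host-9.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:31:00 mail postfix/smtpd[2201]: disconnect from host-9.example.net[198.51.100.9]
Mar  3 10:45:12 mail postfix/smtpd[2230]: connect from unknown[192.0.2.4]
EOF
  cat > "$2" <<'EOF'
Mar  3 10:12:01 mail saslauthd[1890]: do_auth         : auth failure: [user=info@example.com] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
Mar  3 10:12:03 mail saslauthd[1890]: do_auth         : auth failure: [user=info@example.com] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
Mar  3 10:30:44 mail saslauthd[1890]: do_auth         : auth failure: [user=contact@example.com] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
EOF
}

# Usage on a real server, blocking every client with 5 or more failures:
#   sasl_offenders /var/log/mail.log 5 | while read -r n ip; do
#     iptables -I INPUT -s "$ip" -j DROP
#   done
```

On the sample data, sasl_offenders with a threshold of 3 reports only 203.0.113.7 (4 failures, LOGIN and PLAIN combined), while 198.51.100.9 with 2 failures stays below the line ; tried_accounts shows which mailboxes were targeted so you can warn their owners and check their passwords.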
3. Block an attack on the IMAP / POP3 protocol – Courier
When you configure a complete mail server, you install several things :
- The mail server (usually Postfix)
- The SMTP protocol for sending emails (built into Postfix)
- A webmail (web interface to read your emails)
- IMAP and / or POP3 protocols
The IMAP and POP3 protocols are used to access your emails with an email client. When you install these services, you must open the following ports to everyone : IMAP (143), IMAPS (993), POP3 (110) and POP3S (995). This allows you to check your mails from any computer, smartphone, … and from anywhere. It also allows anyone (including hackers) to connect to these ports to perform a brute-force attack.
To list the IP addresses used for these attacks, list the lines of the “/var/log/mail.log” file that contain the “LOGIN FAILED” pattern.
Code : Bash
grep "LOGIN FAILED" /var/log/mail.log
It will display something similar to this :
Note :
– This file contains the history of both the POP3 server (pop3d) and the IMAP server (imapd).
– xx.xx.xx.xx is the IP address of the hacker. Courier writes IPv4 clients as IPv4-mapped IPv6 addresses (“::ffff:xx.xx.xx.xx”) : use only the “xx.xx.xx.xx” part in the iptables rule. A client that connects over native IPv6 appears without the “::ffff:” prefix and must be blocked with ip6tables instead.
– If a hacker tries to connect using your webmail, the IP address will be “127.0.0.1” or the IP address of your server. In this case, don't block this IP address, otherwise the webmail will be unusable.
Code : Plain Text
Month Day xx:xx:xx Server name pop3d: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
Month Day xx:xx:xx Server name imapd: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
The same applies if the hacker connects through the SSL-protected variants of these protocols (POP3S and IMAPS) :
Code : Plain Text
Month Day xx:xx:xx Server name pop3d-ssl: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
Month Day xx:xx:xx Server name imapd-ssl: LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]
For users of “Logwatch”, you will see lines like these in the reports that you receive by mail :
Code : Plain Text
--------------------- IMAP Begin ------------------------

 [IMAPd] Logout stats:
 ====================
 User | Logouts | Downloaded | Mbox Size
 --------------------------------------- | ------- | ---------- | ----------
 account@domain.com | x | xxxx | x
 ---------------------------------------------------------------------------
  | x | xxxx | x

 **Unmatched Entries**
 Failed to connect to socket /tmp/fam-vmail-: x Time(s)
 LOGIN FAILED, method=PLAIN, ip=[::ffff:xx.xx.xx.xx]: x Time(s)
 LOGIN FAILED, user=account@domain.com, ip=[::ffff:xx.xx.xx.xx]: x Time(s)

 ---------------------- IMAP End -------------------------

 --------------------- POP-3 Begin ------------------------

 [POP3] Login failures:
 =========================
 Host (user) | #
 ------------------------------------------------------------- | -----------
 xx.xx.xx.xx (account@domain.com) | x
 ---------------------------------------------------------------------------
 x

 ---------------------- POP-3 End -------------------------
With this information, you know the IP addresses of the hackers attacking the “POP3” or “IMAP” protocols.
Finally, block the hacker by typing this command :
Code : Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
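Two details in the Courier lines above are easy to get wrong by hand : the “::ffff:” prefix must be stripped before the address is given to iptables, and the webmail's own address must never end up in the block list. The script below is an added example (not part of the original article) that takes care of both, counts failures per client, and routes native IPv6 clients to ip6tables. The sample log lines are constructed for the demonstration in the formats shown above; the server address passed as second argument, the threshold and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original article): extract the client
# addresses from Courier's "LOGIN FAILED" lines. Courier logs IPv4 clients as
# IPv4-mapped IPv6 addresses (ip=[::ffff:a.b.c.d]); the prefix is stripped so
# the address can be fed to iptables, native IPv6 clients are routed to
# ip6tables, and the webmail's own address (127.0.0.1 / the server IP given as
# second argument) is skipped, as the article warns. The lines written by
# make_sample_log are constructed for this demo; the real file is
# /var/log/mail.log.

# courier_offenders <mail.log> [server_ip]
# Prints "count tool ip" (tool is iptables or ip6tables), busiest first.
courier_offenders() {
  _log=$1
  _self=${2:-}
  grep 'LOGIN FAILED' "$_log" \
    | sed -n 's/.*ip=\[\([^]]*\)\].*/\1/p' \
    | sed 's/^::ffff://' \
    | awk -v self="$_self" '
        $0 == "127.0.0.1" || $0 == "::1" || $0 == self { next }   # webmail / local
        { n[$0]++ }
        END {
          for (ip in n)
            printf "%d %s %s\n", n[ip], (ip ~ /:/ ? "ip6tables" : "iptables"), ip
        }' \
    | sort -rn
}

# courier_block_commands <mail.log> [server_ip] [min_failures]
# Turns the offender list into firewall commands for clients with at least
# min_failures (default 5) failures. Review the output, then pipe it into sh.
courier_block_commands() {
  courier_offenders "$1" "${2:-}" \
    | awk -v min="${3:-5}" '$1 >= min { printf "%s -I INPUT -s %s -j DROP\n", $2, $3 }'
}

# make_sample_log <path>: constructed sample data (documentation addresses).
make_sample_log() {
  cat > "$1" <<'EOF'
Mar  3 11:02:10 mail pop3d: LOGIN FAILED, user=info@example.com, ip=[::ffff:203.0.113.7]
Mar  3 11:02:12 mail pop3d: LOGIN FAILED, user=info@example.com, ip=[::ffff:203.0.113.7]
Mar  3 11:02:15 mail imapd-ssl: LOGIN FAILED, user=contact@example.com, ip=[::ffff:203.0.113.7]
Mar  3 11:05:40 mail imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[2001:db8::5]
Mar  3 11:05:41 mail imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[2001:db8::5]
Mar  3 11:10:00 mail imapd: LOGIN FAILED, user=info@example.com, ip=[::ffff:127.0.0.1]
Mar  3 11:10:01 mail imapd: LOGIN FAILED, user=info@example.com, ip=[::ffff:127.0.0.1]
Mar  3 11:10:02 mail imapd: LOGIN FAILED, user=info@example.com, ip=[::ffff:198.51.100.2]
Mar  3 11:11:00 mail imapd: LOGIN, user=info@example.com, ip=[::ffff:192.0.2.4], protocol=IMAP
EOF
}

# Usage on a real server (198.51.100.2 standing in for your own address):
#   courier_block_commands /var/log/mail.log 198.51.100.2 5 | sh
```

On the sample data with 198.51.100.2 as the server address, the four webmail-originated failures (127.0.0.1 and the server itself) disappear from the list, 203.0.113.7 is reported with 3 failures for iptables, and 2001:db8::5 with 2 failures for ip6tables. Webmail failures have to be traced in the webmail's own log instead, which is the subject of the next section.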
4. Block an attack on webmail RoundCube
If a hacker or a malicious person tries to break into one of your email accounts through your webmail, you must look in the webmail log and not in the IMAP server log.
The reason is simple : the hacker connects to the webmail, and the webmail connects to the IMAP server. So, you will only find the IP address of the webmail in the IMAP server log.
For the webmail “RoundCube” (a professional webmail used by OVH, LWS and other web hosts), simply list the lines of the “<RoundCube folder>/logs/errors” file that contain the “Login failed” pattern.
Code : Bash
grep "Login failed" <RoundCube folder>/logs/errors
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker.
Code : Plain Text
[Day-Month-Year xx:xx:xx +0200]: <xxxxxxxx> IMAP Error: Login failed for account@domain.com from xx.xx.xx.xx. Could not connect to ssl://imap.domaine.com:993: Connection refused in <RoundCube folder>/program/lib/Roundcube/rcube_imap.php on line 198 (POST /?_task=mail&_action=refresh?_task=&_action=)
Read the reason at the end of the line before blocking anyone : RoundCube logs “Login failed” whenever the IMAP login does not succeed, and in the example above the reason is “Could not connect … Connection refused”, meaning the IMAP server was unreachable, which is a problem on your side rather than a wrong password. Only repeated “Login failed” lines from the same address, for one or several accounts, with an authentication error as the reason, point to a brute-force attack.
Finally, block the hacker by typing this command :
Code : Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
5. Block an attack on the HTTP / HTTPS protocol – Apache
A web server can also be attacked.
Hackers attack a web server for several reasons :
- to exploit a vulnerability in the web server (Apache, the most famous Linux web server), in one of its modules such as PHP, or in the web application, in order to execute code on the server. This is what is called an “exploit”.
- to attempt to access the administration pages hosted on the server.
- to make the server or a website unreachable with a DDOS attack
In the first 2 cases, it's possible to block the hacker's attacks.
In the last case, you must use a reverse proxy or a hardware router (like a Cisco router) to be able to block or mitigate the effects of the DDOS attack.
5.1. Block malicious code injections
For this type of attack, there are two operations to perform :
- First : update the web server (Apache), the “PHP” module (which allows you to create dynamic pages) and its extensions, so that the flaw being exploited is patched.
- Then : block the IP addresses of the hackers who made these attacks.
To detect these attacks, just check the “/var/log/apache2/error.log” file.
Note : the “tail” command displays the xx last lines of the file given as a parameter (replace xx with the number of lines you want, for example 100).
Code : Bash
tail -n xx /var/log/apache2/error.log
Attempted “exploits” (attacks using a flaw in a program), if any, look similar to the lines below. The “() { :;};” sequence sent in the Referer header is the signature of the Shellshock bug in bash (CVE-2014-6271) : the attacker hopes that a CGI script will pass the header to a vulnerable bash, which then runs the command that follows. Here the requests to the CGI directories were denied by the server configuration, so they never reached a script and only left these traces.
Note : for safety, we have voluntarily truncated those lines.
Code : Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/cgi-sys, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/cgi-mod, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/cgi-bin-sdb, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/, referer: () { :;} ;echo;/usr/local/bin...
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/, referer: () { :;}; /bin/bash...
5.2. Block attempts to access administrative pages
Attempts to access administrative pages are easy to identify.
These lines contain the default paths of the administration pages of common CMS and management tools, which attackers enumerate without knowing whether they are installed.
Here are several examples of attacks received on our web server.
The website administration :
Code : Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/admin
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] client denied by server configuration: /var/www/administration
phpMyAdmin, which allows you to manage your MySQL database from a web interface written in PHP :
Code : Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phpMyAdmin
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phpMyAdmin-4.2.1-all-languages
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phpMyAdmin-4.2.1-english
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/pma
MySQLDumper (similar to phpMyAdmin) :
Code : Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/mysql
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/MySQLDumper
phpPgAdmin (similar to phpMyAdmin, but for PostgreSQL) :
Code : Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/phppgadmin
WordPress :
Code : Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/wp-admin.php
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/wp-login.php
CGI (Common Gateway Interface) is a standard method used to generate dynamic content on Web pages and Web applications. CGI, when implemented on a Web server, provides an interface between the Web server and programs that generate the Web content.
Definition from Wikipedia.
Because we have removed the “/cgi-bin” alias from our Apache configuration, these requests hit nothing : the attacks are useless and only leave traces in the log file.
Code : Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /var/www/cgi-bin
And many others :
Code : Plain Text
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /ftpmanager
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /ftpmanager
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /xmlrpc.php
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: .../trackback
[Day name Month Day xx:xx:xx Year] [error] [client xx.xx.xx.xx] File does not exist: /www.domaine.com.sql
For “Logwatch” users, you will see lines like these in the reports that you receive by mail :
Code : Plain Text
--------------------- httpd Begin ------------------------

 A total of xx sites probed the server
    xx.xx.xx.xx
    xx.xx.xx.xx

 Requests with error response codes
    400 Bad Request
       /a-bad-request.html: x Time(s)
    401 Unauthorized
       /a-restricted-page.php: x Time(s)
    404 Not Found
       /a-not-found-page.html: x Time(s)
    405 Method Not Allowed
       /a-not-allowed-method.jpg: x Time(s)
    408 Request Timeout
       null: x Time(s)
    500 Internal Server Error
       /: 1 Time(s)
    501 Not Implemented
       /: x Time(s)

 ---------------------- httpd End -------------------------
With this information, you will easily detect the attacks mentioned above (with the number of attempts : x Time(s)). However, the report doesn't give you the attacker's IP address. To find it, search “/var/log/apache2/error.log” as shown above.
In addition, the report shows the list of IP addresses that connected at least once to your server (by default : during the previous day). If you see multiple IP addresses with the same beginning (e.g. xx.xx.xx.10, xx.xx.xx.11, xx.xx.xx.12, …), it is either a crawler (or bot) or a hacker using several IP addresses of the same network.
To determine whether it is a crawler or a hacker, search for the IP address (or the beginning of the IP address) in the “/var/log/apache2/access.log” file and look at the pages it requested and the User-Agent it sent.
Warning : don't block the bots of Google, Bing, Yahoo, Msn, …, otherwise your website will disappear from the search engines. Since the Google bots and the others would no longer have access to your server, they would consider that the website no longer exists. If you use the “Google Webmasters”, “Bing – Webmaster Tools”, … tools, you may receive a warning from them (this is the case for Google Webmasters). The User-Agent string alone proves nothing, because anyone can send “Googlebot” in it : check the reverse DNS of the address (host xx.xx.xx.xx), make sure the name belongs to the search engine's domain (googlebot.com or google.com for Google), and check that this name resolves back to the same IP address.
Code : Bash
grep "xx.xx.xx.xx" /var/log/apache2/access.log
Finally, block the hacker by typing this command :
Code : Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
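Sections 5.1 and 5.2 describe two different signals in the same error.log, and they deserve different reactions : a Shellshock probe is an exploit attempt and can be blocked on sight, while a single 404 on /wp-login.php may be a lost visitor and only becomes suspicious when the same client enumerates several admin paths. The script below is an added example (not part of the original article) that applies exactly that policy. It understands both the Apache 2.2 “[client IP]” format shown above and the Apache 2.4 “[client IP:port]” format. The list of probed paths, the thresholds, the function names and the sample log lines (constructed for the demonstration with documentation addresses) are this example's own choices.

```sh
#!/bin/sh
# Added example (not part of the original article): scan an Apache error.log
# for the two kinds of lines shown in 5.1 and 5.2. A line carrying "() {" in
# a header is the Shellshock (CVE-2014-6271) probe the article truncated and
# counts as an exploit attempt; a "File does not exist" / "client denied" line
# for one of the admin or backup paths attackers enumerate counts as a probe.
# An IP is marked BLOCK on any exploit attempt, or on at least min_probes
# distinct probed paths (default 3). Both the Apache 2.2 "[client IP]" and
# 2.4 "[client IP:port]" formats are handled. The path list and the sample
# log written by make_sample_error_log are this example's own, constructed
# for the demo; the real file is /var/log/apache2/error.log.

# apache_probes <error.log> [min_probes]
# Prints "ip verdict exploit=<n> probes=<n>", one line per suspicious client.
apache_probes() {
  awk -v min="${2:-3}" '
    {
      if (match($0, /\[client [^]]+\]/) == 0) next
      ip = substr($0, RSTART + 8, RLENGTH - 9)
      sub(/:[0-9]+$/, "", ip)                 # Apache 2.4 appends :port
      if (index($0, "() {") > 0) {            # Shellshock signature
        exploit[ip]++; seen[ip] = 1; next
      }
      p = $0
      if (sub(/^.*(client denied by server configuration|File does not exist): /, "", p) == 0) next
      sub(/,.*$/, "", p)                      # drop ", referer: ..."
      lp = tolower(p)
      if (lp ~ /\/(admin|administrator|administration|phpmyadmin[^\/]*|pma|mysql|mysqldumper|phppgadmin|wp-admin(\.php)?|wp-login\.php|xmlrpc\.php|cgi-(bin|sys|mod)[^\/]*|ftpmanager|trackback)$/ || lp ~ /\.sql$/) {
        if (!((ip, p) in seenpath)) { seenpath[ip, p] = 1; probes[ip]++ }
        seen[ip] = 1
      }
    }
    END {
      for (ip in seen) {
        verdict = (exploit[ip] > 0 || probes[ip] >= min) ? "BLOCK" : "WATCH"
        printf "%s %s exploit=%d probes=%d\n", ip, verdict, exploit[ip], probes[ip]
      }
    }' "$1" | sort
}

# apache_block_list <error.log> [min_probes]: only the addresses to block.
apache_block_list() {
  apache_probes "$1" "${2:-3}" | awk '$2 == "BLOCK" { print $1 }'
}

# make_sample_error_log <path>: constructed sample data.
make_sample_error_log() {
  cat > "$1" <<'EOF'
[Sun Sep 28 03:12:07 2014] [error] [client 203.0.113.7] client denied by server configuration: /var/www/cgi-sys, referer: () { :;}; echo; /usr/local/bin...
[Sun Sep 28 03:12:08 2014] [error] [client 203.0.113.7] client denied by server configuration: /var/www/, referer: () { :;}; /bin/bash...
[Sun Sep 28 04:01:11 2014] [error] [client 198.51.100.9] File does not exist: /var/www/phpMyAdmin
[Sun Sep 28 04:01:12 2014] [error] [client 198.51.100.9] File does not exist: /var/www/pma
[Sun Sep 28 04:01:13 2014] [error] [client 198.51.100.9] File does not exist: /var/www/pma
[Sun Sep 28 04:01:14 2014] [error] [client 198.51.100.9:44102] File does not exist: /var/www/wp-login.php
[Sun Sep 28 05:20:00 2014] [error] [client 192.0.2.4] File does not exist: /var/www/wp-login.php
[Sun Sep 28 05:20:01 2014] [error] [client 192.0.2.4] File does not exist: /var/www/favicon.ico
EOF
}

# Usage on a real server, after checking the list is not a search-engine bot:
#   apache_block_list /var/log/apache2/error.log 3 | while read -r ip; do
#     iptables -I INPUT -s "$ip" -j DROP
#   done
```

On the sample data, 203.0.113.7 is marked BLOCK for its two Shellshock attempts, 198.51.100.9 is marked BLOCK for probing three distinct admin paths (the repeated /pma request counts once, and the 2.4-style port suffix is ignored), and 192.0.2.4, with one /wp-login.php and an unrelated missing favicon, stays at WATCH. Before feeding the block list to iptables, apply the crawler check described above to each address.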
5.3. DDOS attacks
If a hacker launches a DDOS attack against your server, there are three possible solutions to protect yourself :
– Use a Nginx server as a reverse proxy. In this case, Nginx is accessible from the Internet but your standard server is reachable only by the Nginx server. Thus, it is possible to block or mitigate the effects of a DDOS attack launched against your server. If the DDOS attack is too large, this solution will not suffice.
– Use a hardware router (like a Cisco router) to be able to block the DDOS attack. This is a solution used by web hosts and by companies like Google, Facebook, …
– Mitigate the DDOS attack by redirecting the traffic through separate networks with very high bandwidth that sort the legitimate requests from the malicious ones. The attackers are then blocked, and the real visitors can reach the server again without this transparent redirection. Example of OVH's anti-DDOS protection : What is anti-DDoS protection ?
6. Block an attack on the FTP protocol – ProFTPD
To retrieve the IP addresses of the hackers, just check the “/var/log/proftpd/proftpd.log” file. There are three cases.
Either the hacker tries to find the password of an existing account. In this case, look for the “Incorrect password” pattern.
Code : Bash
grep "Incorrect password" /var/log/proftpd/proftpd.log
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker.
Code : Plain Text
Month Day xx:xx:xx vpsxxxxxx.webhost.com proftpd[8516] your-domain.com (reverse-dns[xx.xx.xx.xx]): USER existing-account (Login failed): Incorrect password.
Or the hacker tries to log in with an account that doesn't exist (guessing user names). In this case, look for the “no such user found” pattern (in lower case, exactly as ProFTPD writes it).
Code : Bash
grep "no such user found" /var/log/proftpd/proftpd.log
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker. yy.yy.yy.yy is the IP address of your server.
Code : Plain Text
Month Day xx:xx:xx vpsxxxxxx.webhost.com proftpd[8426] your-domain.com (reverse-dns[xx.xx.xx.xx]): USER nonexistent-account: no such user found from reverse-dns [xx.xx.xx.xx] to ::ffff:yy.yy.yy.yy
Or the hacker tries to log in as root. In this case, look for the “root login attempted” pattern.
Code : Bash
grep "root login attempted" /var/log/proftpd/proftpd.log
It will display something similar to this :
Note : xx.xx.xx.xx is the IP address of the hacker.
Code : Plain Text
Month Day xx:xx:xx vpsxxxxxx.webhost.com proftpd[8477] your-domain.com (reverse-dns[xx.xx.xx.xx]): SECURITY VIOLATION: root login attempted.
Finally, block the hacker by typing this command :
Code : Bash
iptables -I INPUT -s xx.xx.xx.xx -j DROP
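The three ProFTPD messages above are not equally serious : a root login attempt or a probe for a user that does not exist never comes from a legitimate client, whereas a wrong password on an existing account is something a real customer does every day. The script below is an added example (not part of the original article) that classifies the log per client and applies that distinction, blocking the first two kinds immediately and the third only after a number of attempts. The policy, the threshold, the function names and the sample log lines (constructed for the demonstration in the format shown above, with documentation addresses) are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original article): classify the three
# ProFTPD failure messages shown above per client address and decide what to
# do with each. The policy is this example's own: a "root login attempted"
# security violation or a probe for a user that does not exist is blocked at
# once, while wrong passwords on existing accounts are only blocked after
# max_bad_passwords (default 5) attempts, so a customer fumbling a password
# is not locked out. The sample log is constructed for the demo; the real file
# is /var/log/proftpd/proftpd.log.

# proftpd_offenders <proftpd.log> [max_bad_passwords]
# Prints "ip verdict root=<n> nouser=<n> badpw=<n>", one line per client.
proftpd_offenders() {
  awk -v max="${2:-5}" '
    {
      # The client address sits inside "(reverse-dns[1.2.3.4])" before the colon.
      if (match($0, /\([^)]*\[[0-9.]+\]\)/) == 0) next
      ip = substr($0, RSTART, RLENGTH)
      sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
      if ($0 ~ /root login attempted/)       root[ip]++
      else if ($0 ~ /no such user found/)    nouser[ip]++
      else if ($0 ~ /Incorrect password/)    badpw[ip]++
      else next                               # successful logins etc. are ignored
      seen[ip] = 1
    }
    END {
      for (ip in seen) {
        verdict = (root[ip] > 0 || nouser[ip] > 0 || badpw[ip] >= max) ? "BLOCK" : "WATCH"
        printf "%s %s root=%d nouser=%d badpw=%d\n", ip, verdict, root[ip], nouser[ip], badpw[ip]
      }
    }' "$1" | sort
}

# proftpd_block_list <proftpd.log> [max_bad_passwords]: only the addresses to block.
proftpd_block_list() {
  proftpd_offenders "$1" "${2:-5}" | awk '$2 == "BLOCK" { print $1 }'
}

# make_sample_log <path>: constructed sample data.
make_sample_log() {
  cat > "$1" <<'EOF'
Mar  3 12:00:01 vps123.example.net proftpd[8516] example.com (client-7.example.org[203.0.113.7]): USER alice (Login failed): Incorrect password.
Mar  3 12:00:03 vps123.example.net proftpd[8517] example.com (client-7.example.org[203.0.113.7]): USER alice (Login failed): Incorrect password.
Mar  3 12:00:05 vps123.example.net proftpd[8518] example.com (client-7.example.org[203.0.113.7]): USER alice (Login failed): Incorrect password.
Mar  3 12:05:10 vps123.example.net proftpd[8530] example.com (host-9.example.net[198.51.100.9]): USER bob (Login failed): Incorrect password.
Mar  3 12:05:12 vps123.example.net proftpd[8531] example.com (host-9.example.net[198.51.100.9]): USER bob: Login successful.
Mar  3 12:09:00 vps123.example.net proftpd[8540] example.com (192.0.2.4[192.0.2.4]): SECURITY VIOLATION: root login attempted.
Mar  3 12:09:30 vps123.example.net proftpd[8541] example.com (192.0.2.4[192.0.2.4]): USER admin: no such user found from 192.0.2.4 [192.0.2.4] to ::ffff:198.51.100.2
EOF
}

# Usage on a real server:
#   proftpd_block_list /var/log/proftpd/proftpd.log 5 | while read -r ip; do
#     iptables -I INPUT -s "$ip" -j DROP
#   done
```

On the sample data with a limit of 3 wrong passwords, 192.0.2.4 is blocked for the root attempt and the non-existent user, 203.0.113.7 is blocked for three wrong passwords on “alice”, and 198.51.100.9, who got “bob”'s password wrong once and then logged in, is only watched. With the default limit of 5, 203.0.113.7 drops back to WATCH as well.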
7. Block DDoS attack with No More DDOS
To install “No More DDOS”, refer to our tutorial : Debian / Ubuntu / CentOs – Block DDOS attacks with No More DDOS (formerly : DDoS Deflate)