[SOLVED] Webserver hammered by random external IPs


Postby xjumper84 » 2008-08-28 20:45

I've got apache2 running on my Debian box and every time I open port 8080 (what apache2 is set to listen on) my box gets hammered from over 1000 external IP addresses.

I watch the connections with
tail -f /var/log/apache2/access.log
and
netstat -ta


Here is what I'm getting when I do a netstat:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:nfs                   *:*                     LISTEN
tcp        0      0 *:swat                  *:*                     LISTEN
tcp        0      0 *:34310                 *:*                     LISTEN
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 *:41483                 *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 bitch.local:http-alt    61.149.211.48:4027      SYN_RECV
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:42936                 *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 *:microsoft-ds          *:*                     LISTEN
tcp        0      0 bitch.loca:microsoft-ds titan.local:3878        ESTABLISHED
tcp        0      0 bitch.local:50439       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:50429       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:54362       207.114.197.72:www      TIME_WAIT
tcp        0      0 bitch.local:40993       brwapp10.mpire.com:www  TIME_WAIT
tcp        0      0 bitch.local:33048       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:33047       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:40997       brwapp10.mpire.com:www  TIME_WAIT
tcp        0      0 bitch.local:34875       a.tribalfusion.com:www  TIME_WAIT
tcp        0      0 bitch.local:50474       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.loca:microsoft-ds titan.local:4059        ESTABLISHED
tcp        0      0 bitch.local:38626       ad1.p3.vip.rm.sp1.y:www ESTABLISHED
tcp        0      0 bitch.local:50528       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:46403       media6.snv.vcmedia.:www TIME_WAIT
tcp        0      0 bitch.local:33048       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:33047       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:54380       207.114.197.72:www      TIME_WAIT
tcp        0      0 bitch.local:40997       brwapp10.mpire.com:www  TIME_WAIT
tcp        0      0 bitch.local:50540       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:34875       a.tribalfusion.com:www  TIME_WAIT
tcp     2896      0 bitch.local:60460       ip67-88-217-231.z21:www ESTABLISHED
tcp        0      0 bitch.local:54393       207.114.197.72:www      TIME_WAIT
tcp        0      0 bitch.local:50474       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.loca:microsoft-ds titan.local:4059        ESTABLISHED
tcp        0      0 bitch.local:54348       207.114.197.72:www      TIME_WAIT
tcp        0      0 bitch.local:41780       www.clickboothlnk.c:www TIME_WAIT
tcp        0      0 bitch.local:56484       66.179.234.169:www      TIME_WAIT
tcp        0      0 bitch.local:45742       cf-in-f147.google.c:www TIME_WAIT
tcp        0      0 bitch.local:50523       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:38576       ad1.p3.vip.rm.sp1.y:www TIME_WAIT
tcp        0      0 bitch.local:41817       rd6.apmebf.com:www      TIME_WAIT
tcp        0      0 bitch.local:50464       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:50536       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:38677       ad1.p3.vip.rm.sp1.y:www TIME_WAIT
tcp        0      0 bitch.local:46487       media6.snv.vcmedia.:www TIME_WAIT
tcp        0      0 bitch.local:38490       lax-agg-n14.panther:www TIME_WAIT
tcp        0      0 bitch.local:52755       integraclick.wip.di:www TIME_WAIT
tcp        0      0 bitch.local:50448       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:56372       207.114.197.71:www      TIME_WAIT
tcp        0      0 bitch.local:38490       lax-agg-n14.panther:www TIME_WAIT
tcp        0      0 bitch.local:52755       integraclick.wip.di:www TIME_WAIT
tcp        0      0 bitch.local:50448       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:56372       207.114.197.71:www      TIME_WAIT
tcp        0      0 bitch.local:33105       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:56427       207.114.197.94:www      TIME_WAIT
tcp        0      0 bitch.local:33025       209-250-234-186.ip.:www TIME_WAIT
tcp        0      0 bitch.local:42478       cf-in-f127.google.c:www TIME_WAIT
tcp        0      0 bitch.local:56360       207.114.197.71:www      TIME_WAIT
tcp        0      0 bitch.local:41053       brwapp10.mpire.com:www  TIME_WAIT
tcp        0      0 bitch.local:50591       64.27.17.205:www        TIME_WAIT
tcp        0      0 bitch.local:45434       74-203-60-109.stati:www TIME_WAIT
tcp6       0      0 [::]:http-alt           [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:1678 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:3436 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:3572 FIN_WAIT2
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:3403 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.135%308:2924 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:1582 FIN_WAIT2
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:4059 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 60.215.111.31%308:59084 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 222.90.191.21%3086:4406 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:3644 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 222.90.191.21%3086:2189 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:2900 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 143.109.56.59.bro:63750 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 58.55.82.117%30867:1677 FIN_WAIT2
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.135%308:1226 TIME_WAIT
tcp6       0    584 192.168.1.103%8191:ssh  66-126-189-162.ce:10583 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 125.65.112.138%308:1147 TIME_WAIT
tcp6       0      0 192.168.1.103%:http-alt 158.111.56.59.bro:61815 ESTABLISHED
tcp6       0      0 192.168.1.103%:http-alt 143.109.56.59.bro:63073 TIME_WAIT


When I update my awstats.pl file I always get 20k lines of new records, even when I've only had the server net-side for < 5 minutes.

This is what my log file is full of:

68.188.181.163 - - [28/Aug/2008:13:40:00 -0700] "GET http://adserving.cpxinteractive.com/st?ad_type=pop&ad_size=0x0&section=256058&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1" 200 4225 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
68.188.181.163 - - [28/Aug/2008:13:40:00 -0700] "GET http://adserving.cpxinteractive.com/st?ad_type=pop&ad_size=0x0&section=256058&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1" 200 4224 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
69.20.123.148 - - [28/Aug/2008:13:40:00 -0700] "GET http://ad.adserverplus.com/st?ad_type=pop&ad_size=0x0&section=289946&banned_pop_types=29&pop_times=1&pop_frequency=86400 HTTP/1.1" 200 4225 "http%3A%2F%2Fwww.vafq.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; (R1 1.5))"
70.184.245.196 - - [28/Aug/2008:13:40:00 -0700] "GET http://adserving.cpxinteractive.com/rw?title=New%20offer%21&qs=iframe3%3FoNFKABenBACKpQwA%2DDcEAAIAAAAAAP8AA%3D%2C%2Chttp%3A%2F%2Fwww%2Esecommission%2Ecom%2Findex%2Ehtml HTTP/1.1" 200 560 "http%3A%2F%2Fwww.secommission.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; TencentT"
59.56.109.143 - - [28/Aug/2008:13:40:00 -0700] "GET http://a.tribalfusion.com/jr.ad?site=educationatlas&adSpace=ros&tagKey=3973172069&size=728x90|468x60&p=15944259&a=1&flashVer=0&ver=1.14&center=1&url=http%3A%2F%2Fwww.education-atlas.org%2F&rnd=15952700 HTTP/1.0" 200 1375 "http://www.education-atlas.org/" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
59.56.111.158 - - [28/Aug/2008:13:40:00 -0700] "GET http://ad.yieldmanager.com/iframe3?q8FPALemBADvAA0A-08EAAIAAAAAAP8AAAAFDgIAAgNfDQYAbE0DAKxvBgAAAAAA//www.mobilemastee.com/ HTTP/1.0" 200 1074 "http://optimizedby.rmxads.com/st?ad_type=iframe&ad_size=300x250&section=304823" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
69.20.123.148 - - [28/Aug/2008:13:40:00 -0700] "GET http://ad.yieldmanager.com/imp?Z=0x0&y=29&s=289946&_salt=3871810475&B=2&u=http%3A%2F%2Fwww.vafq.com%2Findex.html HTTP/1.1" 200 6649 "http%3A%2F%2Fwww.vafq.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; (R1 1.5))"
::1 - - [28/Aug/2008:13:40:01 -0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Debian) PHP/5.2.6-3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0 (internal dummy connection)"
68.188.181.163 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.yieldmanager.com/imp?Z=0x0&y=29&s=256058&_salt=1928825373&B=2&u=http%3A%2F%2Fwww.megafast.info%2Findex.html HTTP/1.1" 200 6663 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
69.20.123.148 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.adserverplus.com/rw?title=&qs=iframe3%3Fks9PAJpsBABswwsAIDECAAIAAAAAAP8AAAAFD%3D%2C%2Chttp%3A%2F%2Fwww%2Evafq%2Ecom%2Findex%2Ehtml HTTP/1.1" 200 542 "http%3A%2F%2Fwww.vafq.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; (R1 1.5))"
68.188.181.163 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.yieldmanager.com/imp?Z=0x0&y=29&s=256058&_salt=224375794&B=2&u=http%3A%2F%2Fwww.megafast.info%2Findex.html HTTP/1.1" 200 6681 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
221.2.225.234 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.media-servers.net/st?ad_type=ad&ad_size=120x600&section=267069 HTTP/1.0" 200 4159 "http://www.it2net.com/software/softgrp.htm" "Mozilla/4.76 (Macintosh; U; PPC)"
68.188.181.163 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.yieldmanager.com/imp?Z=0x0&y=29&s=256058&_salt=2233512953&B=2&u=http%3A%2F%2Fwww.megafast.info%2Findex.html HTTP/1.1" 200 6663 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"
::1 - - [28/Aug/2008:13:40:02 -0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Debian) PHP/5.2.6-3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0 (internal dummy connection)"
68.188.181.163 - - [28/Aug/2008:13:40:02 -0700] "GET http://adserving.cpxinteractive.com/rw?title=&qs=iframe3%3FahM7ADroAwAaeA8AYF8EAAIAAAAAAP8AAAAF%2E%2E%2E8fUJek5z8AgNrQpMPhP%2E%2E%2Eb23Ts%2EM%2EAAAAAAAAAAD%2E%2Ez%2EnGUX6PwAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D%2C%2Chttp%3A%2F%2Fwww%2Emegafast%2Einfo%2Findex%2Ehtml HTTP/1.1" 200 547 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.76 [en] (X11; U; SunOS 5.7 sun4u)"
68.188.181.163 - - [28/Aug/2008:13:40:03 -0700] "GET http://adserving.cpxinteractive.com/rw?title=&qs=iframe3%3FahM7ADroAwBPAgwA268DAAIAAAAAAP8AAAAA%3D%2C%2Chttp%3A%2F%2Fwww%2Emegafast%2Einfo%2Findex%2Ehtml HTTP/1.1" 200 547 "http%3A%2F%2Fwww.megafast.info%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)"


I would like to be able to deny access to nearly everything except for a couple of known IP addresses.

I've tried setting up LIMIT directives in .htaccess but that doesn't do it. I've read the links off Google that talk about mod_rewrite and I've added the generic stuff to my .htaccess files, but no go.

So what are my options to limit this? Can I add information to my /etc/hosts.allow and /etc/hosts.deny to only allow certain IPs to access the machine, and would this work? And if so, how would I properly set it up?


Side note: the machine is a dev box that I use for testing when I'm at home, and it sits in my closet. When I am at work I like to use it for other ... "purposes".

Any help is greatly appreciated.
Last edited by xjumper84 on 2008-08-29 17:19, edited 1 time in total.
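Every request in the access.log excerpt above carries a full URL as its target ("GET http://adserving.cpxinteractive.com/... HTTP/1.1"); that is the absolute-form a client sends to a forward proxy, not the "/path" form a browser sends to the site itself, which is why these hits do not look like traffic for the poster's own applications. The following is an added example (not code from this thread) that classifies each log line's request-target form and counts absolute-form requests per remote client, so the pattern can be confirmed and quantified from a log file; the sample lines are constructed in the same combined-log shape as the excerpt, using RFC 5737 test addresses and example.* hostnames.

```python
import re
from collections import Counter

# Apache "combined" log line, the shape of the access.log excerpt in this thread.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify_target(target):
    """Name the HTTP request-target form (RFC 7230 section 5.3)."""
    if target == "*":
        return "asterisk"   # "OPTIONS *", e.g. Apache's own internal dummy connection
    if target.startswith("/"):
        return "origin"     # ordinary request for a resource on this server
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        return "absolute"   # full URL: the client is using this server as a forward proxy
    return "authority"      # host:port, the form sent with CONNECT

def parse_line(line):
    # Returns a dict of the log fields plus 'form', or None for a non-matching line.
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["form"] = classify_target(rec["target"])
    return rec

def proxy_abuse_report(lines):
    """Count absolute-form (proxy-style) requests per remote client; loopback is ignored."""
    per_client, parsed = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if rec["form"] == "absolute" and rec["client"] not in ("::1", "127.0.0.1"):
            per_client[rec["client"]] += 1
    return per_client, parsed

# Constructed sample lines (RFC 5737 test addresses, example.* hosts), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [28/Aug/2008:13:40:00 -0700] "GET http://ads.example.net/st?ad_type=pop HTTP/1.1" 200 4225 "http%3A%2F%2Fwww.example.org%2F" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '192.0.2.10 - - [28/Aug/2008:13:40:01 -0700] "GET http://ads.example.net/imp?Z=0x0&y=29 HTTP/1.1" 200 6663 "http%3A%2F%2Fwww.example.org%2F" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '198.51.100.7 - - [28/Aug/2008:13:40:01 -0700] "GET http://ad.example.com/rw?title= HTTP/1.0" 200 542 "http://www.example.com/" "Mozilla/4.76 (Macintosh; U; PPC)"',
    '::1 - - [28/Aug/2008:13:40:01 -0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.9 (Debian) (internal dummy connection)"',
    '203.0.113.5 - - [28/Aug/2008:13:40:02 -0700] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]
```

Run it over a real file with `proxy_abuse_report(open("/var/log/apache2/access.log"))`; a non-empty per-client count means the server answered proxy-style requests for those clients, while a log made only of origin-form lines is what a web server that is not relaying should show.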

Postby Bulkley » 2008-08-28 22:03

What are you using for a firewall?

Postby xjumper84 » 2008-08-28 22:44

I've got my Linksys router as my network firewall.


Or did I make the "uber n00b" error of not having a firewall on my Debian box?

Postby Bulkley » 2008-08-28 23:00

I'm not the best one to answer that but since you are getting "hammered from over 1000 external IP addresses" I think you need a firewall. We all have our favourites which are all based on iptables.

Postby industrialpunk » 2008-08-28 23:28

The ones that say:
"tcp 0 0 bitch.local:52755 integraclick.wip.di:www TIME_WAIT "

Appear to be connections from your machine to the outside world. Looks like you have a browser open downloading ads.

These ones should be incoming connections:
"tcp6 0 0 192.168.1.103%:http-alt %308:1678 ESTABLISHED"

I picked one of these incoming connections randomly and it is an attack site. So these are probably your average random brute force attempts to hit your webserver.
-Josh Willingham

Postby xjumper84 » 2008-08-28 23:41

industrialpunk ->


The machine is solely SSH accessible.. it's got a power cord and a network cable running to it, so I don't know how I could have a browser running that would be requesting the ads. Almost everything, except for hellanzb, awstats, zussaweb, joomla, phpmyadmin and a MediaWiki install, has been written by myself (as far as web-related software goes), so I'm not sure how this would work.



So then here is my question: what can I do to stop these connections from happening? (I'll need some step-by-step guides.) My bandwidth goes to shit when ports are open.. and it totally sucks..

:heart: /darn.. not a vbull site.. haha

Postby Bulkley » 2008-08-29 02:13

As an experiment, try installing Firestarter.
aptitude install firestarter
Firestarter is easy to set up, so you might be able to quickly see what a firewall can do.

Postby xjumper84 » 2008-08-29 15:15

Firestarter won't work for me because I don't use X on the machine. Everything I do is through a terminal/SSH connection... so I can't run their installation wizard.

Any other options?

Postby izar » 2008-08-29 15:23

I would suggest using shorewall.

Postby xjumper84 » 2008-08-29 17:07

This is so exciting... with this firewall setup... I don't get hammered any more.. very nice!

Thank you guys.. <3

My log now shows what it is supposed to and nothing extra... maybe I should ask the other Debian questions I have here too... (in a new thread of course / after using search to keep repeat questions down).

