Nginx securiy problem
Posted by egerci
|
Nginx securiy problem December 03, 2009 04:22AM | Registered: 9 months ago Posts: 7 |
Hello,
I am using nginx for one year.
Server info :
2 x 8 core - 16GB (one for web server and other for mysql)
OS : linux RH 5
Nginx version : 0.8.x
web application : vbulletin 3.8.4 PL1
I have experienced some security issues in last month. My server was under attack with 300Mbit. I don't know what is type of attack. But when I ask my service provider to add my server behind cisco guard, firewall could handle yhese attacks.
By the way my server located in softlayer. So, they give this firewall only limited time (only 24 hours) adn thenyou have to ask again to add server behind firewall...
At these day, somebody (one of my forum member) add some files to my server as attachment. I saw that this files contain virusus. I think these files botnet clients. I deleted this forum messages and attachment. (I think some of my other members download this files. :( )
But at that time my server is up with the help of cisco firewall.
And I began to receive HACKING / MALICIOUS ACTIVITY complaint mails from diffirent locations and they claim that my IP address is attack their server.
below are some log lines that they sent :
Like this tens of mail sent to me and softlayer abuse department.
And softlayer ask me to stop this activity or stop my server.
And I check my server with know security, system auditing tool and rootkit scanners. Rootkit Hunter, lynsis and chkrootkit.
nothing found.
Also third party management company audit my server and give me a report that my server is clean and make hardening on myserver. But they advise me switch back to apache (because they no experience with nginx)
After that I receive complaint mails again.
So, 3 days ago made a os reload, setup a clean system and I switched back to apache and complaint mails stop for 3 days.
But Apache couldn't handle request. my server load is very high over 100, sometimes over 300..
I lose my google indexes also my members complaint about unreachable site.
I want to switch back to nginx. But Softlayer warn me about if they receive this kind od abuse mails cut my server activities.
Have you ever been experiencing this kinf of situation ? What do you advise me ? (sorry for my english)
Best regards
I am using nginx for one year.
Server info :
2 x 8 core - 16GB (one for web server and other for mysql)
OS : linux RH 5
Nginx version : 0.8.x
web application : vbulletin 3.8.4 PL1
I have experienced some security issues in last month. My server was under attack with 300Mbit. I don't know what is type of attack. But when I ask my service provider to add my server behind cisco guard, firewall could handle yhese attacks.
By the way my server located in softlayer. So, they give this firewall only limited time (only 24 hours) adn thenyou have to ask again to add server behind firewall...
At these day, somebody (one of my forum member) add some files to my server as attachment. I saw that this files contain virusus. I think these files botnet clients. I deleted this forum messages and attachment. (I think some of my other members download this files. :( )
But at that time my server is up with the help of cisco firewall.
And I began to receive HACKING / MALICIOUS ACTIVITY complaint mails from diffirent locations and they claim that my IP address is attack their server.
below are some log lines that they sent :
#Nov 3 02:00:24 2009 .. Nov 3 02:33:14 2009 # Scan from xxx.xxx.xxx.xxx affecting at least # 65 addresses targeting TCP:1024, TCP:3072. # #Nov 3 01:00:50 2009 .. Nov 3 01:59:00 2009 # Scan from xxx.xxx.xxx.xxx affecting at least # 104 addresses targeting TCP:1024, TCP:3072. # #Nov 3 00:23:25 2009 .. Nov 3 00:59:55 2009 # Scan from xxx.xxx.xxx.xxx affecting at least # 100 addresses targeting TCP:1024, TCP:3072. # #Nov 2 23:00:15 2009 .. Nov 2 23:59:58 2009 # Scan from xxx.xxx.xxx.xxx affecting at least # 54 addresses targeting TCP:1024, TCP:3072. UIDL Date Source Destination Port Protocole Nombre ASN Pays 4aefcca000000000 2009-11-02 22:52:03 xxx.xxx.xxx.xxx u-bordeaux.fr 3072 tcp 31 11897 4aefcca000000000 2009-11-02 22:40:53 xxx.xxx.xxx.xxx u-bordeaux.fr 1024 tcp 31 11897 4aef69ee00000000 2009-11-02 22:29:11 xxx.xxx.xxx.xxx lmd.ens.fr 3072 tcp 8 11897 4aefcca000000000 2009-11-02 22:52:03 xxx.xxx.xxx.xxx u-bordeaux.fr 3072 tcp 31 11897 4aefcca000000000 2009-11-02 22:40:53 xxx.xxx.xxx.xxx u-bordeaux.fr 1024 tcp 31 11897 4aef69ee00000000 2009-11-02 22:29:11 xxx.xxx.xxx.xxx lmd.ens.fr 3072 tcp 8 11897 #Nov 20 06:00:59 2009 .. Nov 20 06:59:51 2009 # Scan from xxx.xxx.xxx.xxx affecting at least # 58 addresses targeting TCP:1025, TCP:1057, TCP:1537, TCP:1569, TCP:16897, TCP:16929, TCP:17409, TCP:17441, TCP:17921, TCP:17953, TCP:18433, TCP:18465, TCP:18945, TCP:18977, TCP:19457, TCP:19489, TCP:19969, TCP:2049, TCP:2081, TCP:2561, TCP:2593, TCP:3073, TCP:3105, TCP:33, TCP:513, TCP:545. # #Nov 20 13:47:47 2009 .. Nov 20 13:59:51 2009 # Scan from xxx.xxx.xxx.xxx affecting at least # 149 addresses targeting TCP:1, TCP:1025, TCP:1057, TCP:1537, TCP:1569, TCP:16385, TCP:16417, TCP:16897, TCP:16929, TCP:17409, TCP:17921, TCP:17953, TCP:18433, TCP:18465, TCP:18945, TCP:18977, TCP:19457, TCP:19489, TCP:19969, TCP:20001, TCP:2049, TCP:2081, TCP:2561, TCP:3073, TCP:3105, TCP:33, TCP:3585, TCP:3617, TCP:513, TCP:545. # Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count EventRecord: 20 Nov 2009 11:12:36, 67.34.x.x, 6, 16385, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:12:22, 156.99.x.x, 6, 2561, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:09:26, 64.128.x.x, 6, 3617, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:08:47, 83.170.x.x, 6, 16929, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:07:47, 24.220.x.x, 6, 20001, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:07:40, 173.15.x.x, 6, 19969, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:07:40, 173.15.x.x, 6, 19969, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:06:38, 156.99.x.x, 6, 3585, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:06:12, 194.85.x.x, 6, 20001, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:05:43, 194.85.x.x, 6, 16417, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:05:36, 156.99.x.x, 6, 3617, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:05:20, 64.128.x.x, 6, 19969, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:03:37, 84.12.x.x, 6, 3105, Research Pending , 80, 1 EventRecord: 20 Nov 2009 11:02:34, 84.12.x.x, 6, 16897, Research Pending , 80, 1 33:42.1 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.68, 1537, sbg.fmew.com - 47:31.9 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.71, 2561, mac.fmew.com - 49:40.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.5, 1, fmewservices.fmew.com - 51:56.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.27, 2593 - 53:23.7 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.37, 18433, jma.fmew.com - 54:37.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.42, 17953, mjt.fmew.com - 55:41.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.46, 16385, emp.fmew.com - 56:51.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.86, 16417 - 57:59.0 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.94, 18977 - 59:21.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.21, 1057 - 03:50.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.104, 2049 - 04:56.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.36, 1057 - 06:13.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.79, 16897 - 07:19.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.33, 1025 - 10:27.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.116, 3585 - 11:34.2 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.126, 17953 - 12:34.7 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.16, 16929 - 13:50.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.99, 19457 - 14:57.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.110, 545 - 16:15.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.13, 20001 - 17:17.1 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.27, 18465 - 20:41.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.77, 17409 - 21:52.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.81, 17953 - 24:24.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.92, 17441 - 29:41.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.44, 20001 - The following is a list of types of activity that may appear in this report: BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE DAMEWARE DEFACEMENT DIPNET DNSBOTS MALWAREURL MYDOOM NACHI PHATBOT PHISHING ROUTERS SCAN445 SCANNERS SINIT SLAMMER SPAM SPYBOT TOXBOT etc. ....
Like this tens of mail sent to me and softlayer abuse department.
And softlayer ask me to stop this activity or stop my server.
And I check my server with know security, system auditing tool and rootkit scanners. Rootkit Hunter, lynsis and chkrootkit.
nothing found.
Also third party management company audit my server and give me a report that my server is clean and make hardening on myserver. But they advise me switch back to apache (because they no experience with nginx)
After that I receive complaint mails again.
So, 3 days ago made a os reload, setup a clean system and I switched back to apache and complaint mails stop for 3 days.
But Apache couldn't handle request. my server load is very high over 100, sometimes over 300..
I lose my google indexes also my members complaint about unreachable site.
I want to switch back to nginx. But Softlayer warn me about if they receive this kind od abuse mails cut my server activities.
Have you ever been experiencing this kinf of situation ? What do you advise me ? (sorry for my english)
Best regards
Sergej Kandyla
Re: Nginx securiy problem December 03, 2009 05:46AM |
egerci пишет:
> So, 3 days ago made a os reload, setup a clean system and I switched back to apache and complaint mails stop for 3 days.
>
> But Apache couldn't handle request. my server load is very high over 100, sometimes over 300..
> I lose my google indexes also my members complaint about unreachable site.
>
> I want to switch back to nginx. But Softlayer warn me about if they receive this kind od abuse mails cut my server activities.
>
> Have you ever been experiencing this kinf of situation ? What do you advise me ? (sorry for my english)
>
It's not the nginx's problem.
Do you have php security settings
like disable_functions, allow_url_fopen, open_basedir ?
Do you have the firewall on your server?
Do you use selinux ?
Also nginx + apache + mod_php + mod_security is enough good schema.
Nginx is just fast and simple web server, created with security in mind.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
> So, 3 days ago made a os reload, setup a clean system and I switched back to apache and complaint mails stop for 3 days.
>
> But Apache couldn't handle request. my server load is very high over 100, sometimes over 300..
> I lose my google indexes also my members complaint about unreachable site.
>
> I want to switch back to nginx. But Softlayer warn me about if they receive this kind od abuse mails cut my server activities.
>
> Have you ever been experiencing this kinf of situation ? What do you advise me ? (sorry for my english)
>
It's not the nginx's problem.
Do you have php security settings
like disable_functions, allow_url_fopen, open_basedir ?
Do you have the firewall on your server?
Do you use selinux ?
Also nginx + apache + mod_php + mod_security is enough good schema.
Nginx is just fast and simple web server, created with security in mind.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
|
Re: Nginx securiy problem December 03, 2009 07:41AM | Registered: 9 months ago Posts: 7 |
Sergej Kandyla Wrote:
-------------------------------------------------------
>
> It's not the nginx's problem.
> Do you have php security settings
> like disable_functions, allow_url_fopen,
> open_basedir ?
> Do you have the firewall on your server?
> Do you use selinux ?
> Also nginx + apache + mod_php + mod_security is
> enough good schema.
>
> Nginx is just fast and simple web server, created
> with security in mind.
A server management company hardening php and system files.
Yes as I told before my server was behind cisco guard firewall and I use CSF firewall
No I use redhat linux 5
I disabled apache completely and for php I use php-fpm
-------------------------------------------------------
>
> It's not the nginx's problem.
> Do you have php security settings
> like disable_functions, allow_url_fopen,
> open_basedir ?
> Do you have the firewall on your server?
> Do you use selinux ?
> Also nginx + apache + mod_php + mod_security is
> enough good schema.
>
> Nginx is just fast and simple web server, created
> with security in mind.
A server management company hardening php and system files.
Yes as I told before my server was behind cisco guard firewall and I use CSF firewall
No I use redhat linux 5
I disabled apache completely and for php I use php-fpm
Piotr Sikora
Re: Nginx securiy problem December 03, 2009 09:08AM |
> A server management company hardening php and system files.
_After_ your server was already compromised.
Like Sergej said, this isn't really nginx's issue.
Best regards,
Piotr Sikora < piotr.sikora@frickle.com >
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
_After_ your server was already compromised.
Like Sergej said, this isn't really nginx's issue.
Best regards,
Piotr Sikora < piotr.sikora@frickle.com >
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
|
Re: Nginx securiy problem December 03, 2009 12:31PM | Registered: 9 months ago Posts: 7 |
|
Re: Nginx securiy problem December 03, 2009 01:02PM | Registered: 1 year ago Posts: 183 |
On Thu, 2009-12-03 at 12:31 -0500, egerci wrote:
> yes
> Because of this I switched back to apache.
> Now I am unhappy with apache because it can't handle requests.
So you now have the same security issues *and* poor performance. Is it
your hope to get hacked slower?
Cliff
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
> yes
> Because of this I switched back to apache.
> Now I am unhappy with apache because it can't handle requests.
So you now have the same security issues *and* poor performance. Is it
your hope to get hacked slower?
Cliff
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
|
Re: Nginx securiy problem December 03, 2009 01:22PM | Registered: 9 months ago Posts: 7 |
|
Re: Nginx securiy problem December 03, 2009 02:04PM | Registered: 1 year ago Posts: 183 |
On Thu, 2009-12-03 at 13:22 -0500, egerci wrote:
> :))))
> No , after switched back to apache I don't receive any complaint
Actually my belief is after you *reinstalled the server* you didn't
receive any complaints. That is, you removed whatever malware was
installed, but because you also switched to Apache at the same time, you
conflated the two variables. Reinstallation of the OS is almost
certainly what fixed your issue, not Apache.
Most likely your security concerns lie within whatever web application
you are serving.
Regards,
Cliff
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
> :))))
> No , after switched back to apache I don't receive any complaint
Actually my belief is after you *reinstalled the server* you didn't
receive any complaints. That is, you removed whatever malware was
installed, but because you also switched to Apache at the same time, you
conflated the two variables. Reinstallation of the OS is almost
certainly what fixed your issue, not Apache.
Most likely your security concerns lie within whatever web application
you are serving.
Regards,
Cliff
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
|
Re: Nginx securiy problem December 03, 2009 02:06PM | Registered: 1 year ago Posts: 19 |
|
Re: Nginx securiy problem December 03, 2009 02:55PM | Registered: 9 months ago Posts: 7 |
|
Re: Nginx securiy problem December 03, 2009 03:42PM | Registered: 1 year ago Posts: 737 |
Using apache for anything if you don't need to if nginx will do it for
you is a waste of resources and complicates your setup.
I only use apache for mod_dav_svn, and cgi. Of which I am trying to
minimize that impact by getting mailman ported to php :)
Sent from my iPhone
On Dec 3, 2009, at 11:55 AM, "egerci" <nginx-forum@nginx.us> wrote:
> I use vbulletin.
> You are right, may be one of the addon of vbulletin has a security
> hole etc.
>
> Now, I have installed nginx again and I use apache for dynamic
> pages. and wait a lot..
>
> Thanks very much your responses.
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,27636,27808#msg-27808
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
you is a waste of resources and complicates your setup.
I only use apache for mod_dav_svn, and cgi. Of which I am trying to
minimize that impact by getting mailman ported to php :)
Sent from my iPhone
On Dec 3, 2009, at 11:55 AM, "egerci" <nginx-forum@nginx.us> wrote:
> I use vbulletin.
> You are right, may be one of the addon of vbulletin has a security
> hole etc.
>
> Now, I have installed nginx again and I use apache for dynamic
> pages. and wait a lot..
>
> Thanks very much your responses.
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,27636,27808#msg-27808
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Igor Sysoev
Re: Nginx securiy problem December 03, 2009 04:16PM |
On Thu, Dec 03, 2009 at 12:37:17PM -0800, Michael Shadle wrote:
> Using apache for anything if you don't need to if nginx will do it for
> you is a waste of resources and complicates your setup.
>
> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
> minimize that impact by getting mailman ported to php :)
CGI at http://nginx.org/mailman/ is run by mini_httpd.
--
Igor Sysoev
http://sysoev.ru/en/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
> Using apache for anything if you don't need to if nginx will do it for
> you is a waste of resources and complicates your setup.
>
> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
> minimize that impact by getting mailman ported to php :)
CGI at http://nginx.org/mailman/ is run by mini_httpd.
--
Igor Sysoev
http://sysoev.ru/en/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
|
Re: Nginx securiy problem December 03, 2009 05:06PM | Registered: 1 year ago Posts: 737 |
Yah. I tried thttpd but it crashed on me randomly. Apache is stable.
Works good enough. And the machines I use it on have more than enough
resources.
It'd be nice if nginx could do cgi :p I have to support mailman and
bugzilla. Both seem archaic. One reason I am actually starting a php
mailman replacement since there are literally only 3-4 mail list
managers out there. None are simple to use or configure either. If
anyone wants to help contribute to this effort... Email me off list.
I'm hiring a coder to do it for me. Then I will open source it like
wordpress and such.
Sent from my iPhone
On Dec 3, 2009, at 1:11 PM, Igor Sysoev <igor@sysoev.ru> wrote:
> On Thu, Dec 03, 2009 at 12:37:17PM -0800, Michael Shadle wrote:
>
>> Using apache for anything if you don't need to if nginx will do it
>> for
>> you is a waste of resources and complicates your setup.
>>
>> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
>> minimize that impact by getting mailman ported to php :)
>
> CGI at http://nginx.org/mailman/ is run by mini_httpd.
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Works good enough. And the machines I use it on have more than enough
resources.
It'd be nice if nginx could do cgi :p I have to support mailman and
bugzilla. Both seem archaic. One reason I am actually starting a php
mailman replacement since there are literally only 3-4 mail list
managers out there. None are simple to use or configure either. If
anyone wants to help contribute to this effort... Email me off list.
I'm hiring a coder to do it for me. Then I will open source it like
wordpress and such.
Sent from my iPhone
On Dec 3, 2009, at 1:11 PM, Igor Sysoev <igor@sysoev.ru> wrote:
> On Thu, Dec 03, 2009 at 12:37:17PM -0800, Michael Shadle wrote:
>
>> Using apache for anything if you don't need to if nginx will do it
>> for
>> you is a waste of resources and complicates your setup.
>>
>> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
>> minimize that impact by getting mailman ported to php :)
>
> CGI at http://nginx.org/mailman/ is run by mini_httpd.
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Steve
Re: Nginx securiy problem December 03, 2009 06:08PM |
-------- Original-Nachricht --------
> Datum: Thu, 3 Dec 2009 12:37:17 -0800
> Von: Michael Shadle <mike503@gmail.com>
> An: "nginx@nginx.org" <nginx@nginx.org>
> CC: "nginx@sysoev.ru" <nginx@sysoev.ru>
> Betreff: Re: Nginx securiy problem
> Using apache for anything if you don't need to if nginx will do it for
> you is a waste of resources and complicates your setup.
>
> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
> minimize that impact by getting mailman ported to php :)
>
What? Because of mailman you run Apache? Well... I do run mailman 2.1.12 here on top of nginx 0.8.29 without any issues. No Apache involved in any way. I don't see any reason to use Apache for mailman.
> Sent from my iPhone
>
> On Dec 3, 2009, at 11:55 AM, "egerci" <nginx-forum@nginx.us> wrote:
>
> > I use vbulletin.
> > You are right, may be one of the addon of vbulletin has a security
> > hole etc.
> >
> > Now, I have installed nginx again and I use apache for dynamic
> > pages. and wait a lot..
> >
> > Thanks very much your responses.
> >
> > Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,27636,27808#msg-27808
> >
> >
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > http://nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
--
Sarah Kreuz, die DSDS-Siegerin der Herzen, mit ihrem eindrucksvollen
Debütalbum "One Moment in Time". http://portal.gmx.net/de/go/musik
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
> Datum: Thu, 3 Dec 2009 12:37:17 -0800
> Von: Michael Shadle <mike503@gmail.com>
> An: "nginx@nginx.org" <nginx@nginx.org>
> CC: "nginx@sysoev.ru" <nginx@sysoev.ru>
> Betreff: Re: Nginx securiy problem
> Using apache for anything if you don't need to if nginx will do it for
> you is a waste of resources and complicates your setup.
>
> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
> minimize that impact by getting mailman ported to php :)
>
What? Because of mailman you run Apache? Well... I do run mailman 2.1.12 here on top of nginx 0.8.29 without any issues. No Apache involved in any way. I don't see any reason to use Apache for mailman.
> Sent from my iPhone
>
> On Dec 3, 2009, at 11:55 AM, "egerci" <nginx-forum@nginx.us> wrote:
>
> > I use vbulletin.
> > You are right, may be one of the addon of vbulletin has a security
> > hole etc.
> >
> > Now, I have installed nginx again and I use apache for dynamic
> > pages. and wait a lot..
> >
> > Thanks very much your responses.
> >
> > Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,27636,27808#msg-27808
> >
> >
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > http://nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
--
Sarah Kreuz, die DSDS-Siegerin der Herzen, mit ihrem eindrucksvollen
Debütalbum "One Moment in Time". http://portal.gmx.net/de/go/musik
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Steve
Re: Nginx securiy problem December 03, 2009 07:14PM |
-------- Original-Nachricht --------
> Datum: Thu, 3 Dec 2009 04:22:22 -0500
> Von: "egerci" <nginx-forum@nginx.us>
> An: nginx@sysoev.ru
> Betreff: Nginx securiy problem
> Hello,
>
> I am using nginx for one year.
>
> Server info :
> 2 x 8 core - 16GB (one for web server and other for mysql)
> OS : linux RH 5
> Nginx version : 0.8.x
> web application : vbulletin 3.8.4 PL1
>
> I have experienced some security issues in last month. My server was under
> attack with 300Mbit. I don't know what is type of attack. But when I ask
> my service provider to add my server behind cisco guard, firewall could
> handle yhese attacks.
>
> By the way my server located in softlayer. So, they give this firewall
> only limited time (only 24 hours) adn thenyou have to ask again to add server
> behind firewall...
>
> At these day, somebody (one of my forum member) add some files to my
> server as attachment. I saw that this files contain virusus. I think these
> files botnet clients. I deleted this forum messages and attachment. (I think
> some of my other members download this files. :( )
>
> But at that time my server is up with the help of cisco firewall.
> And I began to receive HACKING / MALICIOUS ACTIVITY complaint mails from
> diffirent locations and they claim that my IP address is attack their
> server.
>
> below are some log lines that they sent :
>
>
> #Nov 3 02:00:24 2009 .. Nov 3 02:33:14 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 65 addresses targeting TCP:1024, TCP:3072.
> #
>
> #Nov 3 01:00:50 2009 .. Nov 3 01:59:00 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 104 addresses targeting TCP:1024, TCP:3072.
> #
>
> #Nov 3 00:23:25 2009 .. Nov 3 00:59:55 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 100 addresses targeting TCP:1024, TCP:3072.
> #
>
>
> #Nov 2 23:00:15 2009 .. Nov 2 23:59:58 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 54 addresses targeting TCP:1024, TCP:3072.
>
>
> UIDL Date Source Destination Port Protocole Nombre ASN Pays
> 4aefcca000000000 2009-11-02 22:52:03 xxx.xxx.xxx.xxx u-bordeaux.fr 3072
> tcp 31 11897
> 4aefcca000000000 2009-11-02 22:40:53 xxx.xxx.xxx.xxx u-bordeaux.fr 1024
> tcp 31 11897
> 4aef69ee00000000 2009-11-02 22:29:11 xxx.xxx.xxx.xxx lmd.ens.fr 3072 tcp 8
> 11897
> 4aefcca000000000 2009-11-02 22:52:03 xxx.xxx.xxx.xxx u-bordeaux.fr 3072
> tcp 31 11897
> 4aefcca000000000 2009-11-02 22:40:53 xxx.xxx.xxx.xxx u-bordeaux.fr 1024
> tcp 31 11897
> 4aef69ee00000000 2009-11-02 22:29:11 xxx.xxx.xxx.xxx lmd.ens.fr 3072 tcp 8
> 11897
>
> #Nov 20 06:00:59 2009 .. Nov 20 06:59:51 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 58 addresses targeting TCP:1025, TCP:1057, TCP:1537, TCP:1569,
> TCP:16897, TCP:16929, TCP:17409, TCP:17441, TCP:17921, TCP:17953, TCP:18433,
> TCP:18465, TCP:18945, TCP:18977, TCP:19457, TCP:19489, TCP:19969, TCP:2049,
> TCP:2081, TCP:2561, TCP:2593, TCP:3073, TCP:3105, TCP:33, TCP:513, TCP:545.
> #
>
> #Nov 20 13:47:47 2009 .. Nov 20 13:59:51 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 149 addresses targeting TCP:1, TCP:1025, TCP:1057, TCP:1537, TCP:1569,
> TCP:16385, TCP:16417, TCP:16897, TCP:16929, TCP:17409, TCP:17921, TCP:17953,
> TCP:18433, TCP:18465, TCP:18945, TCP:18977, TCP:19457, TCP:19489,
> TCP:19969, TCP:20001, TCP:2049, TCP:2081, TCP:2561, TCP:3073, TCP:3105, TCP:33,
> TCP:3585, TCP:3617, TCP:513, TCP:545.
> #
>
> Event Date Time, Destination IP, IP Protocol, Target Port, Issue
> Description, Source Port, Event Count
> EventRecord: 20 Nov 2009 11:12:36, 67.34.x.x, 6, 16385, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:12:22, 156.99.x.x, 6, 2561, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:09:26, 64.128.x.x, 6, 3617, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:08:47, 83.170.x.x, 6, 16929, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:07:47, 24.220.x.x, 6, 20001, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:07:40, 173.15.x.x, 6, 19969, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:07:40, 173.15.x.x, 6, 19969, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:06:38, 156.99.x.x, 6, 3585, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:06:12, 194.85.x.x, 6, 20001, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:05:43, 194.85.x.x, 6, 16417, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:05:36, 156.99.x.x, 6, 3617, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:05:20, 64.128.x.x, 6, 19969, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:03:37, 84.12.x.x, 6, 3105, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:02:34, 84.12.x.x, 6, 16897, Research Pending ,
> 80, 1
>
>
> 33:42.1 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.68,
> 1537, sbg.fmew.com -
> 47:31.9 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.71,
> 2561, mac.fmew.com -
> 49:40.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.5, 1,
> fmewservices.fmew.com -
> 51:56.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.27,
> 2593 -
> 53:23.7 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.37,
> 18433, jma.fmew.com -
> 54:37.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.42,
> 17953, mjt.fmew.com -
> 55:41.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.46,
> 16385, emp.fmew.com -
> 56:51.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.86,
> 16417 -
> 57:59.0 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.94,
> 18977 -
> 59:21.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.21,
> 1057 -
> 03:50.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.104,
> 2049 -
> 04:56.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.36,
> 1057 -
> 06:13.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.79,
> 16897 -
> 07:19.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.33,
> 1025 -
> 10:27.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.116,
> 3585 -
> 11:34.2 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.126,
> 17953 -
> 12:34.7 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.16,
> 16929 -
> 13:50.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.99,
> 19457 -
> 14:57.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.110,
> 545 -
> 16:15.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.13,
> 20001 -
> 17:17.1 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.27,
> 18465 -
> 20:41.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.77,
> 17409 -
> 21:52.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.81,
> 17953 -
> 24:24.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.92,
> 17441 -
> 29:41.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.44,
> 20001 -
>
>
> The following is a list of types of activity that may appear in this
> report:
> BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE
> DAMEWARE DEFACEMENT DIPNET DNSBOTS MALWAREURL MYDOOM
> NACHI PHATBOT PHISHING ROUTERS SCAN445 SCANNERS
> SINIT SLAMMER SPAM SPYBOT TOXBOT
>
> etc. ....
>
>
> Like this tens of mail sent to me and softlayer abuse department.
>
> And softlayer ask me to stop this activity or stop my server.
> And I check my server with know security, system auditing tool and rootkit
> scanners. Rootkit Hunter, lynsis and chkrootkit.
>
> nothing found.
>
> Also third party management company audit my server and give me a report
> that my server is clean and make hardening on myserver. But they advise me
> switch back to apache (because they no experience with nginx)
>
> After that I receive complaint mails again.
>
> So, 3 days ago made a os reload, setup a clean system and I switched back
> to apache and complaint mails stop for 3 days.
>
> But Apache couldn't handle request. my server load is very high over 100,
> sometimes over 300..
> I lose my google indexes also my members complaint about unreachable site.
>
> I want to switch back to nginx. But Softlayer warn me about if they
> receive this kind od abuse mails cut my server activities.
>
> Have you ever been experiencing this kinf of situation ? What do you
> advise me ? (sorry for my english)
>
Fix your application (vbulletin). If you can't do that then go back to your Apache setup and use something like mod_security (http://www.modsecurity.org/) with it or any other WAF. Harden your PHP since it seems that all your attacks where introduced by something tunneled over vbulletin (which is PHP) into your system and then executed/triggered from/by within PHP. I would say that one of your users has uploaded some kind of scanning toolkit on your server and then misusing your server to scan other systems. Don't allow the user that is running PHP to execute tools that a normal PHP setup does not need. Nail down your file system (for example: mount your temporary directories with "noexec" and do the same for your upload directory, etc). Use something like SELinux / RBAC / grsecurity / etc to prevent your PHP interpreter to go wild. Add an IDS / NIDS / PIDS / etc and act as soon as possible if something strange is going on. Use something like Fail2Ban to parse logs and act on significant issues. Use something like PSAD to prevent idiots scanning your system. Use a firewall / IPtables / etc to prevent your system making strange connections to the outside world. If you are not familiar with IPtables then use something like Shorewall and install it on your system and don't just check inbound but do check outbound as well. Close every not needed port or application on your system. Double secure your logins from external (don't allow root to log into ssh, use AllowGroups/AllowUsers to limit who can log in, use unprivileged user to log into ssh and su to root, etc). If you are still staying on Apache then use something like mod_evasive to prevent one single system from outside to bring your Apache down. If you are still staying on Apache then use something recent that is not such a big security issue as the older Apache versions (look up the therm "Slowloris" if you need a good example what I mean). etc, etc, etc... Just do the normal things every good sysadmin/hoster would do. I am pretty sure that nginx is not your problem. But I understand if you say that with Apache you don't have those issues. It's normal human behavior to think in pictures (I have problems with my page. Hmmm.... I use nginx. Hmmm. Format system, install fresh OS, install Apache. Hmm... No problem so far. Okay! I got it! It's nginx.) instead of taking the time to understand what the problem is and THINK on the problem and solution. But hey! It's your install. If you think that it is nginx then it MUST be nginx. I would not be surprised if in some days you would come back here and tell us the same story has happened with Apache as HTTPD.
Oh! And one last advice: Do not trust anybody! If a security company is telling you that YOUR system is secure then fine and dandy but it's you that need to guarantee and understand the security of your system. Not any one else. You need to UNDERSTAND what is going on with your system and YOU need to KNOW that and why your system is secure. Some one telling you that is secure is not going to take away that responsibility from you. A drug dealer will always ensure that what you buy from him is 100% risk free and and and... but it's you that is going to consume that stuff and it's you that is risking to die. Not him. So don't just blindly trust. Turn on the gears in your head and THINK and ACT but don't just follow blindly. You are not a sheep!
> Best regards
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,27636,27636#msg-27636
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
--
Sarah Kreuz, die DSDS-Siegerin der Herzen, mit ihrem eindrucksvollen
Debütalbum "One Moment in Time". http://portal.gmx.net/de/go/musik
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
> Datum: Thu, 3 Dec 2009 04:22:22 -0500
> Von: "egerci" <nginx-forum@nginx.us>
> An: nginx@sysoev.ru
> Betreff: Nginx securiy problem
> Hello,
>
> I am using nginx for one year.
>
> Server info :
> 2 x 8 core - 16GB (one for web server and other for mysql)
> OS : linux RH 5
> Nginx version : 0.8.x
> web application : vbulletin 3.8.4 PL1
>
> I have experienced some security issues in last month. My server was under
> attack with 300Mbit. I don't know what is type of attack. But when I ask
> my service provider to add my server behind cisco guard, firewall could
> handle yhese attacks.
>
> By the way my server located in softlayer. So, they give this firewall
> only limited time (only 24 hours) adn thenyou have to ask again to add server
> behind firewall...
>
> At these day, somebody (one of my forum member) add some files to my
> server as attachment. I saw that this files contain virusus. I think these
> files botnet clients. I deleted this forum messages and attachment. (I think
> some of my other members download this files. :( )
>
> But at that time my server is up with the help of cisco firewall.
> And I began to receive HACKING / MALICIOUS ACTIVITY complaint mails from
> diffirent locations and they claim that my IP address is attack their
> server.
>
> below are some log lines that they sent :
>
>
> #Nov 3 02:00:24 2009 .. Nov 3 02:33:14 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 65 addresses targeting TCP:1024, TCP:3072.
> #
>
> #Nov 3 01:00:50 2009 .. Nov 3 01:59:00 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 104 addresses targeting TCP:1024, TCP:3072.
> #
>
> #Nov 3 00:23:25 2009 .. Nov 3 00:59:55 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 100 addresses targeting TCP:1024, TCP:3072.
> #
>
>
> #Nov 2 23:00:15 2009 .. Nov 2 23:59:58 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 54 addresses targeting TCP:1024, TCP:3072.
>
>
> UIDL Date Source Destination Port Protocole Nombre ASN Pays
> 4aefcca000000000 2009-11-02 22:52:03 xxx.xxx.xxx.xxx u-bordeaux.fr 3072
> tcp 31 11897
> 4aefcca000000000 2009-11-02 22:40:53 xxx.xxx.xxx.xxx u-bordeaux.fr 1024
> tcp 31 11897
> 4aef69ee00000000 2009-11-02 22:29:11 xxx.xxx.xxx.xxx lmd.ens.fr 3072 tcp 8
> 11897
> 4aefcca000000000 2009-11-02 22:52:03 xxx.xxx.xxx.xxx u-bordeaux.fr 3072
> tcp 31 11897
> 4aefcca000000000 2009-11-02 22:40:53 xxx.xxx.xxx.xxx u-bordeaux.fr 1024
> tcp 31 11897
> 4aef69ee00000000 2009-11-02 22:29:11 xxx.xxx.xxx.xxx lmd.ens.fr 3072 tcp 8
> 11897
>
> #Nov 20 06:00:59 2009 .. Nov 20 06:59:51 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 58 addresses targeting TCP:1025, TCP:1057, TCP:1537, TCP:1569,
> TCP:16897, TCP:16929, TCP:17409, TCP:17441, TCP:17921, TCP:17953, TCP:18433,
> TCP:18465, TCP:18945, TCP:18977, TCP:19457, TCP:19489, TCP:19969, TCP:2049,
> TCP:2081, TCP:2561, TCP:2593, TCP:3073, TCP:3105, TCP:33, TCP:513, TCP:545.
> #
>
> #Nov 20 13:47:47 2009 .. Nov 20 13:59:51 2009
> # Scan from xxx.xxx.xxx.xxx affecting at least
> # 149 addresses targeting TCP:1, TCP:1025, TCP:1057, TCP:1537, TCP:1569,
> TCP:16385, TCP:16417, TCP:16897, TCP:16929, TCP:17409, TCP:17921, TCP:17953,
> TCP:18433, TCP:18465, TCP:18945, TCP:18977, TCP:19457, TCP:19489,
> TCP:19969, TCP:20001, TCP:2049, TCP:2081, TCP:2561, TCP:3073, TCP:3105, TCP:33,
> TCP:3585, TCP:3617, TCP:513, TCP:545.
> #
>
> Event Date Time, Destination IP, IP Protocol, Target Port, Issue
> Description, Source Port, Event Count
> EventRecord: 20 Nov 2009 11:12:36, 67.34.x.x, 6, 16385, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:12:22, 156.99.x.x, 6, 2561, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:09:26, 64.128.x.x, 6, 3617, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:08:47, 83.170.x.x, 6, 16929, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:07:47, 24.220.x.x, 6, 20001, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:07:40, 173.15.x.x, 6, 19969, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:07:40, 173.15.x.x, 6, 19969, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:06:38, 156.99.x.x, 6, 3585, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:06:12, 194.85.x.x, 6, 20001, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:05:43, 194.85.x.x, 6, 16417, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:05:36, 156.99.x.x, 6, 3617, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:05:20, 64.128.x.x, 6, 19969, Research Pending
> , 80, 1
> EventRecord: 20 Nov 2009 11:03:37, 84.12.x.x, 6, 3105, Research Pending ,
> 80, 1
> EventRecord: 20 Nov 2009 11:02:34, 84.12.x.x, 6, 16897, Research Pending ,
> 80, 1
>
>
> 33:42.1 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.68,
> 1537, sbg.fmew.com -
> 47:31.9 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.71,
> 2561, mac.fmew.com -
> 49:40.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.5, 1,
> fmewservices.fmew.com -
> 51:56.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.27,
> 2593 -
> 53:23.7 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.37,
> 18433, jma.fmew.com -
> 54:37.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.42,
> 17953, mjt.fmew.com -
> 55:41.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.46,
> 16385, emp.fmew.com -
> 56:51.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.86,
> 16417 -
> 57:59.0 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.94,
> 18977 -
> 59:21.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.21,
> 1057 -
> 03:50.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.104,
> 2049 -
> 04:56.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.36,
> 1057 -
> 06:13.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.79,
> 16897 -
> 07:19.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.33,
> 1025 -
> 10:27.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.116,
> 3585 -
> 11:34.2 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.126,
> 17953 -
> 12:34.7 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.16,
> 16929 -
> 13:50.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.99,
> 19457 -
> 14:57.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.110,
> 545 -
> 16:15.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.13,
> 20001 -
> 17:17.1 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.27,
> 18465 -
> 20:41.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.77,
> 17409 -
> 21:52.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.81,
> 17953 -
> 24:24.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.92,
> 17441 -
> 29:41.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.44,
> 20001 -
>
>
> The following is a list of types of activity that may appear in this
> report:
> BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE
> DAMEWARE DEFACEMENT DIPNET DNSBOTS MALWAREURL MYDOOM
> NACHI PHATBOT PHISHING ROUTERS SCAN445 SCANNERS
> SINIT SLAMMER SPAM SPYBOT TOXBOT
>
> etc. ....
>
>
> Like this tens of mail sent to me and softlayer abuse department.
>
> And softlayer ask me to stop this activity or stop my server.
> And I check my server with know security, system auditing tool and rootkit
> scanners. Rootkit Hunter, lynsis and chkrootkit.
>
> nothing found.
>
> Also third party management company audit my server and give me a report
> that my server is clean and make hardening on myserver. But they advise me
> switch back to apache (because they no experience with nginx)
>
> After that I receive complaint mails again.
>
> So, 3 days ago made a os reload, setup a clean system and I switched back
> to apache and complaint mails stop for 3 days.
>
> But Apache couldn't handle request. my server load is very high over 100,
> sometimes over 300..
> I lose my google indexes also my members complaint about unreachable site.
>
> I want to switch back to nginx. But Softlayer warn me about if they
> receive this kind od abuse mails cut my server activities.
>
> Have you ever been experiencing this kinf of situation ? What do you
> advise me ? (sorry for my english)
>
Fix your application (vbulletin). If you can't do that then go back to your Apache setup and use something like mod_security (http://www.modsecurity.org/) with it or any other WAF. Harden your PHP since it seems that all your attacks where introduced by something tunneled over vbulletin (which is PHP) into your system and then executed/triggered from/by within PHP. I would say that one of your users has uploaded some kind of scanning toolkit on your server and then misusing your server to scan other systems. Don't allow the user that is running PHP to execute tools that a normal PHP setup does not need. Nail down your file system (for example: mount your temporary directories with "noexec" and do the same for your upload directory, etc). Use something like SELinux / RBAC / grsecurity / etc to prevent your PHP interpreter to go wild. Add an IDS / NIDS / PIDS / etc and act as soon as possible if something strange is going on. Use something like Fail2Ban to parse logs and act on significant issues. Use something like PSAD to prevent idiots scanning your system. Use a firewall / IPtables / etc to prevent your system making strange connections to the outside world. If you are not familiar with IPtables then use something like Shorewall and install it on your system and don't just check inbound but do check outbound as well. Close every not needed port or application on your system. Double secure your logins from external (don't allow root to log into ssh, use AllowGroups/AllowUsers to limit who can log in, use unprivileged user to log into ssh and su to root, etc). If you are still staying on Apache then use something like mod_evasive to prevent one single system from outside to bring your Apache down. If you are still staying on Apache then use something recent that is not such a big security issue as the older Apache versions (look up the therm "Slowloris" if you need a good example what I mean). etc, etc, etc... Just do the normal things every good sysadmin/hoster would do. I am pretty sure that nginx is not your problem. But I understand if you say that with Apache you don't have those issues. It's normal human behavior to think in pictures (I have problems with my page. Hmmm.... I use nginx. Hmmm. Format system, install fresh OS, install Apache. Hmm... No problem so far. Okay! I got it! It's nginx.) instead of taking the time to understand what the problem is and THINK on the problem and solution. But hey! It's your install. If you think that it is nginx then it MUST be nginx. I would not be surprised if in some days you would come back here and tell us the same story has happened with Apache as HTTPD.
Oh! And one last advice: Do not trust anybody! If a security company is telling you that YOUR system is secure then fine and dandy but it's you that need to guarantee and understand the security of your system. Not any one else. You need to UNDERSTAND what is going on with your system and YOU need to KNOW that and why your system is secure. Some one telling you that is secure is not going to take away that responsibility from you. A drug dealer will always ensure that what you buy from him is 100% risk free and and and... but it's you that is going to consume that stuff and it's you that is risking to die. Not him. So don't just blindly trust. Turn on the gears in your head and THINK and ACT but don't just follow blindly. You are not a sheep!
> Best regards
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,27636,27636#msg-27636
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
--
Sarah Kreuz, die DSDS-Siegerin der Herzen, mit ihrem eindrucksvollen
Debütalbum "One Moment in Time". http://portal.gmx.net/de/go/musik
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
|
Re: Nginx securiy problem December 03, 2009 07:26PM | Registered: 1 year ago Posts: 737 |
On Thu, Dec 3, 2009 at 3:03 PM, Steve <steeeeeveee@gmx.net> wrote:
> What? Because of mailman you run Apache? Well... I do run mailman 2.1.12 here on top of nginx 0.8.29 without any issues. No Apache involved in any way. I don't see any reason to use Apache for mailman.
yeah - CGI-based stuff i run apache behind nginx for those couple
things. i always have nginx on the frontend.
how do you run mailman directly?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
> What? Because of mailman you run Apache? Well... I do run mailman 2.1.12 here on top of nginx 0.8.29 without any issues. No Apache involved in any way. I don't see any reason to use Apache for mailman.
yeah - CGI-based stuff i run apache behind nginx for those couple
things. i always have nginx on the frontend.
how do you run mailman directly?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Steve
Re: Nginx securiy problem December 03, 2009 07:42PM |
-------- Original-Nachricht --------
> Datum: Thu, 3 Dec 2009 16:22:27 -0800
> Von: Michael Shadle <mike503@gmail.com>
> An: nginx@nginx.org
> CC: nginx@sysoev.ru
> Betreff: Re: Nginx securiy problem
> On Thu, Dec 3, 2009 at 3:03 PM, Steve <steeeeeveee@gmx.net> wrote:
>
> > What? Because of mailman you run Apache? Well... I do run mailman 2.1.12
> here on top of nginx 0.8.29 without any issues. No Apache involved in any
> way. I don't see any reason to use Apache for mailman.
>
> yeah - CGI-based stuff i run apache behind nginx for those couple
> things. i always have nginx on the frontend.
>
I only have one instance of Apache that I use and it's used for web pages that I know are not easy to handle for me (from the security viewpoint). So I run mod_security on that Apache instance and other stuff that helps me to narrow down the possible security problems. It does not prevent them but I can sleep better knowing that mod_security and other tools are doing a good job in preventing the most obvious issues.
Every where else I use nginx. Some time as stand alone and in some instances as a load balancer and and and...
> how do you run mailman directly?
>
I did not say I run it directly. I run it as a FCGI instance with the help of FcgiWrap (http://nginx.localdomain.pl/wiki/FcgiWrap). And I do the same for other CGI applications (for example the DSPAM WebUI, AWStats, for cgi-bin directory, etc).
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
--
Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla Firefox 3.5 -
sicherer, schneller und einfacher! http://portal.gmx.net/de/go/chbrowser
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
> Datum: Thu, 3 Dec 2009 16:22:27 -0800
> Von: Michael Shadle <mike503@gmail.com>
> An: nginx@nginx.org
> CC: nginx@sysoev.ru
> Betreff: Re: Nginx securiy problem
> On Thu, Dec 3, 2009 at 3:03 PM, Steve <steeeeeveee@gmx.net> wrote:
>
> > What? Because of mailman you run Apache? Well... I do run mailman 2.1.12
> here on top of nginx 0.8.29 without any issues. No Apache involved in any
> way. I don't see any reason to use Apache for mailman.
>
> yeah - CGI-based stuff i run apache behind nginx for those couple
> things. i always have nginx on the frontend.
>
I only have one instance of Apache that I use and it's used for web pages that I know are not easy to handle for me (from the security viewpoint). So I run mod_security on that Apache instance and other stuff that helps me to narrow down the possible security problems. It does not prevent them but I can sleep better knowing that mod_security and other tools are doing a good job in preventing the most obvious issues.
Every where else I use nginx. Some time as stand alone and in some instances as a load balancer and and and...
> how do you run mailman directly?
>
I did not say I run it directly. I run it as a FCGI instance with the help of FcgiWrap (http://nginx.localdomain.pl/wiki/FcgiWrap). And I do the same for other CGI applications (for example the DSPAM WebUI, AWStats, for cgi-bin directory, etc).
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
--
Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla Firefox 3.5 -
sicherer, schneller und einfacher! http://portal.gmx.net/de/go/chbrowser
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
|
Re: Nginx securiy problem December 04, 2009 01:00AM | Registered: 1 year ago Posts: 737 |
it's just easier to maintain status quo. more people at my work are
used to apache already. :)
On Thu, Dec 3, 2009 at 9:53 PM, Igor Sysoev <igor@sysoev.ru> wrote:
> On Thu, Dec 03, 2009 at 02:01:21PM -0800, Michael Shadle wrote:
>
>> Yah. I tried thttpd but it crashed on me randomly. Apache is stable.
>> Works good enough. And the machines I use it on have more than enough
>> resources.
>
> mini_httpd is much more simpler than thttpd: it's just a simple server
> forking for every request, i.e., exactly what is required for CGI.
>
>> It'd be nice if nginx could do cgi :p I have to support mailman and
>> bugzilla. Both seem archaic. One reason I am actually starting a php
>> mailman replacement since there are literally only 3-4 mail list
>> managers out there. None are simple to use or configure either. If
>> anyone wants to help contribute to this effort... Email me off list.
>> I'm hiring a coder to do it for me. Then I will open source it like
>> wordpress and such.
>>
>> Sent from my iPhone
>>
>> On Dec 3, 2009, at 1:11 PM, Igor Sysoev <igor@sysoev.ru> wrote:
>>
>> > On Thu, Dec 03, 2009 at 12:37:17PM -0800, Michael Shadle wrote:
>> >
>> >> Using apache for anything if you don't need to if nginx will do it
>> >> for
>> >> you is a waste of resources and complicates your setup.
>> >>
>> >> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
>> >> minimize that impact by getting mailman ported to php :)
>> >
>> > CGI at http://nginx.org/mailman/ is run by mini_httpd.
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
used to apache already. :)
On Thu, Dec 3, 2009 at 9:53 PM, Igor Sysoev <igor@sysoev.ru> wrote:
> On Thu, Dec 03, 2009 at 02:01:21PM -0800, Michael Shadle wrote:
>
>> Yah. I tried thttpd but it crashed on me randomly. Apache is stable.
>> Works good enough. And the machines I use it on have more than enough
>> resources.
>
> mini_httpd is much more simpler than thttpd: it's just a simple server
> forking for every request, i.e., exactly what is required for CGI.
>
>> It'd be nice if nginx could do cgi :p I have to support mailman and
>> bugzilla. Both seem archaic. One reason I am actually starting a php
>> mailman replacement since there are literally only 3-4 mail list
>> managers out there. None are simple to use or configure either. If
>> anyone wants to help contribute to this effort... Email me off list.
>> I'm hiring a coder to do it for me. Then I will open source it like
>> wordpress and such.
>>
>> Sent from my iPhone
>>
>> On Dec 3, 2009, at 1:11 PM, Igor Sysoev <igor@sysoev.ru> wrote:
>>
>> > On Thu, Dec 03, 2009 at 12:37:17PM -0800, Michael Shadle wrote:
>> >
>> >> Using apache for anything if you don't need to if nginx will do it
>> >> for
>> >> you is a waste of resources and complicates your setup.
>> >>
>> >> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
>> >> minimize that impact by getting mailman ported to php :)
>> >
>> > CGI at http://nginx.org/mailman/ is run by mini_httpd.
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Igor Sysoev
Re: Nginx securiy problem December 04, 2009 01:00AM |
On Thu, Dec 03, 2009 at 02:01:21PM -0800, Michael Shadle wrote:
> Yah. I tried thttpd but it crashed on me randomly. Apache is stable.
> Works good enough. And the machines I use it on have more than enough
> resources.
mini_httpd is much more simpler than thttpd: it's just a simple server
forking for every request, i.e., exactly what is required for CGI.
> It'd be nice if nginx could do cgi :p I have to support mailman and
> bugzilla. Both seem archaic. One reason I am actually starting a php
> mailman replacement since there are literally only 3-4 mail list
> managers out there. None are simple to use or configure either. If
> anyone wants to help contribute to this effort... Email me off list.
> I'm hiring a coder to do it for me. Then I will open source it like
> wordpress and such.
>
> Sent from my iPhone
>
> On Dec 3, 2009, at 1:11 PM, Igor Sysoev <igor@sysoev.ru> wrote:
>
> > On Thu, Dec 03, 2009 at 12:37:17PM -0800, Michael Shadle wrote:
> >
> >> Using apache for anything if you don't need to if nginx will do it
> >> for
> >> you is a waste of resources and complicates your setup.
> >>
> >> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
> >> minimize that impact by getting mailman ported to php :)
> >
> > CGI at http://nginx.org/mailman/ is run by mini_httpd.
--
Igor Sysoev
http://sysoev.ru/en/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
> Yah. I tried thttpd but it crashed on me randomly. Apache is stable.
> Works good enough. And the machines I use it on have more than enough
> resources.
mini_httpd is much more simpler than thttpd: it's just a simple server
forking for every request, i.e., exactly what is required for CGI.
> It'd be nice if nginx could do cgi :p I have to support mailman and
> bugzilla. Both seem archaic. One reason I am actually starting a php
> mailman replacement since there are literally only 3-4 mail list
> managers out there. None are simple to use or configure either. If
> anyone wants to help contribute to this effort... Email me off list.
> I'm hiring a coder to do it for me. Then I will open source it like
> wordpress and such.
>
> Sent from my iPhone
>
> On Dec 3, 2009, at 1:11 PM, Igor Sysoev <igor@sysoev.ru> wrote:
>
> > On Thu, Dec 03, 2009 at 12:37:17PM -0800, Michael Shadle wrote:
> >
> >> Using apache for anything if you don't need to if nginx will do it
> >> for
> >> you is a waste of resources and complicates your setup.
> >>
> >> I only use apache for mod_dav_svn, and cgi. Of which I am trying to
> >> minimize that impact by getting mailman ported to php :)
> >
> > CGI at http://nginx.org/mailman/ is run by mini_httpd.
--
Igor Sysoev
http://sysoev.ru/en/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Jean-Baptiste Quenot
Re: Nginx securiy problem December 05, 2009 05:02AM |
2009/12/3 Michael Shadle <mike503@gmail.com>:
>
> It'd be nice if nginx could do cgi :p I have to support mailman and
> bugzilla. Both seem archaic. One reason I am actually starting a php mailman
> replacement since there are literally only 3-4 mail list managers out there.
> None are simple to use or configure either. If anyone wants to help
> contribute to this effort... Email me off list. I'm hiring a coder to do it
> for me. Then I will open source it like wordpress and such.
That sounds weird to me, rewriting Mailman in PHP. Mailman is an
excellent piece of software. If you need FastCGI support for Mailman,
why not hire a developer to implement that? With the excellent python
flup library, this will not be a daunting task.
--
Jean-Baptiste Quenot
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
>
> It'd be nice if nginx could do cgi :p I have to support mailman and
> bugzilla. Both seem archaic. One reason I am actually starting a php mailman
> replacement since there are literally only 3-4 mail list managers out there.
> None are simple to use or configure either. If anyone wants to help
> contribute to this effort... Email me off list. I'm hiring a coder to do it
> for me. Then I will open source it like wordpress and such.
That sounds weird to me, rewriting Mailman in PHP. Mailman is an
excellent piece of software. If you need FastCGI support for Mailman,
why not hire a developer to implement that? With the excellent python
flup library, this will not be a daunting task.
--
Jean-Baptiste Quenot
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Sorry, only registered users may post in this forum.
Online Users
Guests:
77
Record Number of Users:
10
on August 27, 2010
Record Number of Guests:
177
on August 21, 2010
This forum is powered by Phorum.
 |  |  |  |