APF Can't Block Banned One Of The IP
Nov 30, 2007
Since some days I have a problem with apf: It can't BAN one of the Ip from file deny_hosts.rules. Other IP's are correctly banned. Of course in apf log are:
apf(28474): {trust} deny all to/from 88.84.141.233
but this ip still have access to my server and scan my ports. I have this problem after editing internals/rab.ports (I added some ports to RAB_PSCAN_LEVEL_2). I don't know how can I fix this problem.
Topic should have title: APF can't block one of the banned IP.
View 4 Replies
ADVERTISEMENT
Dec 15, 2007
You can see my servers information at the bottom.
If in this post there is security information I have reveiled I hope you will tell me
After a couple of hours where someone tried to login to root and Directadmin using ssh, i closed ssh and made some minor changes to the security.
I turned on the automatic add ip if login failed 3 times, in DirectAdmin.
I dont know why I was banned cause I DID NOT use wrong login???
My other users of the server also got banned, and they say they did not use wrong pass either?
SO how do I unban me so I can acces DirectAdmin again?
And as if that was not enough, because Im soooo good at this...
while I was at it I stopped SSL cause I got following error and I dont really need it, I think
-------------------------STARThttpd_error_log
[Sat Dec 15 03:38:22 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sat Dec 15 03:58:32 2007] [notice] caught SIGTERM, shutting down
[Sat Dec 15 03:58:34 2007] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Sat Dec 15 03:58:34 2007] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Sat Dec 15 03:58:34 2007] [warn] Init: SSL server IP/port conflict: www.belove.updownloading.com:443 (/usr/local/directadmin/data/users/belove/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48)
[Sat Dec 15 03:58:34 2007] [warn] Init: SSL server IP/port conflict: www.fusion-planet.updownloading.com:443 (/usr/local/directadmin/data/users/iceangel89/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48)
[Sat Dec 15 03:58:34 2007] [warn] Init: SSL server IP/port conflict: www.nicheserver.com:443 (/usr/local/directadmin/data/users/nicsad/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48)
[Sat Dec 15 03:58:34 2007] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/httpd/conf/extra/httpd-vhosts.conf:38) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48)
[Sat Dec 15 03:58:34 2007] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Sat Dec 15 03:58:34 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Dec 15 03:58:34 2007] [warn] module php5_module is already loaded, skipping
[Sat Dec 15 03:58:35 2007] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Sat Dec 15 03:58:35 2007] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Sat Dec 15 03:58:35 2007] [warn] Init: SSL server IP/port conflict: www.belove.updownloading.com:443 (/usr/local/directadmin/data/users/belove/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48)
[Sat Dec 15 03:58:35 2007] [warn] Init: SSL server IP/port conflict: www.fusion-planet.updownloading.com:443 (/usr/local/directadmin/data/users/iceangel89/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48)
[Sat Dec 15 03:58:35 2007] [warn] Init: SSL server IP/port conflict: www.nicheserver.com:443 (/usr/local/directadmin/data/users/nicsad/httpd.conf:48) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48)
[Sat Dec 15 03:58:35 2007] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/httpd/conf/extra/httpd-vhosts.conf:38) vs. www.tokyolondon.net:443 (/usr/local/directadmin/data/users/tokyo/httpd.conf:48)
[Sat Dec 15 03:58:35 2007] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Sat Dec 15 03:58:35 2007] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8b DAV/2 PHP/5.2.4 configured -- resuming normal operations
[Sat Dec 15 03:58:48 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml
[Sat Dec 15 03:58:49 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml
[Sat Dec 15 03:59:10 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml
[Sat Dec 15 03:59:11 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml
[Sat Dec 15 03:59:12 2007] [error] [client ::1] File does not exist: /var/www/html/400.shtml
-------------------------END httpd_error_log
I have also posted this on DirectAdmin's forum, but because Im really nervous and dont know when they will answer I posted here too, cause this forum is used more
Server configuration
Linux CentOS5 DirectAdmin
Processor Name Intel(R) Xeon(R) CPU 3050 @ 2.13GHz
Vendor ID GenuineIntel
Processor Speed (MHz) 2133.507
Processor Name Intel(R) Xeon(R) CPU 3050 @ 2.13GHz
Vendor ID GenuineIntel
Processor Speed (MHz) 2133.507
Total Memory 2075520 kB
Free Memory 57004 kB - (Every time I cant access the websites, it is this low, then when I can access the websites again its
around 500mb)
Total Swap Memory 4192956 kB
Free Swap Memory 4192888 kB
Apache 2.2.6 Running
DirectAdmin 1.31.0 Running
Exim 4.67 Running
MySQL 5.0.45 Running
Named 9.3.3rc2 Running
ProFTPd 1.3.1 Running
sshd *** Stopped *** (I stopped it because my websites dont need it, in logs I could see that some sites, I dont know, were trying to acces it?)
vm-Pop3d 1.1.7f-DA-2 Running
View 11 Replies
View Related
Mar 11, 2008
I've an interesting issue here. A client of mine was apparently banned from one of my servers and the problem has been narrowed down to the APF. What's odd is that he's not listed on /etc/apf/deny_hosts.rules file, nor is his IP blocked by iptables.
But, as soon as the APF is enabled he can't access anything on the server! This is very random, I've been using APF for just over a year now and I've never had a problem like this. But who's to say it's not happening to others as well?
View 5 Replies
View Related
Feb 22, 2007
I can't seem to access my server. I can get in through a proxy but not with my own IP. I can't log in through SSH to find out what's going on because I'm banned. I manage my own machines at the moment, so no I can't really contact my host.
View 14 Replies
View Related
Apr 25, 2009
I took server from Soft Layer
After four month they banned my account, When I talked to them they said we banned your account for tow days because we Suspicion about you and I waited them for tow days but nothing new, after that I sent all my evidences to them, the passport picture, driver's license, ID's card and Visa Card picture from front and back.
NOW!
I don't know the reason for banned my account, why they banned me?
View 14 Replies
View Related
Jul 8, 2008
My story starts with my getting burned by fumiNET (the first *grrr*)...
Burstnet reactivates my server (for an additional payment of course). The server seems fine but I thought that I might do better with a BurstNET reseller (better service). So...
I sign up with a reseller, and since I got my new server I've been plagued with email bounces, rejections, etc. Seems that my server (via the reseller) was supplied with a bunch of banned IPs (in other words, crap IPs). (the second *grrrr*)
I've reported to the providers abuse department, but was told that I have to handle this. (third *grrrr* - or is it just continued from the second?)
I've had it. I'm ready to fold up shop. As it is the sites keep me busy - but then...
- I get screwed by fumiNET (losing a big chunk of money)
- the hassle of trying to get my fumiNET server back up (thanks BurstNET)
- transferring to the reseller for better service, and finding out that perhaps BurstNET service was better than the reseller's
I'm open if anyone has suggestions. Some that I've come up with myself...
- finding yet another server provider (recommendations welcome)
- drinking large quantities of Guinness (worth it regardless)
- pulling the plug on the server and getting shared hosting to hold some minimal content
- forgetting the whole damn thing and getting a job as a [pick one]: store clerk, street cleaner, used car salesman
View 1 Replies
View Related
May 19, 2008
How can make a cronjob for remove banned ip with CSF every 15min?
View 4 Replies
View Related
Sep 13, 2007
Have been receiving the following warnings for more than a day. Does BFD auto execute a permanent ban or do I have to do it myself? If so, how? Also, I did a whois, found out the service provider, and sent an email regarding abuse. I have yet to receive a reply.
I was wondering since its a HK IP, do I have to send the message in chinese? Would anyone be kind enough to do so?
Quote:
Banned the following ip addresses on Thu Sep 13 16:32:01 SGT 2007
203.186.163.31 with 308 connections
View 6 Replies
View Related
Dec 19, 2005
I have found a host already ...
View 3 Replies
View Related
Apr 14, 2008
I run an small social netwroking web site.
I just checked and it looks like yahoo dont accept emails from my server.
so is there any way i send those bulk emails to those users or my web site from another mail service prodider so that delivery guaranted?
informing my users who has yahoo mail account about updates etc..
i have dedicated server and cpanel.
View 3 Replies
View Related
Aug 13, 2008
I just lost access to my site, but wannabrowser & siteuptime, etc. all said it was up!
I ran ipconfig /flushdns and everything.
Finally, I unplugged my wireless & router and waited. Plugged it back in, everything worked (I had a new IP)
The only suggestion I can come up with is that my own security protection filtered me! How can I view the nodos blacklist to see if this is the case?
I already checked iptables -L and my IP (and range) did not show.
View 4 Replies
View Related
Sep 30, 2007
when you add a banned ip to APF it doesnt show anything when the user visits the site, just a blank page. is there anyway to set up a page such as "You IP Address has been banned,
View 4 Replies
View Related
Jul 13, 2015
I formatted my server and installed CENTOS 7 and PLESK 12. I have problems with cbl.abuseat.org. My ip enters in blacklist. I sent email to the support of abuseat.org and abuseat reply:
Please fix your HELO strings.
I check the my configuration and I think is correct:
- Reverse lookup is ok
- Hostname is ok (server.domain.tld)
But I have the file in /etc/sysconfig/network empty. There is only written: # Created by anaconda
Also, is correct the my etc/hosts file?
127.0.0.1 server.domain.tld server localhost4 localhost4.localdomain4
:: 1 server.domain.tld server localhost6 localhost6.localdomain6
View 12 Replies
View Related
May 16, 2008
We've blocked a few problematic users from our server using CSF (IP block).
Could anyone tell me how I could get a custom page to appear for this who are blocked on the server?
I'd like a message informing the user(s) that they have been banned from the server rather than a blank screen.
View 3 Replies
View Related
Jul 8, 2009
I am curious, what is the best way to ban certain IP from accessing server? I have software firewall (APF) and there is, of course, /etc/hosts.deny.
Which is the most efficient? I've read that software firewall becomes unstable after so many entries. Does the same apply to /etc/hosts.deny file?
Or is there a better way altogether?
View 7 Replies
View Related
Jun 8, 2009
some Chinese forums hotlinking images from my site and I even delete those images they keep sending me huge amount of http requests to my hosting server and eating 800mb of memory and upto 1GB cause server crash
I tried to block incoming referrer traffic from those sites using htaccess but it didn't work , I still see their http request on my server logs and memory keep goes high , am not sure my code is the right
how can I block these http request from these domains , what is the right htaccess code , I use DirectAdmin panel by the way
View 7 Replies
View Related
May 16, 2007
Can any one let me know how to block a range IP on SSH?
Eg: i'd like to block all IP: 67.63.123.xxx
View 5 Replies
View Related
Jan 9, 2007
I'm currently experiencing a lot of IP's starting with 200 and 201 (from Brazil) some IP’s have over 200 connections. I have APF installed and want to know how to block a block on ip's if this is possible.
IPS:
200.11.*******
201.*******
View 3 Replies
View Related
Apr 27, 2007
I have DDos Attack right now so I want to block all the IP from all over the world and just allow certain IP range.
How to do it using APF or any other way.
For example I want to block everything but Germany IP
Code:
53.0.0.0/8
62.4.64.0/19
62.8.32.0/19
62.8.128.0/17
62.24.0.0/19
62.26.0.0/15
62.40.0.0/19
62.44.32.0/19
62.48.64.0/19
62.50.32.0/19
62.50.96.0/19
62.50.192.0/18
62.52.0.0/14
62.61.32.0/19
62.68.0.0/19
62.72.0.0/18
62.72.64.0/19
62.75.128.0/17
62.78.64.0/20
62.80.0.0/18
62.80.96.0/19
62.89.160.0/19
62.91.0.0/16
62.93.192.0/18
62.95.128.0/18
62.104.0.0/16
62.109.64.0/18
62.109.128.0/19
62.111.0.0/17
62.112.32.0/19
62.112.64.0/19
62.112.128.0/19
62.116.128.0/18
62.117.0.0/19
62.128.0.0/19
62.128.160.0/19
62.133.0.0/19
62.138.0.0/16
62.141.32.0/19
62.141.160.0/19
62.145.0.0/19
62.143.0.0/16
62.144.0.0/16
62.146.0.0/16
62.152.0.0/19
62.152.160.0/19
62.153.0.0/16
62.154.0.0/15
62.156.0.0/14
62.165.0.0/19
62.168.192.0/19
62.169.0.0/19
62.176.128.0/19
View 2 Replies
View Related
Apr 15, 2007
how can i block to access to some IP?
for examaple scripts in my hosts can not access to some IPs i want
View 6 Replies
View Related
May 5, 2009
Fortigate appliances blocking an IP that is not in RBLs I have a problem with the IP 66.187.108.157 of my VPS it seems to be blocked by Fortigate appliances, as you can see in this error message:
SMTP error from remote mail server after RCPT TO:[url] host mail.am.com.pe [200.62.221.107]: 554 5.7.1 This message has been
blocked because it is from a FortiGuard - AntiSpam black IP address.(connection black ip 66.187.108.157)
However I have searched in this URL [url]and it is clean.
Any ideas on how to have/force Fortigate databases to become updated.
View 1 Replies
View Related
May 12, 2009
I'm having difficulties with a whm running on centos dedicated server. The problem is that we receive too much of spam and junk emails. by too much I mean 2000 bulks per week. It's killing us.
how I can stop it.
View 14 Replies
View Related
Jul 4, 2009
IM about tired of spam and hackers putting phishing items on my server.
My question is.
How can I block the whole world expect for US, CA and UK?
I've added several countrys to csf's csf.deny list but half of them keep disappearing.
View 14 Replies
View Related
Jun 12, 2008
Is there any way to block a particular ISP? Have a visitor that changes IP hourly, but the IP always resolves back to a hostname like dsl.yuns.sksk.uk .
I have CSF installed. Any way to block all visitors from dsl.yuns.sksk.uk?
View 3 Replies
View Related
Jun 17, 2008
in one of my servers i have this line in my ConfigServer Security & Firewall:
190.28.118.155 # lfd: 10 (suhosin) login failures from 190.28.118.155 - Mon Jun 16 23:27:50 2008
is this ok? i mean... its an attack of some sort? i know suhosin is meant to increase php security, so its blocking an attack right?
View 0 Replies
View Related
Apr 29, 2008
I have blocked this IP 125.115.144.28
/etc/apf/apf -d 125.115.144.28
But
netstat -anp|grep tcp|awk '{print $5}'| cut -d : -f1 | sort | uniq -c | sort -n
It still showing
202 125.115.144.28
Why?
Is it supposed to blocked right away, or need some time to get blocked.
When I checked /etc/apf/deny_hosts.rules
The IP is in the file.
View 12 Replies
View Related
Apr 6, 2008
I set up a forum for a small group of users, so I don't really wish to see spiders or bots on it, so I've put a robots.txt file there to prevent all of them from accessing the forum pages.
I know not all bots follow the robots.txt rule, and these days a really annoying bot called MUNAXNET or Munax AB with IP range 82.99.30.0 - 82.99.30.127 is causing the forum to have extra and unexpected loads.
I've tried to block this IP range with .htaccess and uploaded it to the root of the site a few days ago, here is the content:
<Limit GET HEAD POST>
order allow,deny
deny from 82.99.30.0-82.99.30.127
allow from all
</LIMIT>
However strangely it seems that all of these are not working for this bot, today I saw my forum had 80 users online and that army still keeps coming and browsing all pages of my forums...
I tested the .htaccess with blocking myself, and it actually worked for me, dunno why it's not working for that bot..
View 3 Replies
View Related
Mar 13, 2008
I was just researching my log analyzers to see whats happening... I noticed something new in the logs, a large number of unnamed robots or spiders... so I found the robot... it was this:
23310 7.99% 23303 9.48% 1159765 18.56% 22 0.12% 77.88.26.26
After some reading, sites say the ip belongs to spider26.yandex.ru
For simply security reasons, would it be in best interest to block the entire subnet? It seems that the same IP ending in .25 belongs to spider25.yandex.ru
View 0 Replies
View Related
Apr 25, 2008
Is anyone using snort?
Does it really block any web based attacks?
I know I can do port scans, and it can alert you to a whole bunch of false positvies, but is it blocking/detecting any serious attacks on your web server?
If so, which rules are the one is alerting on?
View 0 Replies
View Related
Jan 8, 2008
I have a Juniper firewall. I'm seeing a ton of traffic from the Twiceler bot in the range of 100,000 hits a day. Luckily they've more recently put up a list of IP addresses their bots use at:
[url]
So, I'm blocking all of these now. However I think it's a simple Netmask issue I'm having. I'm blocking all ports from
208.36.144.0/24
38.99.13.0/24
38.99.44.0/24
64.1.215.0/24
However, I am still seeing the bot in server log files. Could it be that I should not be specifying .0 at the end, but instead .1? Like this in the policy?
64.1.215.1/24
View 3 Replies
View Related
Jun 16, 2008
I have spamassassin configured its working 90% but still I am receiving mails from my ID only. Like I have info@domain.com so I am receiving mail from info@domain.com to info@domain.com.
View 7 Replies
View Related
