C.S.F. Blocking Nameserver Lookups
Oct 3, 2007
When I enable csf my server loses the ability to do any nameserver lookups. It doesn't seem like port 53 is being blocked, I've added the 2 nameservers in /etc/resolve.conf to my csf.allow file, but still nothing. Outgoing mail fails because it can't look up domain names, I've tried nslookup from the command line and it times out. I'm out of ideas. Am I wrong about looking at port 53? Do I need to whitelist some other IP I'm missing? This is a RHEL5 server.
iptables --line-numbers -L OUTPUT -n | grep :53
39 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
49 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
54 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53
55 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53
56 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53
57 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
58 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1024:65535
59 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
Feb 24, 2008
I have got a dedicated server running Fedora Core 7.
My problem is that I am trying to run yum updates using the default repos and it fails to respond and check any mirrors.
I have tried to disable ipv6 and changed some tcp timeout settings along with the resolver.conf name servers, and this has appeared to fix the wget timeouts, but yum is still slow.
Jan 6, 2007
When I do a "recursion no;" in the "options" of named.conf it blocks email from coming into the server, and out as well.
Sep 21, 2007
what I broke
Fairly new VPS running centos + cpanel
Getting very slow dns lookups > 4 seconds, sometimes as long as 10 seconds, via both php and shell ping tests, etc. Pinging via IP is very fast.
named is running (tried restart, no change)
In cpanel the resolvers are set to the proper datacenter Nameserver IPs.
Apr 13, 2008
Is there a way you can hide from the whois lookups how many sites you have hosted on your server? Like, for the reverse IP, usually it'll mention how many sites are hosted on the server when you do a whois lookup.
Is there a way to prevent it from doing that?
Mar 15, 2008
I am trying to debug a dns problem.
What I need is for you to do a dns lookup and report:
1) the address that was returned, the last octet will do.
2) the area of the world you queried from
The answers *will* vary because the dns server is geolocation enabled. Or, at least they *should* vary. But, someone claims it's buggered.
The host name to lookup is:
ssl.dnsmasq.com
Jul 24, 2008
DNS lookups against domains on my server are suddenly failing. The /etc/resolv.conf shows 3 entries for uplink DNS servers at my provider (theplanet). Bind is running, too.
What else could cause this? All sites are accessible via IP, but not by name anymore.
Cpanel/WHM server
Apr 4, 2008
1) I use DNSMadeEasy for a couple of my important domains so I can utilize their failover service.
2) I use my own nameservers for everyone else.
At my registrar (GoDaddy) I've added host entries to my domain (let's call it host.com) for ALL of my nameservers: DNSMadeEasy and mine. For example here are my host entries:
1) nsdme0.host.com = 55.55.55.55 (DNSMadeEasy)
2) nsdme1.host.com = 56.55.55.55 (DNSMadeEasy)
3) nsdme2.host.com = 57.55.55.55 (DNSMadeEasy)
4) nsdme3.host.com = 58.55.55.55 (DNSMadeEasy)
5) nsdme4.host.com = 59.55.55.55 (DNSMadeEasy)
6) ns1.host.com = 60.55.55.55 (mine)
7) ns2.host.com = 61.55.55.55 (mine)
At the registrar I've then configured host.com to use the first five nameservers for itself, the DNSMadeEasy nameservers.
For less critical sites that I host I simply point them to ns1.host.com and ns2.host.com, my nameservers.
Now, here's the twist. If I use dig to look up www.host.com I get:
[root@lax1 ~]# dig +trace www.host.com
; <<>> DiG 9.3.3rc2 <<>> +trace www.host.com
;; global options: printcmd
. 220048 IN NS D.ROOT-SERVERS.NET.
...........................................
. 220048 IN NS K.ROOT-SERVERS.NET.
;; Received 228 bytes from 66.63.160.2#53(66.63.160.2) in 1 ms
net. 172800 IN NS J.GTLD-SERVERS.net.
...........................................
net. 172800 IN NS G.GTLD-SERVERS.net.
;; Received 497 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 74 ms
host.com. 172800 IN NS nsdme0.host.com.
host.com. 172800 IN NS nsdme1.host.com.
host.com. 172800 IN NS nsdme2.host.com.
host.com. 172800 IN NS nsdme3.host.com.
host.com. 172800 IN NS nsdme4.host.com.
;; Received 225 bytes from 192.48.79.30#53(J.GTLD-SERVERS.net) in 125 ms
www.host.com. 1800 IN CNAME host.com.
host.com. 75 IN A 60.55.55.55
host.com. 86400 IN NS nsdme2.host.com.
host.com. 86400 IN NS nsdme1.host.com.
host.com. 86400 IN NS nsdme5.host.com.
host.com. 86400 IN NS nsdme0.host.com.
host.com. 86400 IN NS nsdme4.host.com.
host.com. 86400 IN NS nsdme3.host.com.
;; Received 276 bytes from 123.123.123.123#53(nsdme0.host.com) in 68 ms
BUT, if I lookup the nameserver (ns1.host.com) I get:
Code:
[root@lax1 ~]# dig +trace ns1.host.com
; <<>> DiG 9.3.3rc2 <<>> +trace ns1.host.com
;; global options: printcmd
. 218964 IN NS M.ROOT-SERVERS.NET.
...........................................
. 218964 IN NS K.ROOT-SERVERS.NET.
;; Received 228 bytes from 66.63.160.2#53(66.63.160.2) in 1 ms
net. 172800 IN NS H.GTLD-SERVERS.net.
...........................................
net. 172800 IN NS G.GTLD-SERVERS.net.
;; Received 497 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 115 ms
ns1.host.com. 172800 IN A 60.55.55.55
host.com. 172800 IN NS nsdme0.host.com.
host.com. 172800 IN NS nsdme1.host.com.
host.com. 172800 IN NS nsdme2.host.com.
host.com. 172800 IN NS nsdme3.host.com.
host.com. 172800 IN NS nsdme4.host.com.
;; Received 241 bytes from 192.54.112.30#53(H.GTLD-SERVERS.net) in 151 ms
What I've realized is that the actual IP addresses for nameserver host entries come from a higher level server than my own, in this case H.GTLD-SERVERS.net. I guess this makes sense but I just hadn't realized it before. It looks like I don't even need to have record entries in my DNS records for the host nameservers.
Now for the question. Can I:
1) Remove my custom host nameserver entries from my registrar.
2) Add entries in my DNSMadeEasy records to specify the location of ns1.host.com and ns2.host.com.
3) Use the failover provided by DNSMadeEasy to also fail-over my DNS entries for my nameservers?
I know this would require one more hop if it works but it would allow me to provide failover ability to fifty domains without having to purchase the extra domains at DNSMadeEasy.
May 17, 2007
Now that DNSReport is forcing logins/charging users for accounts does anyone know of any alternatives?
I can't seem to find anything remotely decent throughout my search engine hunts!
Apr 5, 2007
I've had it with EV1. On any given day we get 30-50 BFD attacks from their servers. That doesn't include the dozens of other types of attempts per day our IPS/IDS catch. We've also traced back client servers that were hacked directly via EV1 servers.
It's obvious that EV1 does little or nothing to stop these issues. We spoke to the FBI about these issues and their comments lead me to believe that EV1 is one of the major sources of these issues and that EV1 has shown little or no effort to curb the problem or cooperate in stopping the issue.
We have elected to now block all EV1 IPs.
Drastic measures, not really. If they won't take care of their own problems I no longer want them dumped at my door step. I think other hosts might want to think about this.
Apr 28, 2007
At the moment it will block people who log in with the wrong username/password 5 times. It also blocks people if they use the wrong email settings.
Is there a way to turn the pop3/email blocking off?
Dec 3, 2006
I am hitting a limit on number of POP signons per hour imposed by my host. I host maybe 10 domains on this account and have 4 or 5 email addresses to monitor for each domain. If I check once every 15 minutes I run up against a limit on the number of POP3 signons permitted by my ip. Add this to having multiple mail clients behind a NAT router and I am beginning to have real problems.
Does anyone else have this issue? Is my only workaround to forward all email to a single account or install a local mail server? Does 100 POP signons an hour from a single IP sound like a lot to anyone? Any advice?
Jul 19, 2008
Let's say you want to protect against hacking, using a method of simply blocking the loading of a URL. So let's say someone hacked your index.html and changed links to lead to his domain.com. Is it possible to block what would be loaded on the site? (To prevent possible future hacking intrusions.)
Nov 28, 2008
I have 2 servers: one is a Linux server + Cpanel + CSF firewall where my site is running, and one is a Windows server where my Exchange mail server is running. Now the thing is that when anyone sends mail to me through my web site (after filling in the contact form), it doesn't come to my email id, but when I stop my firewall and then fill in the contact form, the mail goes to my mail id.
I have a PHP script with SMTP authentication.
Which port is blocked in my firewall, given that it works after disabling the firewall? How can I check, while the firewall is on, why mails are not coming to my email id and which port is blocked by the firewall?
Allowed ports in firewall: 25,80,20,21,465,443,110,143
Jul 5, 2007
Seems one of my sites has been added to some mega "toplist" site that's bringing in fake traffic to my site, which is basically like a DOS attack - over 1000 connections.
coming from
[url]
[url]
[url]
linking to a php file in one of my accounts which has since been removed. However, I'm still getting a heck of a lot of hits; they probably all see 404 messages, which still causes load on my server.
Any suggestions how to fix this? The traffic is referred from the above urls but from hundreds of ip addresses. Is there any way to blacklist the referrer so people are just blocked, period?
Oct 6, 2007
Running freebsd with pf, and was wondering if there's anything like www.fixingtheweb.info for pf instead of IP tables? Otherwise it'll be a long day
Apr 14, 2007
I had a few sites hacked today. I'm using phpbb (all updates) and, apparently, the only thing they did was to drop the database and replace it with one featuring a single post "advertising" their hacker group. I tried bringing everything back on-line, but they would just attack again and take it down quickly... I'm thinking it's probably just some script kiddies.
They announce themselves as "turkish hackers". Browsing around for their message, I found they attacked quite a few sites. What I was thinking, to help preventing this from happening again, is to ban all visitors from Turkey (none of these sites has a need for them, as they're aimed at a local audience).
Can I do this simply by using "deny from .tr" in htaccess? Or are there any more steps to be taken?
Nov 7, 2007
I have my server set up with the smtp daemon running on port 125, and assp listening on ports 25 and 26, and forwarding to port 125 if the mail passes. This setup has been working for months and months. Already today I've received several emails.
I just attempted to send an email, however, and thunderbird could not connect to port 26. (I use an alternate port because my ISP blocks port 25 except to their mail servers)
So I thought that assp had stopped running. Attempted to go to myip:55555, but the page would not load. Now I really thought assp was broken. SSH'd into server and was able to telnet to localhost, port 26 without an issue. Was also able to lynx [url] without an issue.
Since I'm able to log in to all of these weird ports via SSH but not from my local computer, I'm apt to think that they are blocking the ports (for some reason).
Is there any way I can test this theory? Nothing has changed on my side firewall-wise, and the poor girl at the ISP company didn't even know what a port was. I would like to be 100% sure before I give them another call demanding to speak to someone higher up...
Feb 10, 2007
How to ban or block IP locations on my server, like a country range?
And how can I know the IP's country range?
Jul 20, 2007
as per apf firewall issue
Jul 17 02:03:02 duck kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:01:02:c9:94:20:00:90:69:8a:f3:f0:08:00 SRC=192.168.1.43 DST=192.168.1.220 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=40428 DF PROTO=TCP SPT=37079 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
I already added the 192.168.1.43 ip to the allow list.
tcp:in : d=3306 : s=192.168.1.43
d=3306 : s =192.168.1.43
tcp: out : d=3306 : s =192.168.1.43
# added 192.168.1.43 on 07/19/07 01:15:21
192.168.1.43
But ip is still blocking traffic while monitor mysql....
May 24, 2007
APF firewall is blocking IPs from the allowed range
I have this inserted in /etc/apf/allowed_hosts.rules and restarted APF of course
67.79.221.0/24
70.112.124.0/24
70.113.54.0/24
It still blocked this IP for example, 67.79.221.154
Anyone know why?
Jul 11, 2009
I have a virtuozzo VPS with CSF. People can't connect to ftp because the firewall is conflicting with iptables. I looked at the csf guide:
[url]
To correct it, the ftp issues states:
Quote:
For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:
PassivePortRange 30000 35000
Where is pure-ftpd.conf? Do I have to install it or something?
May 14, 2009
I have a client who needs to block an IP range on a Windows server. However, he is using Cloud hosting from Rackspace. I guess they are not being cooperative in doing so. Any way to do this without root? Perhaps from the control panel?
Apr 3, 2009
I've got a flash music player that gets its tracks from a dedicated directory on my server. There's about 10GB of music in there (we own it) and I want to stop people getting at the files (they can see the path in the source of the page that has the flash player).
I tried an htaccess directive that stops listing the directory contents but that obviously won't work. What is the best & most secure strategy to achieve this, blocking all ip addresses apart from my server's?
Jul 23, 2009
I have come across an issue where traffic from India is hurting my business. What I have is a number of job boards. Realistically, the only issue I am having is with IT and Engineering positions being applied for heavily by people in India. Since my customer base is all in the USA, I would like to just block India.
While I know this is easy with Apache using a .htaccess file, I am using IIS on server 2007. Does anyone have any idea on how to do this easily with the large number of IPs that India uses?
Mar 9, 2008
I recently signed up a new client to my dedicated server - The minute they switched over to my server, it seems that all hell broke loose. (I'm going to refer to them as "Company A")
Company A called me up and said that one of their employees was getting a huge amount of SPAM and that after a day or two, they were having issues with their E-mail.
I looked at my logs and it showed something unusual-
LOGIN FAILED, user=myclientuser@companya.com, ip=[::ffff:XX.XXX.170.47]: 110 Time(s)
When I explained this to Company A, they ran some virus checks on their computers and 3 out of 5 computers had viruses on them.
They claim to have fixed the viruses but now, they cannot send e-mails to specific clients.
I checked their I.P. against blacklists and they are using Comcast cable internet at their location and I cleared their only blacklisting (spamhaus.org).
I'm still getting calls that Company A cannot e-mail a few of their clients and just to make sure it's not JUST them, I tried to send a test e-mail to the same clients as Company A.
The e-mails from me were rejected due to time-out.
HERE IS MY QUESTION:
Is this an issue on MY end that must be taken care of *OR* is it due to the fact that they had viruses on their computers and now they are blocked because the virus tried to attack everybody in THEIR e-mail address book?
None of my other clients are complaining of e-mail issues or that e-mails are getting kicked back. Just Company A.
May 6, 2008
I have a client who was sending email to another server with Cpanel, all of a sudden all emails are in the queue for a few days and we checked everything was ok on our side even the logs are able to find the domain name, just that it drops from there.
Took me a while; I finally telnetted to their port 25 and found it blocked, but somehow a few minutes later it was unblocked. Is there any mechanism in Cpanel that auto-blocks port 25? I know the client uses a catchall so all rubbish went there, I cleared the catchall for him.
Feb 13, 2007
It appears that MSN / Hotmail have recently begun blocking an awful lot of servers I manage. Several of them (for a company I work for) are in a few blacklists however a number of the IP addresses I manage are 100% clean.
Anyone know of something MSN/Hotmail recently began enforcing?
The blocks began at around 6 PM EST on Thursday of last week.
The error message is as follows:
Your e-mail was rejected for policy reasons on this
gateway. Reasons for rejection may be related to content such as obscene
language, graphics, or spam-like characteristics (or) other reputation
problems. For sender troubleshooting information, please go to
http://postmaster.msn.com. Please note: if you are an end-user please
contact your E-mail/Internet Service Provider for assistance.
I feel like a pawn for asking this on WHT but from what I can see
it's fairly widespread.
The domains in question do have basic SPF implemented as well.
not limited to a contact at hotmail / msn that would enjoy a phonebeating.
Nov 5, 2007
I would like to block emails that contain a certain subject that go to one domain, and also the ones being sent internally between the users on the same domain. The tricky part is, the recipient of the blocked email will receive a notification (The message has been blocked. To retrieve the full emails, please contact the administrator). Has anybody done it before?
I am using Qmail+SA+Clam on FreeBSD
Aug 21, 2007
This is just a notice: one of the staff of a large site I run was no longer able to log into the site. As it turns out his IP was being blocked by APF.
The reason for his IP being blocked was that it ended in 255 (x.x.x.255). Any such addresses are blocked by the PKT_SANITY_STUFFED option, which is turned on by default in recent versions of APF. When restarting APF this option shows up as {pkt_sanity} deny all to/from 0.0.0.255/0.0.0.255 and can be seen under "OUT_SANITY" when doing "apf --list".
As you notice the problem is that some ISPs are assigning supposedly "bad" IPs ending in 255 to users. And I'm not the only one hitting this problem either: [url]
If you are also using (a recent version of) APF, you might want to turn this option OFF.
In the meanwhile, if anyone is so enlightened... why was this option in APF in the first place? What's so bad about IPs ending in 255? The APF docs say they're bad broadcast addresses, so why are ISPs assigning them anyway? Who is at fault: APF or ISPs?
Mar 26, 2007
We have a CentOS server running Apache 2 with the mod evasive plugin installed. Mod evasive keeps on blocking me though, and adding me to the blacklist, when I am just browsing pages.
Here are my settings:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
DOSEmailNotify networkadmin@mydomain.com
</IfModule>