I'm having a problem with mails on my server. I configured csf and ddos deflate to send a mail to "root" when some ip is blocked. I made .forward in /root dir with my mail but I still don't recieve an email when an ip is blocked by csf or ddos deflate
P.S Mails with webmail clients are working fine
i opened up my email only to get spamming with over 600 email's from my server. I dont think my server is being DDOS'd but this is strange. And there seems to be a bug.. its saying BANNED NUMBER of Number and not, "ip here with X numbers f connections: The emails consist of:
Quote:
Banned the following ip addresses on Fri Oct 23 14:35:01 CDT 2009
250 with 250 connections
Quote:
Banned the following ip addresses on Fri Oct 23 12:58:01 CDT 2009
363 with 363 connections
Quote:
Banned the following ip addresses on Fri Oct 23 12:38:01 CDT 2009
253 with 253 connections
Quote:
Banned the following ip addresses on Fri Oct 23 09:12:01 CDT 2009
162 with 162 connections
Anyone else had this problem before? It seems my server is trying to ban itself since 162 is what i believe to be my server ip with that amount of connections. It started @ 9am and still going on now. I checked my CSF log and its showing my server is trying to PING some outside ip address @ 224.0.0.251
A couple of days ago I was having load issues and and my host looked at my issue and added apf 0.9.6 rev2 with ddos deflate, and the load has gone down. I have a question though, when APF_BAN=1 and ban period is minutes BAN_PERIOD=1800 why does my deny.hosts have 2 day old bans?
View 2 Replies View RelatedJust wondering if anyone is running both of these applications. Am I wrong in thinking that running them both would be redundant?
View 11 Replies View Relatedit seems people tell Dos Deflate is the best basic antiddos script and tons of webhosts use it.
I think its ratter old and it doesnt work for anything these days. Why do hosts still run it? And why isnt there a better alternative?
I used Deflate some years ago and I got problems. And tried then after some years again and nothing changed, the same basic old script which counts connections and ban IPs.
The think with Deflate is that if you have a high limit, lets say ban with 150 connections per IPs, its absolutely worthless for attacks, since you are letting already 150 connections per IP.
And if you lower it at least me got with tons of problems banning real visitors. Even over 150 I had complaints about real visitors on a server telling the server blocks him. Dont ask me how someone has 150 connections to a servers but I got complaints from multiples people over the world the 1 month i had it running over a 2 years ago.
I also see a really big problem with it. Allot of ISP share IPs between users. So its really possible you get 200 connections from the same IP and they are different users. Banning an IP based on the connections you can probably shutdown a full IPS and their visitors. I wish there was a better solution but using a high value like 300 or 500 doesnt make sense in a Dos attack. And if you use a low value you start to get into problems.
We agree it will not work with distributed attacks but I dont think it can even work with single attacks since besides connection count it doesnt seem to be any more analisys behaviour.
The way I would make a script like that. Is to check all traffic and IPS all the time. And mark IPs that always access a server ass good ones. The newer the IP the more suspicious. On a attack this way real visitors would still pass but attackers will not as they are new ips. You can also match then the number of times its connecting, how long, etc.
I found this ddos deflate like script but made and optimized for csf i used it and it seems to work great, any one else there useing it,? its called csfprotect, anyone else using this script and its working good at blocking ips,
View 4 Replies View Relatedi have problem when using ddos deflate for ddos protection in my server,
i get this message,
Quote:
Banned the following ip addresses on Tue Aug 4 13:12:37 WIT 2009
67.21.44.60 with 4011 connections
ddos deflate is blocking my server ip, what's wrong?
: 67.21.44.60 not real my server ip just for sample
I use deflate to prevent ddos attack.
But after I start deflate, I still keep seeing a lot of connection from certain IP.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
87 218.86.252.158
363 219.150.191.62
501 60.216.238.212
I want to block those IPs permanently.
How can I do that.
I am using DDOS Deflate
[url]
I have a problem with NO_OF_CONNECTIONS.
The default is 150
For example, if a website has 200 thumbnails in one page, then the user will get banned.
But in my case, each time a user have only 1 connection(He only access 1 flv file each time).
So, is that safe for me to decrease the number to 20.
I can see a lot of IP having more than 80 connections, which I think they are ddos attack.
My domain is currently under massive DDoS attack by failed e-mail messages - there are currently 10 failed messages send to me in 1 second. Almost every mail comes from different IPs, is there anythink I can do?
View 5 Replies View RelatedI have a few questions regarding (D)Dos Deflate:
How many " Connections " should I set it at before (D)Dos Deflate starts blacklisting and banning IP Addresses? It is set at 150. Should I make it 10?
Should APF Firewall be installed for this to be more effecfive? ( Note, I'm don't know much about Linux and this isn't installed. )
Number of seconds the banned ip should remain in blacklist? It is a at 600 by default. Shouldn't this be infinite?
Quote:
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1
1-i have CSF installed and thinking to install DOS-Deflate 0.6 but not sure if any Conflect between CSF and DOS-Deflate 0.6. Any Idea..
2- How Safe to use Kloxo for one Domain for personal use ..
I made a thread about this in programming as I was trying to figure it out but I ended up tweaking dos deflate a lil and got it working. Tried and tested as well during low bandwidth syn flood. Keep in mind if you are having massive syn attacks then most of it will have to be filtered on the network level. I have filtering from staminus on my server, this is just for the low bandwidth stuff that gets through.
Syn-deflate is just a name I came up with as it is based on dos-deflate, only a few changed features. I dont know how medialayer would feel about me modifying their script this way I know they got lisence and copywrite on it. Guess I will talk to them about that before any official release.
especially about the csf version.
So I always have used some dos deflate features to monitor dos in my servers, just the netstat command. This one:
Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Today, got a syn flood coming through, low bandwidth, etc. Each ip connecting under the tracking limit for csf. So I tweaked the netstat command a lil bit and I was able to see what ips were sending syn and how many times.
Like this:
Code:
netstat -ntu | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
So I figured it would be very handy to ban ips sending over so many SYN_RECV connections at once. So I took dos deflate and tweaked it a lil. Made this to work with csf. Only problem on csf is there is no unban command, only whitelist so I just had it do csf -d again on the unban command, This would give an error and would not unban the ip but you really dont need to unban it so soon.
With apf it works perfectly on unbanning. Works just like dos deflate but bans syn flooders not connection flooders. You could even use this along with dos deflate. I am using it along side of csf and the connection tracking feature no problem.
I plan on releasing some what of an official version too along with some other tools to monitor and stop dos. So whoever is interested or can offer some advice let me know.
For those who wanna give it a try:
For the CSF version:
To install:
Code:
wget[url]
To uninstall
Code:
wget [url]
For the Apf and Generic Iptables version:
To install
Code:
wget [url]
To uninstall
Code:
wget [url]
uninstall.synd ; ./uninstall.synd
I didnt get to try the apf version out much but have used the csf version all day with no issues
Note to makers of dos-deflate: Im not too keen on all this licensing stuff or what I am supposed to do when I modify someone else script so let me know what I need to do to keep from making anyone mad.
Whatever i try to modify configuration there is no way i can get file delivered by apache or NGINX to be deflate/gzip compressed.
OS: Debian 7.7
Plesk version: 12.0.18 Update #33
I've tried to add these lines to Nginx (Vhost directives) but it change nothing :
# Gzip Settings
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 4;
gzip_http_version 1.1;
gzip_min_length 1100;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/x-javascr$ application/xml application/xhtml+xml application/xml+rss;
gzip_vary on;
gzip_static on;
gzip_proxied any;
gzip_disable "MSIE [1-6].";
I also tried to disable Nginx and configure deflate in apache with following lines (Vhost directives then in a file in apache2/conf.d) but it is the same ...
<IfModule mod_deflate.c>
# Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)s*,?s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
[code]....
I have been trying to enable server-wide compression using deflate.My server is running a fresh install of plesk panel 11 installed over a fresh centos 6 64. The configs and settings (aside from files I mention) have not been changed at all from default.
I have created a new file in /etc/httpf/conf.d/deflate.conf This file is being included when Apache is restarted, so that's definitely working and the html doc compresses. But not matter what I do (I have tried every combination Google would find) css and js files will not compress. At my previous workplace we also used a Plesk server and nobody could ever get compression working there either.
it's come under my attention that dragonara.net has been ddosing me today since morning from the ip:
194.8.75.229
What's so ironic about it is that the ip is from a UK DDOS protection site so i'm expecting some email with their services in the next hour or so. Stay clear of them they are fakes and e-terrorists.
I am looking for some good ddos protection providers, via protected dns. I've searched on internet, but most of them are really expensive.
Please tell me some ddos protection providers what could help me.(gige is too expensive btw).
And I found some ddos protection scripts. How can a script protected a server from ddos? A sript like CSF or DDoS deflate?
recently my mails are not been sent to hotmail and live users from the forum
I just checked by sending a test mail to my hotmail account but the mail wasn't recd. so
I checked the mail queue manager in WHM and the hotmail related mails were not traced.
how I can overcome this problem, I can send mail to hotmail if they are bouncing but when I don't find in the queue , what can I mail about them , when they ask an error id
I sent mass mail from vBulletin forum and I want to see status of those mails via ssh. I mean, I need to see how many mails is sent well, how many of them are still sending e.t.c
View 4 Replies View RelatedI have a bare minimal server which I want to move WHMCS over to. However, how do I setup e-mails so I can setill PIPE them into the system? The e-mail server would be hosted on the main server still.
View 3 Replies View RelatedWe have tried fixing this problem, but its not working..
Our IP: 66.212.18.238 is sending mails to spam box.., It doesn't seem to be blacklisted..
I installed litespeed but now I can't send mails, I didn't got any error but mails are not delivered. My ip is not listed at spamhaus or something like that. Before, with apache it worked fine
View 4 Replies View Relatedi own my dedicated server. every mail that i send via whm, or even via my php script, goes to SPAM box of yahoo/google,...
(also i setted up REPLY-TO header in my php script)
I have a test server from which I can send out emails.. but I am unable to receive emails although I can connect and login to the pop3 server locally (telnet localhost 110)
How can I investigate this issue to find the problem and fix it
When I am sending mails through my Outlook, the mails are being delivered with an unknown signature as below:
ADVERTISING
--------------------------------------------
<a href=[url]
Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa, <br>
from The Best Online Pharmacy! FDA Approved. Low pricing, discounts, <br>
flawless customer support. New discounts and special offers ! <br>
</a>
[url]
--------------------------------------------
Eventhough, I did not setup any signatures. Plesk server with spamguardian running.
One of my e-mail addresses - steve@acme.ie - is regularly marked as spam. My mail server is not blacklisted. My e-mails are always plaintext, and only sometimes have URLs in them.
Looking at my mail server health everything looks ok except for what I assume are reverse DNS entries for my domain. So I'm guessing this is the problem.
So...
1. Do I need to ask my hosting company (I have a dedicated server with the planet) to set up reverse DNS entries for all my domains, or can I do this manually? Note I use my own DNS server, I do not use the hosting company's DNS server.
2. Will it be a problem that all my domains (dublinjobs.ie, acme.ie, etc.) use the same IP?
well we are reseller with some dozens of site...
we use squirell mail for mails for all the sites hosted with us..or the cpanel...
the problem lately is that
our sites mail.............all sites hosted with us are getting hundreds of spams every day..mails of all sites seems similar...
even if we create a new site in our account..a brand new site starts getting hundreds of spam mails..
so it has made things very difficult...
most of mail seems normal with normal names and normal subject like hello...
so it is making things very difficult ..
we feel that ip of server has been targeted by spammers..
I have a VPS in which mails are hanging in Mailqueue. When I use these commands at SSH(iptables -D OUTPUT 2 iptables -D OUTPUT 1 ), every thing goes fine and mails are started delivering but after 8 or 9 hours same problem occurs.
So my question is:
Can there be a permanent solution for this problem?
i have a server for my website, yer i can not send mail from it.
i have qmail is the mail client installed by default from the provider.
first, can you please check whether i have the dns template setup correctly for mail?
[url]
and i have a lot of mails in queue with this log error:
CNAME_lookup_failed_temporarily._(#4.4.3)
Can someone who really knows what they are talking about write me up a very quick parag. on the reasons why the internet is becoming overloaded w/ e-mail & why people don't get their e-mails besides spam filters filtering them, for example the grey/black list, detecting viruses in Word when the person's anti virus isn't picking it up, etc.
View 4 Replies View RelatedI would like to block emails that contain certain subject that goes to one domain and also the one being sent internally between the users on the same domain. The tricky part is, the recipient of the blocked email will receive a notification (The message has been blocked. To retrieve the full emails, please contact the administrator). Anybody has done it before?
I am using Qmail+SA+Clam on FreeBSD