server notice : kernel: possible SYN flooding on port 110. Sending cookies. and down.
how to disable flood on port 110, flood port 443!
EX : disable telnet on port : 21,445,110,53
how to disable telnet on port 21,445,110, with cmd (telnet ip(host) port)
my new server performs strange
I checked /var/log/messages
there are full of these messages
possible SYN flooding on port 80. Sending cookies.
kernel: printk: 84 messages suppressed.
kernel: nf_conntrack: table full, dropping packet.
my site is a huge site, thousands of ppl online
I think i am not been attacked, but kernel think so.
How to resovle this problem.
How can I stop netfilter from kernel
kernel:@2.6.22.1-32.fc6
2 xoen 2.8g, 2gb ram, 73gb scsi hd
I am in the process of fighting a Hosting company on a dedicated server. It was turned off without notice a couple of months ago. They said I had not paid last years bill for this server (10 months ago). When I sent them the paypal confirmation number from last year finally they agreeed but said I owed an inflated 2008-2009 bill. The first bill I got was when the server was suspended. The bill increased over 20%. In order to get my clients back online I paid the increased bill but sent the initial price guarantee and asked for a refund of the difference. What I got was a half apology and the double talk below. I switched hosting companies and asked for a pro-rated refund and even though the server is paid up until Sept 2009 they have suspended the server. I am going to leave the hosting companies name out.
"Dear Mark,
As explained by Tom, the amount you paid is the amount that was due.
Since you originally purchased your server, our costs have risen by approximately 46%. The increase in price for your server only represents approximately 16%. While in the past, we have been able to absorb price increases and not pass them along, unfortunately, on this occasion we had no choice but to pass along part of the increase - the increase applied is just over half the increase we have personally seen since the start of this year. We have been able to keep the increase low through additional cost savings and reducing our profit margins, but, there is a limit to that and we unfortunately hit with the latest increase we've been hit with.
The issue with your server earlier this month was due to human error. We do not have any due invoices from 2007 (any unpaid would have been passed to collections), and as we are human, have gotten into the habit of simply looking at the day and month. One of my billing staff members alerted me that your invoice was overdue, believing it was a 2008 invoice due 1st August 2008 and requested that I authorise a disconnection. I then looked at it and also missed the 2007 date. Tom unfortunately does not have full access to billing details and cannot correct (nor view) errors such as that.
In terms of the invoicing - the system expected a recurring payment, through the Paypal subscription, to occur automatically and this is why no invoice was generated. As your invoice last year was manually paid, there was no subscription to update and pay. As a result, I had to manually update your account to reflect the payment details and manually generate the invoice. The invoice in your account when you paid the invoice correctly reflected the $1274.20 value. One of the emails quoted above, which should have been received after the emailed invoice, stated "generated the correct invoice for the 2008 to 2009 billing period.". I am sorry if that wasn't clear enough.
I have a dedicated server with a provider. They have a notice period of 30 days, to cancel the server. The billing date of the server is 13th of every month.
I sent them the cancellation form on 30th of last month, asking them to terminate the server by 1st of next month (thereby 30 days notice). But they say that they will bill me on this 13th for another full month, and they'll cancel the server only on 13th of next month! WTF? So, the notice period becomes 43 days!
I have never experienced something like this with other providers I'm using but just wanted to know..
i have problem with cockies
i use vbulletin forum on vps
in my vbulletin forum ,the forum request password every time
from members
ie: we cant Retention cockies
even in admin control panel
i wrote the password for 10 times in 15 min interval
which is bad thing
i m using wampserver5, i want to use this as my database handling tools.
> if you can help me on how to get this connected to adobecs3 to setup login session, card validation site and so on
I am using apache 2.4, mod_auth_form and mod_session with cookie based sessions. I would like my sessions to expire after 15 minutes of inactivity - so I set
SessionMaxAge 900
However, I also need my sessions to expire when the user closes the browser. Unfortunately, the cookie header sent looks like
Set-Cookie: session=Private-user=someUser&Private-pw=thePassword&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly
I have temporarily turned off SessionCryptoPassphrase for debugging.
The problem is the "Max-Age=900". This makes the cookie persistent in the browser, so that even if the browser is closed, the session will still be valid if a new browser session is started within 15 minutes.
Can I avoid the "Max-Age=900"?
Or should I use mod_headers to rewrite the set-cookie header?
Currently I am using Linux + cPAnel and using the port 25 for email sevrer. Currently we facing 1 problem is, some user's ISP is not support port. May I know how can I add additional port into server and allow users to send mail by different port?
View 1 Replies View RelatedWell I've tried Staminus and Awknet and they both just seem to rate-limit if I get like 300MBIT SYN, is there any provider that won't just rate-limit but will actually filter the attack for around $200/mo?
View 7 Replies View RelatedI have been faced with a packet flooding issue.
Quick scenario, I run a few public game servers, and we have had a member go insane.
This member has been using a piece of software, to do a simple DDoS attack, and when they perform this attack, it laggs everybody out, and takes down the individual game server.
While this is occurring, I have been watching with a network analyzer program, and noticed the packets go sky high (from 4.4k to 150k+).
So, I am in need of a quick, piece of software that can block flood attacks, or whatever is going on.
My website has been under a constant Syn Flood DoS attack for the past few days. However, the attack originates from a single IP address that changes every few hours (Possibly a syn flood script with IP spoofing capabilities).
The Syn Flood attack isn't creating any spike whatsoever in my usage graphs, however, its still rather annoying. What firewall should I use to combat the DoS attack?
Someone seems to be flooding our HTTP server somehow. We use the latest version of Apache on Windows.
Is there any Windows modules that can filter the total amount of IP connections, or something built into Windows that could filter this?
I made a thread about this in programming as I was trying to figure it out but I ended up tweaking dos deflate a lil and got it working. Tried and tested as well during low bandwidth syn flood. Keep in mind if you are having massive syn attacks then most of it will have to be filtered on the network level. I have filtering from staminus on my server, this is just for the low bandwidth stuff that gets through.
Syn-deflate is just a name I came up with as it is based on dos-deflate, only a few changed features. I dont know how medialayer would feel about me modifying their script this way I know they got lisence and copywrite on it. Guess I will talk to them about that before any official release.
especially about the csf version.
So I always have used some dos deflate features to monitor dos in my servers, just the netstat command. This one:
Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Today, got a syn flood coming through, low bandwidth, etc. Each ip connecting under the tracking limit for csf. So I tweaked the netstat command a lil bit and I was able to see what ips were sending syn and how many times.
Like this:
Code:
netstat -ntu | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
So I figured it would be very handy to ban ips sending over so many SYN_RECV connections at once. So I took dos deflate and tweaked it a lil. Made this to work with csf. Only problem on csf is there is no unban command, only whitelist so I just had it do csf -d again on the unban command, This would give an error and would not unban the ip but you really dont need to unban it so soon.
With apf it works perfectly on unbanning. Works just like dos deflate but bans syn flooders not connection flooders. You could even use this along with dos deflate. I am using it along side of csf and the connection tracking feature no problem.
I plan on releasing some what of an official version too along with some other tools to monitor and stop dos. So whoever is interested or can offer some advice let me know.
For those who wanna give it a try:
For the CSF version:
To install:
Code:
wget[url]
To uninstall
Code:
wget [url]
For the Apf and Generic Iptables version:
To install
Code:
wget [url]
To uninstall
Code:
wget [url]
uninstall.synd ; ./uninstall.synd
I didnt get to try the apf version out much but have used the csf version all day with no issues
Note to makers of dos-deflate: Im not too keen on all this licensing stuff or what I am supposed to do when I modify someone else script so let me know what I need to do to keep from making anyone mad.
I have sent a DMCA notice to softlayer because I saw warez forum thats abusing USA laws and they are giving away lots of hacked rapidshare accounts to its users. So I have made my complaint but I didnt said what infringed my copyrights. And softlayer can see the warez site and decide them selves.
So this what I got in reply after 2 weeks-
Quote:
Please review our DMCA procedures which follow the OCILLA. Also note, the sworn statements and all other information listed on our DMCA page are not only required but mandatory for any DMCA report. This will allow you to specifically identify the intellectual property that you own and is being infringed upon, which is required by law.
There are many verified third party DMCA/COPYRIGHT agencies who act on behalf of the intellectual property holders who can verify and submit these claims on behalf of the intellectual property owners. This will insure that legally, the intellectual property owner and the ISP is protected in the event of an account termination.
Softlayer DMCA information [url]
[url]
[url]
And they didnt took any actions against that site and what I see is that warez site is operating till now on softlayer servers. Looks like softlayer didnt warned the site admins too. 1 month passed after my complaint and its still operating.
I design Web sites for clients, and also am a hosting reseller. The problem I'm having is selling all these hosting packages, but I don't know when their hosting package expires, except for periodically logging in and checking the setup date. I am currently using hostgator with the whm (WebHost Manager). Is there a way to set it up for 1 year and have it e-mail me when an account is about to expire, or is there some really cool database program elsewhere that I can use to help facillitate all these Web hosting packages?
View 5 Replies View Relatedwe have one box in hivelocity.net that has been down so many times this month that we were forced to remove links to siteuptime where we were once so proud of having a 99.7% uptime for 3 years in theplanet.
syslog shows that just before crashing, these entries were made:
kernel: kernel BUG at mm/rmap.c:479
kernel: invalid operand:0000 [#1]
dmesg also shows this:
...
Brought up 2 CPUs
zapping low mappings.
checking if image is initramfs... it is
Freeing initrd memory: 482k freed
NET: Registered protocol family 16
PCI: PCI BIOS revision 2.10 entry at 0xf9f20, last bus=1
PCI: Using configuration type 1
mtrr: v2.0 (20020519)
mtrr: your CPUs had inconsistent fixed MTRR settings
mtrr: probably your BIOS does not setup all CPUs.
mtrr: corrected configuration.
...
i've googled these messages and they point to ram problems.
hivelocity.net claims to have done diagnostics on the box and that there were no problems reported.
they said this is a result of a sys configuration problem made by us.
any ideas?
running centos/virtuozzo 2.6.18-028stab062.3
when i configure vmware it asks at one point for kernel header files. where would i find them to match the current kernel?
i asked at parallels forums but help there is very scarce. i checked openVZ repositories and they dont yet have headers for this version.
what are my options? i have one last windows machine left and want to run it in VMware.
Last year I ordered a new server with Centos 4.3 and it had the kernel kernel 2.6.9-34.0.2ELsmp installed. It runned fine and I didn't update any packages since then.
Today I started getting a problem where both mysqld and kswapd0 uses very high amounts of CPU, spiking up to 100% and my memory usage is at 99% all the time. The problem seems exactly the same as the one mentioned in this thread.
In that thread the exact same kernel is said to be insecure and to cause this problem. I also came across a centOS bug that reports this problem with high cpu, mem usage and mysql & kswapd0 consuming all resources.
In the linked thread the person solved the problem by upgrading to kernel 2.6.9-42 using rpms but others recommended a newer kernel or a custom compiled kernel for CentOS.
Apparently when they used yum it said 34.0.2 was the latest kernel.
What should I do to upgrade the kernel, which version should i upgrade to, and where do I get it from? I won't be able to compile a custom kernel and I've only installed basic rpm packages before.
One of the sites I help run has 1.5 million pages of parts that can be ordered and information about those parts. We started seeing a ton of hits at around 20-30 pages per second over the past couple days.
There is no information about them on the internet and they are also masking as GoogleBot.
Be on the lookout as I am pretty sure they are trying to steal content and post it up for search results. They are using Amazon EC2 servers to do it also.
This is how they are identifying themselves:
Mozilla/5.0 (compatible; Adtuitionbot/1.0; +http://www.google.com/bot.html)"
Offending IPs: 174.129.155.59, 72.44.52.93
In a 24 hour period, we blocked 408,821 requests from them.
How much Notice do I need to give nocster/burst before cancelling?
Not ready to cancell just yet but probably will be at the end of next month. (Moving to co-lo and as i'm in the UK burstnet's datacenter would be a bit far to travel so Won't be using them for Co-lo)
Couldn't find mention of the minimum notice period on their site.
I really do not want to mention the name of the hosting. I have been with them since the beginning of 2007.
My VPS was shut down about 15 hours ago because there might be a problem with the recurring payment. Actually I was informed that the payment has been processed and approved successfully last week. And there is no any email telling me that there is problem with the recurring payment.
I have been asking their support to re-start my VPS first but they said this is the sales issue. It has to be handled by the sales. Just waiting....... waiting..... Very disappoint!
Will you shut down the VPS of your customers without any prior notice?
I just got a notice from Leslie at Colo4Dallas that they are raising their rates by 20% effective June, 2007. Did anyone else get this notice yet today? And in order to get the lower price (20% increase), I will have to sign a 12 month contract. So for example, my 1/2 rack will go from $399 to $478, or if I choose to stay month to month, the new rate will be $600.
View 14 Replies View RelatedI just realised that there is too many failure notice mail goes out from my server. All of those ones are spam.
1-) How can i understand how they are being sent? I mean from which domain or smtp etc.
2-) Is there a way to filter especially failure notice mails sent out from server?
to day i have check may server! and a notice!
10 20:56:02 h96256475587 named[4421]: zone 0.0.127.in-addr.arpa/IN: loading master file named.local: file not found
Nov 10 20:56:02 h96256475587 named[4421]: zone nbe-broadcast.com/IN: loaded serial 2007111001
Nov 10 20:56:02 h96256475587 named[4421]: zone localhost/IN: loading master file localhost.zone: file not found
Nov 10 20:56:02 h96256475587 named[4421]: zone h96256475587.serverkompetenz.net/IN: loaded serial 2007092700
Nov 10 20:56:02 h96256475587 named[4421]: running
Nov 10 20:56:02 h96256475587 named[4421]: zone h96256475587.serverkompetenz.net/IN: sending notifies (serial 2007092700)
Nov 10 20:56:02 h96256475587 named[4421]: zone nbe-broadcast.com/IN: sending notifies (serial 2007111001)
Nov 10 20:58:31 h96256475587 ntpd[4244]: synchronized to LOCAL(0), stratum 10
Nov 10 20:58:31 h96256475587 ntpd[4244]: kernel time sync enabled 0001
and question! my server is hacked!
Recently the Apache recompailed with eAccelerator after that the below error log has created and also the Apache got crash when reach high traffic.
[notice] child pid 13013 exit signal Segmentation fault (11)
[notice] child pid 13054 exit signal Segmentation fault (11)
Due to this problem I ran the /scripts/upcp --force and again recompailed the Apache with eAccelerator.
later the signal Segmentation fault error not created but instead of above error the following error has been creating. And also again recompailed the without eAccelerator still the below error creating.
[notice] child pid 763 exit signal Bus error (7)
Server Details.
Apache 2.2.9
PHP 5.2.5
MySQL 5.0.5 (Runing Seprate box)
eAccelerator 0.9.5
Not sure if this is even feasible but is there any server side software that will monitor the bandwidth usage on the server/nic and notify/email the admin when certain mbps levels have been reached in a certain time line. Just seeing if there is anything that I can use to not go over my 95th percentile but still keep good flow on the server.
View 0 Replies View RelatedWe cannot figure out why our dedicated server will not boot to the correct kernel. I've removed all other options from grub.conf but it's still booting to the default CentOS setup.
grub.conf:
Code:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You do not have a /boot partition. This means that
# all kernel and initrd paths are relative to /, eg.
# root (hd0,0)
# kernel /boot/vmlinuz-version ro root=/dev/mapper/ddf1_4c53492020202020808627c300000000378494a900000a28p1
# initrd /boot/initrd-version.img
#boot=/dev/mapper/ddf1_4c53492020202020808627c300000000378494a900000a28
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-028stab062.3)
root (hd0,0)
kernel /boot/vmlinux-2.6.18-028stab062.3 ro root=LABEL=/
initrd /boot/initrd-2.6.18-028stab062.3.img
Code:
uname -r
2.6.18-128.el5
I got this weird issue with a server, I have even contacted some server management companies as I ran out of ideas and ran out of things to try and fix it.
Lemme explain.
The server is a core2quad q6600, with 8gb ram. 2 velociraptor 300gb on raid1.
When I set the server up I had to wait on cpanel so I first went in and compiled a grsec kernel, 2.6.24.3 to be exact. Then I installed cpanel and everything else, have done the same exact procedures with countless other servers before, nothing special.
Have had this server around 10 months. It will only run right in the 2.6.24.3-grsec kernel. When you boot another kernel it will first boot very very slow, then when the server comes up everything is very very slow. Then the load will go up to like 100 with nothing special going on in the server. It;s like its loaded down like that just with basic startup functions. You will see things like service_start processes long after startup. Cpanel takes forever to start up if it does. The server is extremely slow and unusable, you are lucky if you can edit grub.conf real quick and set the default kernel back.
It does this on every kernel...Besides the 2.6.24.3-grsec which in that case it boots right up fine and dandy. It acts like a regular server then, performs good.
So any other kernel besides the 2.6.24.3-grsec simply wont work on it. There are no logs in messages, nothing like that. I looked into things that may have been built only for the 2.6.24.3-grsec kernel but couldn't really find anything that should have made such an impact.