My new Linode is regularly being attacked
#152 Henry, Wednesday, 20 June 2012 11:53 PM (Category: Network)
(Tags: linode attack wordpress)

Ever since I set it up, I noticed that I am being attacked about twice a day by people attempting to get in via one method or another.

Ssh attacks have been blocked by using authorised keys only.

I stop POP and IMAP attacks, after the event, by my daily check of the system logs, and adding the IP addresses to the firewall.

Tonight I noticed a new attack. I happened to log in just as an attack was taking place. Logging in took a long time, and that's a bad sign. As soon as I could get a command line, I ran top. All that showed was that the maximum number of httpd processes were running, and CPU was being chewed up. So someone was doing something with Apache. I stopped top, that took a couple of minutes, changed directory to my Apache logs, and that took a couple more minutes. I tailed the access logs and saw two differerent attacks doing different things.

Number one guy was doing this repeatedly: - - [20/Jun/2012:22:37:05 -0400] "-" 408 - "-" "-"

Number two guy was doing this repeatedly: - - [20/Jun/2012:22:26:40 -0400] "POST /wp-login.php
HTTP/1.1" 500 251 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101

He's repeatedly trying to login to my blog. It's a Wordpress blog, so it's pretty common, and everyone knows it, and they know its vulnerabilities, and they probably have standard attack techniques.

I added both their IP addresses to my firewall blacklist, and that took about 5 minutes to achieve, then applied the new rules. Number one guy immediately disappeared. But number two guy kept hammering at me. Strange. He must have opened a socket connection once and be repeatedly hammering me on that same connection. And then I remembered adding a new option to my firewall to keep existing connections open. No wonder. Things were still very slow, so I restarted Apache which broke the connection, and then he was locked out. The system rapidly got under control and became responsive again.

I removed that rule about open connections in my firewall. When I lock someone out, I want that applied immediately.

I checked my system logs for any other activity and found this notice about number two attacker tonight:

kernel: TCP: Possible SYN flooding on port 80. Sending cookies.

Interesting. I'll have to be on guard for that in future. It was pure luck I logged on at the right time. It was time for my regular check of the logs. If I hadn't logged in then, Linode would have eventually sent me an email alerting me to high CPU activity, and then I would have logged in and fixed it. I have adjusted the thresholds of the CPU alerts so I will get earlier alerts.

Linode also recommend using fail2ban, which monitors your log files, recognises attacks of various sorts, and adds the offending IP addresses to the firewall. This is what I do manually, but fail2ban does it all day long, and blocks them very rapidly. They even have a Slackware package of fail2ban. I will get this installed as a priority.

I went through every login system on my system, made sure I had no default administrator logins around, strengthened passwords everywhere, checked everything else I could think of, and just fussed about the system. I will have to be more vigilant.