Prevent Linux Users from Brute Forcing and Sending Massive Amounts of Email Spam Out

eofsay Member
edited March 2017 in Help

Hello LowEndTalk users,

This is my second thread.
If you have a VPS and some users on that VPS use it for VPN connections, how do you prevent the users from doing naughty things like brute forcing other servers and sending massive amounts of email spam out?

I tried some prevention, like blocking OUTPUT and INPUT on ports 22 and 25:

/sbin/iptables -A OUTPUT -p tcp --dport 22 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 25 -j DROP

Is it enough for this case?

This is my VPS log: http://pastebin.com/UwQQGHnp

And this is my "netstat -ntulp": http://pastebin.com/CEMEfr11

Thank you.

Comments

  • jar Patron Provider, Top Host, Veteran
  • Clouvider Member, Patron Provider

    I suppose the best way to get rid of the problem is to terminate the culprit - you don't want to have anything in common with such people.

  • @jarland said:
    https://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html

    You can set iptables rules by user. Little known fact, few people ever mention it.

    Thank you for your response. In this case, is it enough to block ports 22 and 25?
    My VPS was suspended because of sending massive amounts of email spam out.

  • @Clouvider said:
    I suppose the best way to get rid of the problem is to terminate the culprit - you don't want to have anything in common with such people.

    That's a good idea. How do I find the naughty user?
    On my VPS I have more than 30 users that have an internet connection using OpenVPN.

  • jackb Member, Host Rep
    edited March 2017

    You should test if those rules work -- I suspect you may need to use the FORWARD chain rather than INPUT/OUTPUT.

    In order to detect who is doing it, use the LOG target before DROP.

    e.g.

    iptables -A FORWARD -p tcp --dport 22 -m limit --limit 10/minute --limit-burst 10 -j DROP # Don't log < 10/minute, but do drop it
    iptables -A FORWARD -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5 -j LOG --log-prefix "ssh-block "
    iptables -A FORWARD -p tcp --dport 22 -j DROP
    
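The following is an added example and not code from jackb's post or from the thread: a complete iptables-restore ruleset that puts jackb's FORWARD-chain advice, jarland's per-user owner match and bsdguy's "block everything, open what is needed" hint together for an OpenVPN gateway. It assumes (hypothetically) a tunnel interface tun0, a VPN subnet 10.8.0.0/24 and an uplink eth0; the chain names VPN_BLOCK and VPN_FLOOD and the log prefixes are the author's choice, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables-restore ruleset for an
# OpenVPN gateway. VPN clients may reach DNS, HTTP and HTTPS only; attempts to
# reach SSH or mail ports are logged with the client's tunnel address and then
# rejected; a client opening too many new connections per minute is logged and
# dropped. Assumptions (hypothetical, adjust to your box): tunnel interface
# tun0, VPN subnet 10.8.0.0/24, uplink eth0, a kernel with the conntrack,
# multiport, limit, hashlimit and owner matches (stock distro kernels have them).
# Traffic from VPN clients crosses the FORWARD chain, not INPUT/OUTPUT, so a
# rule in OUTPUT only ever affects processes running on the VPS itself.

VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print the ruleset in iptables-restore format.
vpn_forward_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:VPN_BLOCK - [0:0]
:VPN_FLOOD - [0:0]
# FORWARD policy is DROP: open what the VPN is for instead of blocking one
# more port after each suspension. The limit on LOG keeps a scanner from
# filling /var/log with its own noise; the REJECT gives the client a RST so
# its tool fails fast instead of retrying.
-A VPN_BLOCK -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "vpn-egress-block "
-A VPN_BLOCK -p tcp -j REJECT --reject-with tcp-reset
-A VPN_FLOOD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "vpn-egress-flood "
-A VPN_FLOOD -j DROP
# Replies to connections the clients opened.
-A FORWARD -i $WAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH and mail submission ports: log the tunnel source address, then reject.
-A FORWARD -i $VPN_IF -s $VPN_NET -p tcp -m multiport --dports 22,25,465,587 -j VPN_BLOCK
# Per-client cap on new TCP connections, so a scanner or WordPress
# brute-forcer that stays on 80/443 still shows up in the log.
-A FORWARD -i $VPN_IF -s $VPN_NET -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name vpnconn --hashlimit-mode srcip --hashlimit-above 60/min --hashlimit-burst 120 -j VPN_FLOOD
# What a browsing VPN actually needs.
-A FORWARD -i $VPN_IF -s $VPN_NET -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A FORWARD -i $VPN_IF -s $VPN_NET -o $WAN_IF -p tcp -m multiport --dports 53,80,443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# For users with shell accounts on the box itself (jarland's link): the owner
# match only sees locally generated packets, i.e. the OUTPUT chain, so it does
# nothing for traffic forwarded from VPN clients. Prints one OUTPUT rule per
# user name given; append them to the *filter section above or feed them to
# iptables directly. Usage: local_user_egress_rules "alice bob"
local_user_egress_rules() {
    for u in $1; do
        echo "-A OUTPUT -m owner --uid-owner $u -p tcp -m multiport --dports 22,25,465,587 -j REJECT --reject-with tcp-reset"
    done
}

# Print the ruleset for review, or apply it as root: ./vpn-egress.sh --apply
# Applying replaces the whole filter and nat tables, so merge any INPUT rules
# you rely on into vpn_forward_rules first.
case "${1:-}" in
    --apply) vpn_forward_rules | iptables-restore ;;
    *)       vpn_forward_rules ;;
esac
```

Review the printed output before applying it; once applied, `iptables -L FORWARD -v -n` shows per-rule packet counters, and the LOG lines land in the kernel log (`dmesg` or `/var/log/kern.log`) with the tunnel address in `SRC=`, which is what you need to find the offending client.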
  • Did you find the source, or are you trying to use the firewall to stop the results of poor administration?

  • @jackb said:
    You should test if those rules work -- I suspect you may need to use the FORWARD chain rather than INPUT/OUTPUT.

    Thank you. I think blocking port 22 worked to prevent the user from brute forcing.
    Last month my VPS was suspended because of a brute force problem; I tried iptables -A OUTPUT -p tcp --dport 22 -j DROP, it worked, and my VPS has been active for a month.

    This month my VPS was suspended again because of SMTP spamming. I hope blocking port 25 works again.

  • Falzo Member
    edited March 2017

    @eofsay said:

    things will get worse if they 'accidentally' forget about shutting down their torrent client and your provider is going to suspend you because of the complaints coming in...

  • jarjar Patron Provider, Top Host, Veteran

    You really do need to be finding the problem and dealing with it though, not just patching the holes that the outgoing abuses are going through. Wrong path leads to more headaches later. Pay for server management if you need to in the short term.

  • @Falzo said:

    @eofsay said:

    things will get worse if they 'accidentally' forget about shutting down their torrent client and your provider is going to suspend you because of the complaints coming in...

    I don't have a torrent client on my VPS. You can see my netstat: http://pastebin.com/CEMEfr11

    The perl process on port 10000 is what I use for Webmin.

  • doughmanes Member
    edited March 2017

    30 users on a VPS used as a shared VPN? Don't say we didn't warn you about how bad an idea this is.

  • Falzo Member

    @eofsay said:

    @Falzo said:

    @eofsay said:

    things will get worse if they 'accidentally' forget about shutting down their torrent client and your provider is going to suspend you because of the complaints coming in...

    I don't have a torrent client on my VPS. You can see my netstat: http://pastebin.com/CEMEfr11

    The perl process on port 10000 is what I use for Webmin.
    that's not what I am talking about.

    if one of your users runs torrent on his computer while connected through your vpn, you most likely won't see much more than some higher udp ports connected in your netstat... oh, wait.

  • @Falzo said:
    if one of your users runs torrent on his computer while connected through your vpn, you most likely won't see much more than some higher udp ports connected in your netstat... oh, wait.

    Thank you for your response. I used badvpn-udpgw for something like this: http://stackoverflow.com/questions/39477265/tunnel-dynamic-udp-port-range

    I've read some tutorials; usually, if an SSH tunnel is used for online games, UDP must be set up on the VPS.

    I think the users can connect to torrents, but I don't allow it. I think blocking torrents can't really be done effectively with port blocks; I found this discussion: http://security.stackexchange.com/questions/33983/what-are-the-tcp-udp-ports-used-by-torrent-applications

    But then, nothing for torrent blocking.

  • Blocking outgoing port 22 is pretty obnoxious.

  • Falzo Member

    eofsay said: But then, nothing for torrent blocking.

    yes. so what are you gonna do if someone uses torrent anyway? seems like you can't even tell which one of your users sends brute force attacks or sends spam mails.

    you really should consider a VPN where you can log at least some headers and IPs... just saying that your provider won't be lucky if complaints and abuse notices keep on coming in ;-)
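An added example, not code from Falzo's or jackb's posts, for the "which one of your users" problem: once the FORWARD rules log blocked connections with the client's tunnel address, the OpenVPN status file maps that address back to a certificate common name and real address. It assumes (hypothetically) that the LOG rules use the prefixes "vpn-egress-block " and "vpn-egress-flood ", that the server writes the default version-1 status file (the `status` directive in server.conf), and that kernel messages land in a syslog file; every log line and status entry below is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: name the VPN user behind a blocked
# connection by joining iptables LOG lines with the OpenVPN status file.
# Assumptions (hypothetical): the FORWARD rules log with prefix
# "vpn-egress-block " or "vpn-egress-flood ", the server writes the default
# version-1 status file (openvpn --status /run/openvpn/status.log), and kernel
# messages are in a syslog file. All sample data below is constructed.

# Usage: vpn_abusers KERNEL_LOG OPENVPN_STATUS
# Prints one line per offending tunnel address: hits, common name, real
# address, tunnel address, destination ports hit; busiest client first.
vpn_abusers() {
    awk '
        # First file: the ROUTING TABLE section maps tunnel IP -> common name.
        FNR == NR {
            if ($0 == "ROUTING TABLE") { in_rt = 1; next }
            if ($0 == "GLOBAL STATS")  { in_rt = 0 }
            if (in_rt && split($0, f, ",") >= 3 && f[1] ~ /^[0-9.]+$/) {
                cn[f[1]] = f[2]; real[f[1]] = f[3]
            }
            next
        }
        # Second file: only the lines written by our LOG target.
        /vpn-egress-(block|flood) / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            if (!((src, dpt) in seen)) {
                seen[src, dpt] = 1
                ports[src] = (ports[src] == "" ? dpt : (ports[src] "," dpt))
            }
        }
        END {
            for (s in hits)
                printf "%d %s %s %s %s\n", hits[s], (s in cn) ? cn[s] : "unknown", (s in real) ? real[s] : "-", s, ports[s]
        }
    ' "$2" "$1" | sort -rn
}

# Constructed OpenVPN status file (version 1 layout): two connected clients.
sample_openvpn_status() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Mar  2 10:00:00 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,12345,67890,Thu Mar  2 09:00:00 2017
bob,198.51.100.7:40001,55555,66666,Thu Mar  2 09:30:00 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.10:51234,Thu Mar  2 09:59:00 2017
10.8.0.10,bob,198.51.100.7:40001,Thu Mar  2 09:58:00 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Constructed kernel log: bob hammering mail ports, alice one SSH attempt,
# a tunnel address no longer in the status file, and an unrelated sshd line.
sample_kernel_log() {
    cat <<'EOF'
Mar  2 09:58:01 vps kernel: [1234.5] vpn-egress-block IN=tun0 OUT=eth0 SRC=10.8.0.10 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=43210 DPT=25 SYN
Mar  2 09:58:02 vps kernel: [1234.6] vpn-egress-block IN=tun0 OUT=eth0 SRC=10.8.0.10 DST=192.0.2.6 LEN=60 PROTO=TCP SPT=43211 DPT=25 SYN
Mar  2 09:58:03 vps kernel: [1234.7] vpn-egress-block IN=tun0 OUT=eth0 SRC=10.8.0.10 DST=192.0.2.7 LEN=60 PROTO=TCP SPT=43212 DPT=587 SYN
Mar  2 09:58:04 vps kernel: [1234.8] vpn-egress-block IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=192.0.2.8 LEN=60 PROTO=TCP SPT=50000 DPT=22 SYN
Mar  2 09:58:05 vps kernel: [1234.9] vpn-egress-block IN=tun0 OUT=eth0 SRC=10.8.0.22 DST=192.0.2.9 LEN=60 PROTO=TCP SPT=50001 DPT=22 SYN
Mar  2 09:58:06 vps sshd[999]: Accepted publickey for root from 203.0.113.1 port 2222 ssh2
EOF
}

# Run the correlation over the sample data and print the report.
demo_abusers() {
    tmp=$(mktemp -d)
    sample_openvpn_status > "$tmp/status.log"
    sample_kernel_log > "$tmp/kern.log"
    vpn_abusers "$tmp/kern.log" "$tmp/status.log"
    rm -rf "$tmp"
}

demo_abusers
```

On a live box run it as `vpn_abusers /var/log/kern.log /run/openvpn/status.log`. The status file only lists clients connected right now and is rewritten every `status` interval, so for abuse reported days later the tunnel address comes up as "unknown"; keep the OpenVPN daemon log (`log-append` with `verb 3` or higher) so the "MULTI: Learn:" lines let you match a tunnel address to a common name by the syslog timestamp instead.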

  • @eofsay said:
    Hello LowEndTalk users,

    This is my second thread.
    If you have a VPS and some users on that VPS use it for VPN connections, how do you prevent the users from doing naughty things like brute forcing other servers and sending massive amounts of email spam out?

    I tried some prevention, like blocking OUTPUT and INPUT on ports 22 and 25:

    /sbin/iptables -A OUTPUT -p tcp --dport 22 -j DROP
    /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 25 -j DROP

    Is it enough for this case?

    This is my VPS log: http://pastebin.com/UwQQGHnp

    And this is my "netstat -ntulp": http://pastebin.com/CEMEfr11

    Thank you.

    Is this why DO kicked you out?

  • @willie said:
    Blocking outgoing port 22 is pretty obnoxious.

    Based on what I see incoming on port 22, more providers should be more obnoxious that way.

  • Hint 1: One doesn't block ever more ports; one blocks ALL of them and opens only those needed.
    Hint 2: Modern firewalls typically have rate limiting features which allow your users to, for instance, ping occasionally but not to mount an attack.
    Hint 3: Some problems are better taken care of on the application layer. There exist, for instance, http servers with rate limiting (and many other safety and control features).
    Hint 4: Based on your question you lack the qualification to run a box with dozens of users (as opposed to a couple of well-known friends). Keep away from things you do not understand well enough!

  • If this is just a web browsing vpn, just open port 80 and 443, as per @bsdguy's recommendation.

  • jar Patron Provider, Top Host, Veteran

    Keep in mind that won't stop abuse reports. Compromised WordPress sites often commit plenty of abuse over port 80, brute forcing other WP installs or performing xmlrpc attacks.

  • @bsdguy said:

    @teamacc said:
    If this is just a web browsing vpn, just open port 80 and 443, as per @bsdguy's recommendation.

    @jarland said:
    Keep in mind that won't stop abuse reports. Compromised WordPress sites often commit plenty of abuse over port 80, brute forcing other WP installs or performing xmlrpc attacks.

    Thank you. I think this way may fix my problem.

    @chinmoy said:
    Is this why DO kicked you out?

    I think not. I used the droplet for a web server, not a VPN server.
    After researching, I found some problems: my WordPress site on that droplet was hacked 2 times, by "K3L0T3X alias Mathis" and "BALA SNIPER". I don't know if this is why, but I think it is because of this problem.

  • @jarland said:
    Keep in mind that won't stop abuse reports. Compromised Wordpress often commit plenty of abuse over port 80, brute forcing other WP installs or performing xmlrpc attacks.

    It'll at least reduce the abuse compared to having all ports open.

  • angstrom Moderator

    @impossiblystupid said:

    @willie said:
    Blocking outgoing port 22 is pretty obnoxious.

    Based on what I see incoming on port 22, more providers should be more obnoxious that way.

    Well, under certain circumstances, if told in advance (before one signs up), okay (but then I wouldn't be interested in the first place).

    But I'd be very annoyed if outgoing port 22 were suddenly blocked for everyone because of some abuser(s) on the system.
