Prevent Linux Users from Brute Forcing and Sending Massive Amounts of Email Spam
Hello LowEndTalk users,
This is my second thread.
If you have a VPS with some users on it who use it for VPN connections, how do you prevent those users from doing naughty things like brute forcing other servers and sending massive amounts of email spam?
I tried some prevention, like blocking OUTPUT and INPUT on ports 22 and 25.
/sbin/iptables -A OUTPUT -p tcp --dport 22 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 25 -j DROP
Is that enough for this problem?
This is my vps log: http://pastebin.com/UwQQGHnp
And this is my "netstat -ntulp": http://pastebin.com/CEMEfr11
Thank you.
Comments
https://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
You can set iptables rules by user. Little known fact, few people ever mention it.
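The per-user rules the reply above points at, written out as an added example (this is not the poster's code or the linked article's). It uses the iptables "owner" match, which only applies to packets generated by local processes in the OUTPUT chain (shell or SSH-tunnel accounts on the box); traffic forwarded from OpenVPN clients never passes OUTPUT, so for those clients the FORWARD chain keyed on the tunnel IP is needed instead. The user name "alice" and group "tunnelusers" are made-up placeholders, and IPT defaults to "echo iptables" so the script only prints what it would load:

```shell
#!/bin/sh
# Added example, not code from the thread. Per-user outbound filtering with
# the iptables "owner" match. It only sees packets generated by local
# processes (OUTPUT chain), i.e. shell or SSH-tunnel users on the box; it
# cannot match traffic forwarded from OpenVPN clients (use FORWARD for that).
# IPT defaults to "echo iptables" so the script prints the rules it would
# load; run as root with IPT=iptables to load them for real.
IPT="${IPT:-echo iptables}"

# restrict_user_outbound USER PORT...
# For each TCP port: log a rate-limited sample of connection attempts (so the
# culprit shows up in the kernel log), then drop. USER may be a name or a uid.
restrict_user_outbound() {
    user="$1"; shift
    for port in "$@"; do
        $IPT -A OUTPUT -m owner --uid-owner "$user" -p tcp --dport "$port" --syn \
            -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-prefix "USER-OUT $user:$port " --log-level warning
        $IPT -A OUTPUT -m owner --uid-owner "$user" -p tcp --dport "$port" -j DROP
    done
}

# restrict_group_outbound GROUP PORT...
# Same idea for a whole group: put every tunnel account into one group and
# new accounts are covered without touching the firewall again.
restrict_group_outbound() {
    group="$1"; shift
    for port in "$@"; do
        $IPT -A OUTPUT -m owner --gid-owner "$group" -p tcp --dport "$port" -j DROP
    done
}

# Placeholder account and group (assumed names): block SSH and SMTP for
# one user, and SSH and SMTP for everyone in the group.
restrict_user_outbound alice 22 25
restrict_group_outbound tunnelusers 22 25
```

Root's own processes (cron, the mail system) are untouched by these rules, which is the advantage over the blanket OUTPUT drop: the box can still send its own mail while tunnel accounts cannot. The LOG prefix names the account, so one grep over the kernel log shows who is hitting the rule.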
I suppose the best way to get rid of the problem is to terminate the culprit - you don't want to have anything in common with such people.
Thank you for your response. In this case, is it enough to block ports 22 and 25?
My VPS was suspended for sending a massive amount of email spam.
That's a good idea. How do I find the naughty user?
On my VPS I have more than 30 users who connect to the internet using OpenVPN.
You should test if those rules work -- I suspect you may need to use the FORWARD chain rather than INPUT/OUTPUT.
In order to detect who is doing it, use the LOG target before DROP.
e.g.
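The "LOG before DROP in the FORWARD chain" approach from the reply above, carried through as an added example (not the poster's code): the rules, a summary of the resulting kernel log lines by tunnel IP, and a lookup from tunnel IP to OpenVPN account. It assumes OpenVPN's default subnet 10.8.0.0/24 and the version-1 status file layout (a "ROUTING TABLE" section with Virtual Address,Common Name,Real Address,Last Ref rows); the log lines and status file below are constructed sample data, and IPT defaults to "echo iptables" so the rules are printed rather than loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Log-then-drop for VPN clients in
# the FORWARD chain, plus the two lookups needed to turn a log line into a
# user name. Assumes OpenVPN's default tunnel subnet 10.8.0.0/24 and its
# version-1 status file format; adjust both for your setup.
IPT="${IPT:-echo iptables}"

# log_and_drop_forward SUBNET PORT...
# The LOG rule runs first and is rate-limited (a spam run must not fill the
# disk); the DROP rule then discards the packet. The prefix carries the port
# so a grep on "VPN-BLOCK-" finds everything this policy rejected.
log_and_drop_forward() {
    subnet="$1"; shift
    for port in "$@"; do
        $IPT -A FORWARD -s "$subnet" -p tcp --dport "$port" --syn \
            -m limit --limit 10/min --limit-burst 20 \
            -j LOG --log-prefix "VPN-BLOCK-$port " --log-level warning
        $IPT -A FORWARD -s "$subnet" -p tcp --dport "$port" -j DROP
    done
}

# summarise_blocks < kernel-log-text
# Prints "count tunnel-ip dport", busiest source first, from the SRC= and
# DPT= fields that the LOG target writes (feed it journalctl -k or kern.log).
summarise_blocks() {
    grep 'VPN-BLOCK-' | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") count[src " " dpt]++
    } END { for (k in count) print count[k], k }' | sort -rn
}

# user_for_tunnel_ip IP < openvpn-status.log
# Looks the tunnel IP up in the ROUTING TABLE section of the status file and
# prints the certificate common name, i.e. which account sat behind that IP.
user_for_tunnel_ip() {
    awk -F, -v ip="$1" '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $1 == ip { print $2 }'
}

# Constructed sample data (not real logs): three blocked attempts, two of them
# SMTP from the same client, and a matching status file with made-up accounts.
SAMPLE_LOG='Jun 18 08:12:15 vps kernel: VPN-BLOCK-25 IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=45210 DPT=25 SYN
Jun 18 08:12:16 vps kernel: VPN-BLOCK-25 IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.21 LEN=60 PROTO=TCP SPT=45211 DPT=25 SYN
Jun 18 08:12:40 vps kernel: VPN-BLOCK-22 IN=tun0 OUT=eth0 SRC=10.8.0.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN'
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:1194,10240,20480,Thu Jun 18 08:00:00 2015
bob,198.51.100.77:1194,5120,8192,Thu Jun 18 08:05:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:1194,Thu Jun 18 08:12:10 2015
10.8.0.10,bob,198.51.100.77:1194,Thu Jun 18 08:12:14 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Usage: load the rules, then attribute what they blocked.
log_and_drop_forward 10.8.0.0/24 22 25
printf '%s\n' "$SAMPLE_LOG" | summarise_blocks        # 2 10.8.0.6 25 (top line)
printf '%s\n' "$SAMPLE_STATUS" | user_for_tunnel_ip 10.8.0.6   # alice
```

The status file is the only link between a tunnel IP and an account, and it is rewritten as clients reconnect, so for later attribution keep the timestamps: the Last Ref column narrows which client held the address when the kernel log line was written.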
Did you find the source or are trying to use the firewall to stop the results from poor administration?
Thank you. I think blocking port 22 worked to prevent the users from brute forcing.
Last month my VPS was suspended because of a brute force problem. I tried
iptables -A OUTPUT -p tcp --dport 22 -j DROP
and it worked; my VPS was active for a month. This month my VPS was suspended again because of SMTP spamming. I hope blocking port 25 works again.
Things will get worse if they 'accidentally' forget about shutting down their torrent client and your provider is going to suspend you because of the complaints coming in...
You really do need to be finding the problem and dealing with it though, not just patching the holes that the outgoing abuses are going through. Wrong path leads to more headaches later. Pay for server management if you need to in the short term.
I don't have a torrent client on my VPS. You can see my netstat: http://pastebin.com/CEMEfr11
The perl on port 10000 is what I use for Webmin.
30 users on a VPS used as a shared VPN? Don't say we didn't warn you about how bad an idea this is.
That's not what I am talking about.
If one of your users runs torrent on his computer while connected through your VPN, you most likely won't see much more than some higher UDP ports connected in your netstat... oh, wait.
Thank you for your response. I used badvpn-udpgw for something like this: http://stackoverflow.com/questions/39477265/tunnel-dynamic-udp-port-range
I've read some tutorials; usually if an SSH tunnel is used for online games, UDP must be installed on the VPS.
I think the users can connect to torrent, but I don't allow it. I think blocking torrents can't really be done effectively with port blocks; I found this discussion: http://security.stackexchange.com/questions/33983/what-are-the-tcp-udp-ports-used-by-torrent-applications
But then there is nothing for torrent blocking.
Blocking outgoing port 22 is pretty obnoxious.
Yes. So what are you gonna do if someone uses torrent anyway? Seems like you can't even tell which one of your users sends brute force attacks or sends spam mails.
You really should consider a VPN where you can log at least some headers and IPs... just saying that your provider won't be lucky if complaints and abuse notices keep on coming in ;-)
Is this why DO kicked you out?
Based on what I see incoming on port 22, more providers should be more obnoxious that way.
Hint 1: One doesn't block ever more ports; one blocks ALL of them and opens only those needed.
Hint 2: Modern firewalls typically have rate limiting features which allow your users to, for instance, ping occasionally but not to mount an attack.
Hint 3: Some problems are better taken care of on the application layer. There exist, for instance, http servers with rate limiting (and many other safety and control features).
Hint 4: Based on your question you lack the qualification to run a box with dozens of users (as opposed to a couple of well known friends). Keep away from things you do not understand well enough!
If this is just a web browsing vpn, just open port 80 and 443, as per @bsdguy's recommendation.
Keep in mind that won't stop abuse reports. Compromised WordPress installs often commit plenty of abuse over port 80, brute forcing other WP installs or performing xmlrpc attacks.
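Hints 1 and 2 above (block everything, open only what is needed, rate limit the rest) and the "just open 80 and 443" suggestion combined into one forwarding policy, as an added example rather than any poster's configuration. It assumes OpenVPN on tun0 with subnet 10.8.0.0/24 and the uplink on eth0 (all overridable by environment variable), uses the iptables hashlimit match to cap new connections per client, and keeps the rate cap precisely because, as the reply above notes, open web ports still carry abuse. IPT defaults to "echo iptables" so the script prints the rules instead of loading them:

```shell
#!/bin/sh
# Added example, not code from the thread. A default-deny forwarding policy
# for a shared OpenVPN subnet: clients may only reach the listed TCP ports
# (80 and 443 by default) plus DNS, each client is capped on new connections
# per minute, and offenders are logged. Assumed interfaces and subnet are
# tun0 / eth0 / 10.8.0.0/24; override with the environment variables below.
IPT="${IPT:-echo iptables}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

# build_vpn_forward_policy [PORT...]
build_vpn_forward_policy() {
    [ $# -gt 0 ] || set -- 80 443
    # 1. Block everything forwarded by default; only explicit ACCEPTs pass.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # 2. Replies to connections the clients opened.
    $IPT -A FORWARD -i "$WAN_IF" -o "$VPN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Rate limit: a client opening more than 30 new connections/min
    #    (burst 60) is sent to the vpn_abuse chain, which logs a sample and
    #    drops. hashlimit keeps one bucket per source IP, so one abusive
    #    client does not throttle the others.
    $IPT -N vpn_abuse 2>/dev/null || true   # ignore "chain already exists"
    $IPT -F vpn_abuse
    $IPT -A vpn_abuse -m limit --limit 5/min -j LOG --log-prefix "VPN-RATE "
    $IPT -A vpn_abuse -j DROP
    $IPT -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name vpnclients --hashlimit-mode srcip \
        --hashlimit-above 30/min --hashlimit-burst 60 -j vpn_abuse
    # 4. Open only what browsing needs: DNS and the listed TCP ports.
    $IPT -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -p udp --dport 53 -j ACCEPT
    for port in "$@"; do
        $IPT -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" \
            -p tcp --dport "$port" -j ACCEPT
    done
    # 5. Everything else hits the DROP policy; keep a rate-limited sample so
    #    abuse reports can be matched to a tunnel IP.
    $IPT -A FORWARD -i "$VPN_IF" -m limit --limit 5/min -j LOG --log-prefix "VPN-DENY "
    # 6. NAT for the allowed traffic.
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Default: web only. Pass extra ports to widen it, e.g. 993 for IMAPS.
build_vpn_forward_policy
```

Because the policy is DROP and the rules are appended in order, there is no way for port 22 or 25 to leak out of the tunnel without an explicit ACCEPT, and the hashlimit rule sits before the ACCEPTs so a client that turns port 80 or 443 into a brute-force or xmlrpc flood is cut off after its burst allowance rather than forwarded.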
Thank you. I think this way may fix my problem.
I think not. I used the droplet as a web server, not a VPN server.
After researching, I found a problem: my WordPress site on that droplet was hacked 2 times by "K3L0T3X alias Mathis" and "BALA SNIPER". I don't know if this is why, but I think it was because of this problem.
It'll at least reduce the abuse compared to having all ports open.
Well, under certain circumstances, if told in advance (before one signs up), okay (but then I wouldn't be interested in the first place).
But I'd be very annoyed if outgoing port 22 were suddenly blocked for everyone because of some abuser(s) on the system.