xperator's questions

Recently my servers started getting bombarded by anonymous scanners/brute forces.

This is how my nginx access.log looked like after the attacks :

xxx.xxx.xxx.xxx - - [07/Sep/2019:23:30:16 +0200] "GET /phpMyAdmin/index.php HTTP/1.1" 404 548 "-" "Mozilla/5.0..
xxx.xxx.xxx.xxx - - [07/Sep/2019:23:30:18 +0200] "GET /admin/index.php HTTP/1.1" 404 548 "-" "Mozilla/5.0..

Along with tons of other urls/admin pages/random names they tried to access. I did some research and fail2ban came up. So I installed it.

I left it on for some time but attacks were happening again. I realized the default [nginx-botsearch] does not catch all the attacks, not to mention it's log path was mis-configured.

I did some googling and settled on this custom filter:

# /etc/fail2ban/jail.local

[nginx-404-errors]
enabled = true
port     = http,https
logpath  = /var/log/nginx/*.log
maxretry = 2

# /etc/fail2ban/filter.d/nginx-404-errors.conf

[Definition]
failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
ignoreregex =

This worked very well, but the attacker/s decided to hit the http. But the thing is I have a http to https redirection rule on nginx.

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

So now I'm getting tons of 301 redirections logs in access.log. I thought maybe I should just add a 301 to the regex I used above. So now it's :

failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400|301) .*$

The attacks has stopped for now. But I'm worried the normal visitors might get into trouble when trying to reach the site on http and fail2ban might pick on them.

Is this the way I should mitigate this kind of brute force attacks? Or am I supposed to take a different route?

I'm running a simple vpn server with these softwares:

• OpenVPN
• Shadowsocks
• MTProto Proxy

My server config is:

• Ubuntu 18.04 x64
• 512Ram, 1vCPU
• UFW firewall
• Netdata monitoring
• Nginx

It's been only few days since I started running the server. Problem is Netdata keeps sending me these 3 type of errors every few hours.

• "server needs attention, ipv4.udperrors (udp), 1m ipv4 udp receive buffer errors = 12 errors"
• "server needs attention, net_drops.tun0 (tun0), outbound packets dropped = 34 packets"
• "server needs attention, net_packets.tun0 (tun0), outbound packets dropped ratio = 0.33%"

I thought it's not that of a big deal so I ignored them.

I'm not sure if this is a firewall issue, a system bottleneck, or one of the 3 mentioned vpn softwares are not performing well.

I looked into almost every log file in /var/log but I couldn't find any error or problem before server went unreachable. I'm not sure if the server froze, or crashed. cause there is no log after a certain point. not until we did force a reboot.

I have this website that was working fine until recently. Now users are reporting that it's not opening in their iphones and ipads.

Doesn't matter what browser you try on iOS, it just won't work. Also it doesn't open in Safari when browsed on a Mac machine. Other browsers work fine though (Mac OSX only, not iOS).

Here is the server configuration:

DigitalOcean + Ubuntu 18.04 + Nginx + PHP 7.3 (Laravel) + Let's Encrypt SSL + HTTP2 activated

Before I explain further, I wanna mention that using the same type of configuration as above, I have another server which is running fine and is accessible from all devices. They are almost identical (in terms of config and setup) apart from domain name and ip address obviously.

Another tiny extra info which I think is worth mentioning, is that my users are located in Iran.

Here is a list of things that I've checked:

• The domain is accessible using ping command from iOS and Mac.
• The IP address itself is also accessible, and it can be used to browse the site, it will just show a "invalid ssl certificate" warning.
• The DNS that were used for the domain are all ping-able from iOS and Mac.
• If a VPN connection is used, the site can be accessed. Which is really weird because everything is technically reachable, the domain, the ip and the dns.
• Aside from using a VPN, the site can also be accessible if SSL is completely turned off/disabled.
• Other public websites that are using Let's Encrypt SSL are all accessible. So it can't be a Let's Encrypt issue.

Here is what I've tried so far:

• Tons of googling. I've even came across with a user with same type of issue on here and here and here
• I've tried disabling HTTP2.
• I've double checked my firewall settings, and even tried disabling it.
• I've tried disabling GZIP.
• I did a ssl test on ssllabs.com and it shows no problem and it's identical to my working server.
• Tried using keepalive_disable "safari" in nginx config
• I've tried swapping ssl_protocols values, like only accepting TLSv1.3 or dropping TLSv1.0
• Tried using ssl_session_cache
• Tried changing ssl_ecdh_curve to auto and secp384r1
• Tried changing ssl_ciphers to HIGH:!aNULL:!MD5; and EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
• Tried changing ssl_session_tickets to on and off
• Tried using Strict-Transport-Security
• Tried commenting /etc/letsencrypt/options-ssl-nginx.conf which is used by certbot
• Tried different HTTP to HTTPS redirect settings
• I made sure to use private tab when testing to make sure i'm not looking at a sort of faulty cached attempt to reach the site.
• I did service nginx reload & restart everytime I made a change to config files.
• I did lots of sudo reboots to make sure it's not a simple reboot issue.

As a final resort, I even went through the trouble of reinstalling the OS from scratch and setting up the server again. Still Doesn't work. And no I didn't copy my config files, I did every command manually and modified config files carefully to make sure I don't bring any problems from previous setup. This also means I did a fresh SSL request from Let's Encrypt (using cerbot). Although I don't know if they generate a new one or the send you the one from last time.

EDIT 1: I want to throw a random thought in here. I really don't know about advanced networking but maybe something from Iran censorship firewalls is meddling with the SSL connection and that causes Apple devices to fail establishing the connection. I heard Apple is strict in it's own way and requires a specific SSL connection unlike chrome and firefox. those 2 might ignore a slight error but Apple devices don't.

EDIT 2: I checked the Safari while Wireshark is tapping. It seems only few packets gets exchanged only no matter what I do. Also it seems Safari is using TLSv1.0 even though I've disabled it in nginx config. I really don't know how completely turn it off so Safari won't even try to use it to communicate with the server.

EDIT 3: I tried using a different SSL (using comodo's 3 month free ssl trial program) and the issue is still there... I read some people saying they resolved some similar issues after changing their SSL. I don't know why it's not working for me.

EDIT 4: I decided to change DNS servers of the domain to see if it's a DNS issue. I don't know why and how but after I changed them, Safari could load the site briefly. But after sometime it stopped working again.

EDIT 5: No luck with disabling external script codes in my site, like google analytics ( because their service is kinda blocked for Iranians ). Again, I read people reports implying that some fixed their issue by disabling external scripts.

EDIT 6: I'm starting to believe this is not a networking or server config issue on my part. It really looks like a 3rd party interfering with the request. I don't know about Apple and how it handles networking, but I think Apple connection/packeting negotiations is causing some sort of red flag so to speak and that makes Iranian censorship/firewall to drop the client connection.

EDIT 7: I even changed the server's datacenter, with a fresh new ip address. the issue still exists :(

EDIT 8: This is the /var/log/nginx/error.log output when it's set to debug. It shows these lines when I initiate a request from a Safari client.

I did try to disable php fpm to make sure it's not a php bottleneck issue. Also I tried to tweak some random parameters, like bumping net.core.somaxconn to 1024 or increasing backlog in php fpm config files. Also when I watch the system using htop everythink looks normal, no cpu usage spikes and no specific process jumping to top of the list.

EDIT 9: I swapped Nginx to Apache2 to check if it's a webserver issue. Well, it wasn't.

I've compiled nginx v1.9.6 from source on a debian(jessie v8.2) system. But it's not working as expected. Didn't have any problem with the 1.9.3 version.

when I try to run service nginx start i get this message:

Failed to start nginx.service: Unit nginx.service failed to load: No such file or directory.

I used these arguments for configuration:

configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=myuser --group=myuser --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_ssl_module --with-http_v2_module --with-file-aio --with-ipv6 --without-http_memcached_module

I currently have 2 vps running on the same provider and they serve web files.

server1.example.com

server2.example.com

I used glusterFS to create a file Replication system between 2 nodes. ( server1 is master and server2 is slave )

I am planning to add more servers. But I want them to be on different providers, So I can have better and more file availability.

How should I set them up? Are they supposed to be added as slave? Or maybe like this ?

server1.example.com (Master)

server2.example.com (Slave)

server3.example.com (Master to server4, and Slave to server1)

server4.example.com (Slave)

I am running Gluster-FS with a High-Availability Storage setup.

Both client and server nodes have NginX running to serve same files.

main.mysite.com
mirror1.mysite.com
..etc..

The problem is that the mirror nodes can't serve files because the owner and group is different.

The owner/group on main server is : web1:client0

and in order to make mirror nodes be able to serve files, their owner/group should be :

www-data:www-data

But because they're being copied from the main server, the owner/group attribute is same as web1:client0

What's the solution ?

I want to load balance + failover backup multiple vps webservers hosted on different providers.

I heard that for HAProxy you need multiple server under the same subnet, plus a shared (virtual) ip address between load balancers.

But it's not possible in my case cause every VPS is on different node/network.

1. Is there a way to use HAProxy in this kind of setup ? ( Please explain how briefly, I don't want to hear your "YES" answer )
2. What about NginX? Is it possible to achieve same result with Nginx ? (when servers are located on different nets)

I know about Round Rubin DNS, but it doesn't provide a real failover solution, neither a load balance between servers.

I am trying to write a front-end for sending faxes in PHP. I want to know how can I get the status of a fax job.

When the user sent a fax, how can I report the status of the job to the user ? In case when the destination line was busy, unreachable, etc.

Is there any log file or a command that contains the status of a specific fax job which is transfer-able to the front-end ? So I can report back the success/failed message to user.

I know about faxstat -d, but it's a report for all jobs and i can't fetch that on php side.

As you can see the format of output is not something that can be parsed easily.

Just for reference, here is the list of all status codes.

I had a look at Hylafax's documentation but couldn't find anything on how to trace a job status.

A client asked for a web to fax application written in php. But I have no idea how to do this.

I believe php or any other web application can't communicate with the modem directly. So there should be some sort of service or daemon handling the job and be the line between web interface and modem.

Tried googling things a bit and some words like HylaFAX and AvantFax came out. Still can't figure out.

I prefer writing the web interface myself to have custom language support and better user experience.

So in the end what I am asking is how to achieve a web to fax application from scratch. From setting up server and making the web application. Even some directions would help.

I want to know is there a way to make a snapshot-like backup of a linux system into a single file and restore it in another system ?

You know in windows there are programs which makes a copy of a drive (like C:\ ) into a single image file. So you can restore this file later incase you are infected or something happens.

Every time I want to migrate my vps into another host, I have to setup the new server from scratch and move the files manually. Can I just make a snapshot backup of the whole system and restore it somewhere else (or on the same server) ?

I am not familiar with linux and I have no idea if this is technically possible or not ? Does the paritions, configs, system files,etc... are individual for each system ?

I heard about rsync, but that's not what I am looking for.

Installed on Debian 6 - 64bit. Webserver : Nginx

Here is what I did so far:

1. apt-get install cacti and apt-get install snmpd
2. chmod 644 /etc/cacti/debian.php
3. Set date.timezone in php.ini
4. Added extension=gd.so in php.ini
5. Tried running php poller.php

I just want to prevent nmap and packets that are considered harmful to my VPS (Setup : Debian - Nginx webserver). After applying these rules and disconnecting from ssh I couldn't reconnect anymore.

So I contacted the provider and asked them to flush the rules from backend. Can someone tell me which rules are wrong, or bad configured ? Is there any unnecessary rules in there which is not needed ?

I gathered these form a question named "Iptabled tips and tricks" and I thought it would neglect any kind of packet attack.

iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 7/s -m recent --name blacklist --set -j DROP
iptables -A INPUT -m recent --rcheck --nam blacklist -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
iptables -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --set
iptables -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10

I have a VPS running Ngix and currently hosting a few websites. As you know VPS have low resource and the security measures should be done by client.

I just noticed many stress tools are out there which can cause a webserver crash or the server eats full resources which can end up hanging. I have got LoadUI in my windows pc. There are even online similar services too, like LoadImpact.com

It doesn't even need to run 10 or thousands tools at the same time, Even just a kid can enter the domain name in these tools and run the test with tons of concurrent connections and make full use of server bandwidth, hardware resources,etc..

I want to know How should I prevent these flooding attacks ? Is it something should be handled by Iptables ? Or Nginx ?

I learned how to compile nginx with mp4 module. I also added proper directive in my website conf.

I am trying to play a mp4 using JW player and flow player. But the video doesn't buffer and play like youtube and similar sites. It takes a long time to start play. It seems it downloads the whole video and then plays it. I have tried changing the buffer limits but no luck.

I downloaded a youtube video and tried comparing it with my own video. The video from youtube starts playing immediate but my converted video doesn't. Maybe nginx only plays mp4 files in a specific codec and format ?

Note that I am not making a tube site or anything similar. So please don't suggest to migrate from nginx.

I have 2 website running on VPS. Their purpose is sharing music files and publishing news. Both of them use wordpress.

What I am trying is that I want to prevent little hackers from flooding the webserver and putting stress on the server to make it crash.

The problem is that after using limit_req_zone and limit_req my website became very slow. Browsing Wordpress control panel takes a long long time. I tried changing values but it didn't improve much. I guess the problem is Wordpress because it's the only script I am using on both front and back end.

Here is the last setting which seems to be more responsive than others :

limit_req_zone $binary_remote_addr zone=flood:5m rate=10r/m;

location ~ \.php$ {
limit_req   zone=flood burst=100 nodelay;
}

What are the optimal values that should be used in my case (wp) ? I want the website have it's normal behavior, On the other hand stopping lifeless people from flooding.

Another question, Is it safe and enough to use limit_req only on php files ?

Is there a way to enable this module on nginx ? http://wiki.nginx.org/HttpMp4Module

I have already many domains running on nginx and I can't just remove it and rebuilt everything .

I tried downloading latest nginx, and do ./configure --with-http_mp4_module and makethen make install but it didn't worked. Also I am afraid that this recompile process will delete all my conf and domain settings.