I have an older Typo3 (v4.5.x) site and since a while my server is under attack by a script kiddie. He sends quite some PHP requests of URLs which do not exists on my server. I got so many PHP 500 errors back and after a while the number of parallel php processes are exceeding the limit and my site is down and unreachable for a while.

Any idea what I can do? How can I avoid that such non-existent URLs get not processed?

If I looking at these requests and google around there are all about some vulnerabilites of wordpress or joomla. Does anybody know if there exists some lists of such kind of requests which can be added to a filter/blocking lists on apache level? i.e.

• templates/atomic/system.php
• wp-content/languages/system.php
• wp-admin/images/system.php
• plugins/captcha/jproicaptcha.php
• modules/cgi.php
• modules/mod_articless/func.php
• tmp/install.css.php
• ...

Dear all I am using Fail2Ban v0.8.13 on CentOS 6 system in order to protect my Postfix servers. Basically it works so after 5 wrong login attempts on SMTP I get banned.

Fail2Ban Jail conf

 [sasl-iptables]
 enabled  = true
 filter   = sasl
 backend  = polling
 action   = iptables[name=sasl, port=smtp, protocol=tcp]
       sendmail-whois[name=sasl, [email protected],  [email protected]]
logpath  = /var/log/maillog
maxretry = 5

My sasl settings in main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

My smtp.conf (Postfix)

pwcheck_method: saslauthd
mech_list: login CRAM-MD5 DIGEST-MD5

My EHLO Status (Postfix)

EHLO mail.xxx.ch
250-mail.xxx.ch
250-PIPELINING
250-SIZE 50480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The issue I have is that when I send with MS Outlook 2016 five times successfully a mail the 6th mail get blocked.

I assume it is an issue because Outlook tries mutliple auth methods and some of them fail before login successully in to SMTP Postfix server

Has somebody an idea how I can solve this problem, e.g. so the counter of Fail2Ban get resetted after successful login? Or how can I optimize postfix sasl settings so outlook has not to try mutliple auth methods until one works? So according the log file it fails on MD5 Digest Method and then switches over to Login method.

extract from maillog (postfix)

Mar  8 23:38:44 postfix/smtpd[9295]: setting up TLS connection from   84-74-210-140.dclient.hispeed.ch[84.74.210.140]
Mar  8 23:38:44 postfix/smtpd[9295]: Anonymous TLS connection established from 84-74-210-140.dclient.hispeed.ch[84.74.210.140]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  8 23:38:44 postfix/smtpd[9295]: warning: SASL authentication failure: realm changed: authentication aborted
Mar  8 23:38:44 postfix/smtpd[9295]: warning: 84-74-210-140.dclient.hispeed.ch[84.74.210.140]: SASL DIGEST-MD5 authentication failed: authentication failure
Mar  8 23:38:45 postfix/smtpd[9295]: 0AF2127E0113: client=84-74-210-140.dclient.hispeed.ch[84.74.210.140], sasl_method=LOGIN, sasl_username=xxxx

as requested from the discussion below I added the relevant filters from Fail2ban

postfix-sasl.conf

   failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

sasl.conf

   failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

I am using openvpn. Once the clients are connected, I would like that they can be addressed by using the names instead of the ip addresses.

e.g. instead of "ping 10.8.0.2" I can use "ping client-name"

How can I achieve that?

I am using openvpn 2.3 on a centos 6.5. I also installed dnsmasq.

I set up openVPN 2.3 on a centOS 6.5 system I could connect with my windows client to the server. client gets IP address and DNS entries but when I like to access the internet with my client it does not work.

I have set the "net.ipv4.ip_forward = 1" in "/etc/sysctl.conf". And added the firewall rule "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE".

A "tracert 8.8.8.8" ony my client ends into a timeout.

Any hints or suggestions I can try? Thanks

Please find below my IPTable onfiguration

# Generated by iptables-save v1.4.7 on Sat Feb 13 16:18:46 2016
*mangle
:PREROUTING ACCEPT [2300:167838]
:INPUT ACCEPT [2300:167838]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1911:1150640]
:POSTROUTING ACCEPT [1911:1150640]
COMMIT
# Completed on Sat Feb 13 16:18:46 2016
# Generated by iptables-save v1.4.7 on Sat Feb 13 16:18:46 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15:1699]
:fail2ban-SSH - [0:0]
:fail2ban-sasl - [0:0]
:fail2ban-submission - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-sasl
-A INPUT -p tcp -m tcp --dport 587 -j fail2ban-submission
-A INPUT -p tcp -m tcp --dport 2022 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-sasl
-A INPUT -p tcp -m tcp --dport 587 -j fail2ban-submission
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 3306 -m state --state     NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fail2ban-SSH -j RETURN
-A fail2ban-sasl -j RETURN
-A fail2ban-submission -j RETURN
COMMIT
# Completed on Sat Feb 13 16:18:46 2016
# Generated by iptables-save v1.4.7 on Sat Feb 13 16:18:46 2016
*nat
:PREROUTING ACCEPT [88:5707]
:POSTROUTING ACCEPT [29:2145]
:OUTPUT ACCEPT [29:2145]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Completed on Sat Feb 13 16:18:46 2016

I installed the PHP extension APC on the server but I get it not running. It gets not listed in phpinfo(). After activating the php error log I get the following error:

PHP Startup: Unable to load dynamic library '/var/www/vhosts/chroot/usr/lib64/php/modules/apcu.so: undefined symbol: php_pcre_exec in Unknown on line 0

I am using the following versions Ubuntu 14.04.3 / PHP 5.6.13 / Apache 2.4.7

The installation has been made with:

 sudo apt-get install php-apc

In phpinfo I don't see any extension for apc. I jsut see that the following files has been added "/etc/php5/apache2/conf.d/20-apcu.ini" which seems to get parsed in addition to php.ini and in the ini file is

 extension=apcu.so

The apcu.so file has been installed through apt-get and is in

/usr/lib/php5/20121212/apcu.so

/var/www/vhosts/chroot/usr/lib64/php/modules/apcu.so

any hints how this error "undefined symbol: php_pcre_exec" can be solved. Which additional libraries are missing?

I try to exclude a sub-url "/shop/api" from my protected website. It worked fine on different server on Apache/2.2.15 but now not with Apache/2.4.7? It always asks for the basic authentication. Any Idea what I did wrong?

AuthType Basic
AuthName 'Authentication required'
AuthUserFile /var/www/vhosts/pwd/.htpasswd

# Allow access to excluded diretories
SetEnvIf Request_URI ^/shop/api/  noauth=1
Order deny,allow
Satisfy any
Deny from all
Require valid-user
Allow from env=noauth