Submitted by nosco on Thu, 10/10/2013 - 14:19 Pro Licensee
Hello,
I got a report that my server is being used in DDoS attacks. I have Cloudmin installed there. Can you give me some instructions on how to avoid that? Best practice regarding Cloudmin?
Status:
Closed (fixed)
Comments
Submitted by andreychek on Thu, 10/10/2013 - 15:03 Comment #1
Howdy -- usually, what you're describing occurs if a system account or a website is compromised in some way.
Did this issue occur on your Cloudmin host, or was it with one of the VPS's that Cloudmin manages?
If it was on the Cloudmin host -- do you have any other websites installed on that particular system?
Submitted by nosco on Fri, 10/11/2013 - 05:09 Pro Licensee Comment #2
Hi,
On the Cloudmin host, yes, I have BackupPC web access on a subdomain. ATM I narrowed recursion and queries to known hosts only (VPS IPs and my other servers), and of course my backup website doesn't work. If I allow queries from "any", will that compromise DNS again? Also, BackupPC web has .htpasswd authentication, so I'm not sure if it is possible to misuse that site for a DDoS attack?
Start Time       Finish Time      IP           AS     Country  Last Protected  Peak Rate/s  Total Count  Attack Vector
08 Oct 05:18:34  08 Oct 07:21:39  176.9.2.61   24940  DEU      77.66.30.225    16           28377        Blocked Protocol - Temp Black-Listed
Submitted by andreychek on Fri, 10/11/2013 - 09:55 Comment #3
Unfortunately, the information they provided you regarding the attack isn't enough to understand what the cause of the issue might be.
Did they give you any additional information, such as the type of attack, or what protocol was used?
If your BackupPC application has a .htaccess in front of it, that should prevent attackers from gaining access to it.
If your DNS server doesn't need to be recursive, it'd generally be best to leave that option disabled.
If you log into your server, and run the command "last -a", do you see any unusual activity? Anyone accessing accounts from IP addresses you don't recognize?
Submitted by nosco on Mon, 10/21/2013 - 01:58 Pro Licensee Comment #4
No. Nothing.
I can see that in the last few months there has been high activity of DNS attacks. I have tried to implement rate limits in the config file, but it's not implemented in BIND 9, at least not on Ubuntu. (http://www.redbarn.org/dns/ratelimits)
Is there any other type of DNS protection; like CSF or something?
Thanks,
Kristijan
p.s. I didn't get a new complaint for DDoS, so maybe disabling recursion did the trick.
Submitted by andreychek on Mon, 10/21/2013 - 19:05 Comment #5
It looks like the ratelimits on that website are a third-party patch for BIND, and aren't included by default with BIND as of yet.
It's difficult to say what the issue might have been, or how exactly to prevent it in the future -- but since you haven't received additional complaints, that's great news.
For the time being, I might recommend just monitoring your logs, and keeping an eye out for new complaints.
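The advice in this thread comes down to two things: restrict recursion to known hosts, then keep an eye on the logs for the pattern a reflection attack leaves behind (a spoofed "client" that sends a burst of recursion-desired, usually ANY, queries so the large answers land on the victim). The script below is an added example written for this page, not code from the thread or from Cloudmin; it parses BIND 9 query-log lines in the 9.9-era format and flags sources that recurse from outside the allowed list, send ANY queries, or exceed a per-second rate. The allowed networks and the sample log lines are constructed placeholders (RFC 5737 ranges), and the log format is assumed to be the one shown in the comment.

```python
"""Flag likely DNS-amplification abuse in BIND 9 query logs.

Added example, not from the original thread. Assumes BIND's "queries"
log category writing lines in the 9.9-era format shown below; the
ALLOWED_RECURSION networks and SAMPLE_LOG lines are constructed
placeholders (RFC 5737 documentation ranges).
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Who may recurse: stand-ins for the VPS addresses and the admin's other
# servers mentioned in the thread (placeholders, not real ranges).
ALLOWED_RECURSION = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.7/32")]

# BIND 9.9-style query log line (assumed format), e.g.
# 08-Oct-2013 05:18:34.101 client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.1)
# The flags field starts with '+' when recursion was requested, '-' when not.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) "
    r"(?P<cls>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*) \((?P<local>[^)]+)\)$")


def parse(line):
    """Parse one query-log line; return a dict or None for unrecognised lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["rd"] = d["flags"].startswith("+")          # recursion desired
    d["ts"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S")
    return d


def allowed(ip):
    """True if ip falls inside one of the networks permitted to recurse."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RECURSION)


def analyze(lines, rate_threshold=10):
    """Per-source findings matching common reflection patterns.

    Counts recursion-desired queries from outside the ACL, ANY queries,
    and the peak number of queries in any one second; returns only the
    sources that trip at least one of those checks."""
    findings = defaultdict(lambda: {"queries": 0, "any": 0,
                                    "rd_outside_acl": 0, "peak_rate": 0})
    per_second = defaultdict(Counter)
    for line in lines:
        q = parse(line)
        if q is None:
            continue                               # skip non-query lines
        f = findings[q["ip"]]
        f["queries"] += 1
        if q["qtype"] == "ANY":
            f["any"] += 1
        if q["rd"] and not allowed(q["ip"]):
            f["rd_outside_acl"] += 1
        per_second[q["ip"]][q["ts"]] += 1
    for ip, buckets in per_second.items():
        findings[ip]["peak_rate"] = max(buckets.values())
    return {ip: f for ip, f in findings.items()
            if f["any"] or f["rd_outside_acl"] or f["peak_rate"] > rate_threshold}


# Constructed sample: a spoofed victim address hammering ANY queries in one
# second, one legitimate VPS lookup, and one stray recursive query from outside.
SAMPLE_LOG = [
    f"08-Oct-2013 05:18:34.{i:03d} client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.1)"
    for i in range(12)
] + [
    "08-Oct-2013 05:18:35.200 client 203.0.113.9#53: query: isc.org IN ANY +E (192.0.2.1)",
    "08-Oct-2013 05:18:35.003 client 192.0.2.10#41002: query: example.com IN A + (192.0.2.1)",
    "08-Oct-2013 05:18:36.500 client 198.51.100.200#51532: query: example.com IN MX + (192.0.2.1)",
    "08-Oct-2013 05:18:36.900 named[1234]: not a query line",
]

if __name__ == "__main__":
    for ip, f in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, f)
```

The three checks map onto the knobs discussed above: `rd_outside_acl` is exactly what an `allow-recursion` ACL in named.conf prevents, `any` counts the query type amplification abuse favours, and `peak_rate` is the signal that response rate limiting (the patch linked in comment #4; it was later merged into BIND as the `rate-limit` option) acts on. Run it against a real query log with `analyze(open("query.log"))` after adjusting the regex to your BIND version's line format.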
Submitted by nosco on Wed, 11/27/2013 - 04:15 Pro Licensee Comment #6