Morning, DDOS OUTAGE!! I had a few outages last year where I was the victim of a DDoS attack; the last time was November 2023 and I was off for a month. I reached out to the ISP and they were as good as a chocolate teapot on a hot summer's day... In the last 2 weeks I had a 24 outage, and Friday gone, 8-Nov-24 at 16.40, the attack started again. I unplugged my server switch, isolating them; my modem is a DrayTek 2865 and this fell to its knees as it couldn't handle the traffic. But this time I knew how to Wireshark all data from the modem to my PC by cloning it via port 5 of the router, but to set it up I had to unplug the WAN. I could see the volume of the attack - huge!! Saturday I built a pfSense and monitored in real time; the only thing connected was pfSense, everything else was disconnected. You couldn't read the logs as they went past too quickly; I had to update the log count from 7 rotations to 50 as the volume was huge. Anyway, I contacted the new ISP on Monday morning and got a new range of IPs.. I was contacted by a chap on Monday stating they have a SOC behind them and the volume of traffic killed their data centre - NOW I'M DEAD CONCERNED!!!!
All my IP addresses, 16 of them, were used to send spam emails. My issue is: I unplugged the switch connecting to the servers, killing them dead at about 17.00 on Friday, so how could they send out that volume to kill a SOC data centre? I do believe the attack was a DNS hijack style, but how do I trust my server contents? My user password had been changed to a generated 22-char password. I set up a daily rkhunter scan, scheduled daily with an email report, and they look safe (at the time last week). On the day I upped fail2ban to ban for either 2 weeks or 2 months and was rolling that out to all servers, just as the attack happened. If I have an evil binary or a rogue thingy, how do I find it? I thought rkhunter would have seen it, or is it, as I assume, that the attack hijacked my IPs upstream and was bouncing the crap load of emails out to the wide web..
The SOC did report to me that the attack seemed to originate from Germany; they mentioned routing in countries USA, Brazil, Russia and originating from downtowniciny.com (don't go there) and orangeconnection.org (don't go there). I'm reporting what they said.
FIX: I have pfSense+ with support now and want to configure it - any advice is welcome. I want to have the hostnames of my servers through Cloudflare to stop these attacks. Advice welcome.
dave
Use Cloudflare if you get DDoS attacks. pfSense will not help you if the attack overwhelms the capacity of your ISP.
Hey Till, do you have experience in setting it up? It has a proxy option.. so do I leave that on? And I have read other posts on the forum here that I don't need my DNS servers, as I'm hosting websites from the panel. Do I add everything via Cloudflare or add as normal through my panel? Thanks
You must use the proxy option; otherwise, your system will not be protected. Take care to enable it only for websites and URLs that you access by http and https. You must use Cloudflare DNS; you cannot use your own DNS server.
So adding a client website to ISPConfig is normal through the panel, but for the client domain, via DNS where the client domain was purchased I add Cloudflare as a nameserver, and in Cloudflare I add their domain. Is that right?
I am migrating mailboxes from the old system to the new one. I have to use a local IP range, 10.0.0.69 - 10.0.0.80. I'm using imapsync, but I don't know the password for 1 of them. I thought to get the panel talking back to the rest of the nodes; the IP addresses change from an 89.0.0.0 range to a local 10.0.0.0 range. I have updated the Code: /etc/hosts file with the new range, but the panel does not communicate with the nodes.. Do I have to dive into MySQL on the panel and update the users?
If you do not know the password of an account, then you just set a new one. Passwords cannot be decoded from the hashes in the database. You must update the MySQL root and ispcsrv* users in the master database. The best is to use the user editor in phpMyAdmin for this, as the permissions are spread over many tables in the mysql.mysql database.
I'm running imapsync to send email from 1 server to another. It was working, but since getting the nodes chatting I now cannot. This is the error:
Code:
Info: will resync flags for already transferred messages. Use --noresyncflags to not resync flags.
Host1: probing ssl on port 993 ( use --nosslcheck to avoid this ssl probe )
Host1: sslcheck did not detected open ssl port 993. Will use standard 143 port.
Host2: probing ssl on port 993 ( use --nosslcheck to avoid this ssl probe )
Host2: sslcheck detected open ssl port 993 so turning ssl on (use --nossl2 --notls2 to turn off SSL and TLS wizardry)
SSL debug mode level is --debugssl 1 (can be set from 0 meaning no debug to 4 meaning max debug)
Host2: SSL default mode is like --sslargs2 "SSL_verify_mode=0", meaning for host2 SSL_VERIFY_NONE, ie, do not check the server certificate.
Host2: Use --sslargs2 SSL_verify_mode=1 to have SSL_VERIFY_PEER, ie, check the server certificate. of host2
Info: turned ON syncinternaldates, will set the internal dates (arrival dates) on host2 same as host1.
Host1: will try to use LOGIN authentication on host1
Host2: will try to use LOGIN authentication on host2
Host1: imap connection timeout is 120 seconds
Host2: imap connection timeout is 120 seconds
Host1: imap connection keepalive is on on host1. Use --nokeepalive1 to disable it.
Host2: imap connection keepalive is on on host2. Use --nokeepalive2 to disable it.
Host1: IMAP server [10.0.0.71] port [143] user [email@email]
Host2: IMAP server [mx1......co.uk] port [993] user [email@email]
Host1: connecting and login on host1 [10.0.0.71] port [143] with user [email@email]
Host1 IP address: 10.0.0.71
Local IP address: 192.168.1.32
Host1 banner: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SPECIAL-USE XLIST LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
Host1 capability before authentication: IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SPECIAL-USE XLIST LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH
Host1: going to ssl because STARTTLS is in CAPABILITY. Use --notls1 or --notls2 to avoid that behavior
DEBUG: .../IO/Socket/SSL.pm:850: local error: SSL connect attempt failed error:0A00010B:SSL routines::wrong version number
DEBUG: .../IO/Socket/SSL.pm:853: fatal SSL error: SSL connect attempt failed error:0A00010B:SSL routines::wrong version number
Host1 failure: Can not go to tls encryption on host1 [10.0.0.71]: Unable to start TLS: SSL connect attempt failed error:0A00010B:SSL routines::wrong version number
Host2: connecting and login on host2 [mx1.......co.uk] port [993] with user [email@email]
Host2 IP address: xx.xx.xx.xx
Local IP address: 192.168.1.32
Host2 banner: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SPECIAL-USE XLIST LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.
Host2 capability before authentication: IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SPECIAL-USE XLIST LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH
Host2: mx1.......co.uk says it has CAPABILITY for AUTHENTICATE LOGIN
Host2: success login on [mx1........co.uk] with user [email@email] auth [LOGIN] or [LOGIN]
++++ Listing 1 errors encountered during the sync ( avoid this listing with --noerrorsdump ).
Err 1/1: Host1 failure: Can not go to tls encryption on host1 [10.0.0.71]: Unable to start TLS: SSL connect attempt failed error:0A00010B:SSL routines::wrong version number
The most frequent error is ERR_EXIT_TLS_FAILURE.
Exiting with return value 12 (EXIT_TLS_FAILURE) 1/50 nb_errors/max_errors
PID 368378 Removing pidfile /tmp/imapsync.pid
Disconnecting from host2 mx1........co.uk user2 email@email
Also.. the mx1.. has 722 jobs remaining.. this may be why. Investigating them now.
##UPDATE
Code: tail -f /var/log/mail.log
mx1 dovecot: doveadm: Error: SSL context initialization failed, disabling SSL: Can't load SSL private key (ssl_key setting): Key is for a different cert than ssl_cert
##SOLVED
I removed the SSL cert using acme.sh --remove -d server.mydomain.com, deleted the folder with rm -rf /root/.acme.sh/server.mydomain.com, and re-ran the ISPConfig updater. It was still falling back to self-signed, and this time I got verify error / connection refused. Courtesy of https://forum.howtoforge.com/thread...private-key-ispserver-key-do-not-match.90049/
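The Dovecot error in the update above ("Key is for a different cert than ssl_cert") is something you can check for before restarting the service, since once Dovecot disables SSL the STARTTLS on port 143 fails exactly as imapsync showed. This is an added example, not from the thread or from ISPConfig: a POSIX sh script that reads the ssl_cert / ssl_key paths out of a doveconf -n dump and confirms the key belongs to the certificate. It assumes openssl is installed; the ispserver.crt / ispserver.key paths in the comments are only the usual ISPConfig defaults.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the ssl_cert / ssl_key pair
# Dovecot is configured with actually belong together. Assumes openssl is
# installed. Typical ISPConfig paths (assumed defaults, yours may differ):
#   ssl_cert = </usr/local/ispconfig/interface/ssl/ispserver.crt
#   ssl_key  = </usr/local/ispconfig/interface/ssl/ispserver.key

# Pull the file path out of a Dovecot "setting = <path" line.
# $1 = setting name (ssl_cert or ssl_key), $2 = file holding doveconf -n output
dovecot_ssl_path() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*<//p" "$2" | head -n 1
}

# Compare the public key embedded in the certificate with the public key
# derived from the private key. Works for RSA and EC keys alike. Either
# openssl call failing (missing or unreadable file) counts as a mismatch.
# $1 = certificate PEM, $2 = private key PEM
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check the pair a Dovecot config dump points at; returns 0 on match, 1 otherwise.
# $1 = file holding doveconf -n output (e.g. doveconf -n > /tmp/dovecot.conf)
check_dovecot_tls() {
  cert=$(dovecot_ssl_path ssl_cert "$1")
  key=$(dovecot_ssl_path ssl_key "$1")
  if cert_key_match "$cert" "$key"; then
    echo "OK: $key matches $cert"
  else
    echo "MISMATCH: $key does not belong to $cert (dovecot would disable SSL)"
    return 1
  fi
}
```

Run it as `doveconf -n > /tmp/dovecot.conf && sh thisscript.sh` with a final line calling `check_dovecot_tls /tmp/dovecot.conf`, and only restart Dovecot when it reports OK.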