Hello,

Thanks in advance for reading through this post.

This morning, all of a sudden, I can no longer send/receive email using Evolution via Ubuntu (my client) with an email account I've been using successfully since the installation/configuration of my Debian Etch LAMP server. I can, however, access this email account via SquirrelMail.

I've checked through the following logs:

auth.log
* I was being hammered by a brute-force attack (I believe), so I blocked the IP that was slamming my server every two minutes trying different usernames.

mail.info
I noticed that every 30 minutes an email was sent by a user account that should not be sending system-level alert emails. I believe these coincide with emails I received every half-hour this morning:

    Warning: service httpd not running (server: <server>)!
    Message generated at December 9, 2007, 9:00.

I deleted the user account shown in the mail.info log and tried to restart HTTPD, but to no avail.

syslog
    9 13:37:58 <hostname> ntpd[2436]: no servers reachable
* This was distressing to me.

I'm still in the learning process of administering a Linux box, so I'm not the most advanced "detective" in deciphering the logs.

Secondly, when rebooting (multiple times), under the "ABSOLUTELY NO WARRANTY" blurb, it displayed: No mail.

Also, when I accessed ISPConfig, under Management --> Server --> Services, SMTP was offline even though the SMTP Server drop-down menu showed it was "On". I restarted it, and in this same panel the SMTP-Server status became "Online".

Furthermore, I cannot access my websites. I'm accessing ISPConfig via my LAN.

Any thoughts? Ideas? I'd be happy to post any log info necessary, as this seems to be beyond me.

Thanks!!
Tom
UPDATE: My server is now working again... all of a sudden. Email is coming through and I can hit all my sites. I did nothing but walk away (and watch my pathetic Lions give one away to the Cowboys... thank goodness I'm a Red Wings fan...). Tom
Any errors in your mail log and Apache error log? What's the output of

Code:
netstat -tap

and

Code:
iptables -L

? Do you use Denyhosts/fail2ban/Blockhosts to block brute-force attacks?
Falko,

Thanks for taking the time to reply to my post. Here are the outputs you requested:

Code:
<servername>:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address           State       PID/Program name
tcp        0      0 *:4130                      *:*                       LISTEN      2423/rpc.statd
tcp        0      0 *:mysql                     *:*                       LISTEN      2108/mysqld
tcp        0      0 *:sunrpc                    *:*                       LISTEN      1865/portmap
tcp        0      0 *:81                        *:*                       LISTEN      2539/ispconfig_http
tcp        0      0 *:auth                      *:*                       LISTEN      2290/inetd
tcp        0      0 *:ftp                       *:*                       LISTEN      17681/proftpd: (acc
tcp        0      0 WAN IP:domain               *:*                       LISTEN      2825/named
tcp        0      0 xxx.xxx:domain              *:*                       LISTEN      2825/named
tcp        0      0 localhost.locald:domain     *:*                       LISTEN      2825/named
tcp        0      0 *:smtp                      *:*                       LISTEN      17630/master
tcp        0      0 localhost.localdoma:953     *:*                       LISTEN      2825/named
tcp    73149      0 WAN IP:4076                 194.47.250.218:www        ESTABLISHED 2855/freshclam
tcp6       0      0 *:imaps                     *:*                       LISTEN      2257/couriertcpd
tcp6       0      0 *:pop3s                     *:*                       LISTEN      2276/couriertcpd
tcp6       0      0 *:pop3                      *:*                       LISTEN      2262/couriertcpd
tcp6       0      0 *:imap2                     *:*                       LISTEN      2245/couriertcpd
tcp6       0      0 *:www                       *:*                       LISTEN      2707/apache2
tcp6       0      0 *:ssh                       *:*                       LISTEN      2380/sshd
tcp6       0      0 *:smtp                      *:*                       LISTEN      17630/master
tcp6       0      0 ip6-localhost:953           *:*                       LISTEN      2825/named
tcp6       0      0 *:https                     *:*                       LISTEN      2707/apache2
tcp6       0      0 <servername>.<domain>:ssh   ::ffff:192.168.2.:58022   ESTABLISHED 27194/0

---------------------------------

Code:
:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere
DROP       0    --  224.0.0.0/4          anywhere
PUB_IN     0    --  anywhere             anywhere
PUB_IN     0    --  anywhere             anywhere
PUB_IN     0    --  anywhere             anywhere
PUB_IN     0    --  anywhere             anywhere
DROP       0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       0    --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    0    --  anywhere             anywhere
PUB_OUT    0    --  anywhere             anywhere
PUB_OUT    0    --  anywhere             anywhere
PUB_OUT    0    --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       0    --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere

Chain PAROLE (9 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:81
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:webmin
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
DROP       icmp --  anywhere             anywhere
DROP       0    --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere

I do not use Denyhosts/fail2ban/Blockhosts to block brute-force attacks. To be honest, I don't know anything about them, though because you mentioned them, you can rest assured I'm going to.

Thanks again, Falko!!!
Tom
Falko,

Thanks for the fail2ban info (and howto). I installed it. Do you think my issue(s) per my initial post are a result of brute-force attacks?

Thanks very much for your time and attention to this matter.
Tom
Is your server in your local network, or is it remote? If it's a remote server and you have a dynamic IP address on your internet connection, it's possible that you got an IP address used by an attacker before; if that IP address was banned by fail2ban, then you cannot connect to your server until you get a new IP address.
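The lock-out scenario Falko describes above, as an added example that is not part of this thread and not fail2ban's own code: a minimal fail2ban-style ban tracker replayed over constructed sshd "Failed password" lines in Debian Etch syslog format. The host name "etch", the PIDs, the addresses 203.0.113.7 and 192.168.2.10, the user names and the year 2007 are all assumed; maxretry, findtime and bantime borrow fail2ban's jail option names and use made-up values. The point it shows is that a ban is keyed on the source IP alone, so whoever holds that address next (a reassigned dynamic IP, or a client behind the same NAT as an attacker) is locked out until bantime expires.

```python
# Added example (not from the thread, not fail2ban's code): a minimal
# fail2ban-style ban tracker replayed over constructed sshd log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2007  # assumed: Etch syslog timestamps carry no year

# Matches Etch-style sshd failures, e.g.
#   Dec  9 09:00:11 etch sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: one attacker cycling user names every ~2 minutes
# and one legitimate LAN user who mistypes a password once.
SAMPLE_LOG = """\
Dec  9 09:00:11 etch sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Dec  9 09:02:09 etch sshd[4015]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Dec  9 09:03:40 etch sshd[4020]: Accepted password for tom from 192.168.2.10 port 58022 ssh2
Dec  9 09:04:13 etch sshd[4022]: Failed password for root from 203.0.113.7 port 40141 ssh2
Dec  9 09:05:02 etch sshd[4030]: Failed password for tom from 192.168.2.10 port 58030 ssh2
"""


def at(hhmmss):
    """Timestamp on the sample log's day (assumed 9 Dec of YEAR)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return datetime(YEAR, 12, 9, h, m, s)


def parse_line(line):
    """Return (timestamp, user, ip) for a failed sshd login, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class BanTracker:
    """Counts failures per source IP inside a sliding window (findtime);
    maxretry failures ban the IP for bantime seconds. As with fail2ban,
    the key is the IP only, not the user or the client behind it."""

    def __init__(self, maxretry=3, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(list)  # ip -> recent failure times
        self.bans = {}                     # ip -> ban expiry

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry

    def observe(self, ts, ip):
        """Record one failure; return True if this one triggers a ban."""
        if self.is_banned(ip, ts):
            return False  # already blocked; the real firewall rule would drop it
        recent = [t for t in self.failures[ip] if t > ts - self.findtime]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            self.failures[ip] = []
            return True
        return False


def replay(log_text, **jail_opts):
    """Feed a log through a tracker; return (tracker, [(ban_time, ip), ...])."""
    tracker = BanTracker(**jail_opts)
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # accepted logins and non-sshd lines are ignored
        ts, _user, ip = parsed
        if tracker.observe(ts, ip):
            events.append((ts, ip))
    return tracker, events


if __name__ == "__main__":
    tracker, events = replay(SAMPLE_LOG, maxretry=3, findtime=600, bantime=600)
    for ts, ip in events:
        print(f"{ts:%b %d %H:%M:%S} banned {ip} until {tracker.bans[ip]:%H:%M:%S}")
    # Whoever holds 203.0.113.7 at 09:10 is locked out, attacker or not.
    print("09:10 locked out:", tracker.is_banned("203.0.113.7", at("09:10:00")))
    print("09:20 locked out:", tracker.is_banned("203.0.113.7", at("09:20:00")))
```

On a real server the equivalent check is iptables -L: fail2ban 0.8 adds a chain named after the jail (fail2ban-ssh for the ssh jail) holding one DROP rule per banned address, so an address that appears there is locked out regardless of who is using it at the moment. A static address, as in this thread, does not protect against that if it shares a NAT gateway with the attacking client.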
> Is your server in your local network, or is it remote?

I have 2 NICs: 1 LAN and 1 WAN.

> If it's a remote server, and you're having dynamic IP addresses with your internet connection, it's possible that you got an IP address used by an attacker before;

I use static for both LAN and WAN.

> if that IP address was banned by fail2ban, then you cannot connect to your server until you get a new IP address.

They are not banned.

---------

It's very strange. I can currently hit the sites and receive email, but sporadically the site(s) may not load. I'm baffled.

Thanks for all your help, Falko.