
WOOT!

Discussion in 'Server Configuration and Hosting' started by Tracy Perry, Mar 15, 2013.

  1. Tracy Perry

    Tracy Perry Well-Known Member

    Twowheeldemon.com is now live on a Ram Node VPS. The hardest part of the whole ordeal was deciding which OS to go with. Now comes time for the fine tuning (like setting up the Postfix so it serves mail - even tho' mine is hosted through Google Apps). I'm really impressed so far with Ram Node. Once I went live there you could definitely tell a difference in the responsiveness of the site.

    I'm still trying to get SFTP figured out. I was wanting to make it so I could FTP directly to the website and process my files, but I may just place them in a directory in my home and point the server at them there... all it needs is read access.
     
  2. Deebs

    Deebs Well-Known Member

    Well done! Do not forget about the security of your VPS. iptables is a must and SFTP is the right choice :)
     
    Luke F likes this.
  3. Slavik

    Slavik XenForo Moderator Staff Member

    What OS did you select in the end?
     
  4. Tracy Perry

    Tracy Perry Well-Known Member

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp source-quench
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
    DROP tcp -- anywhere anywhere tcp dpt:ftp
    ACCEPT tcp -- anywhere anywhere tcp dpt:****
    ACCEPT tcp -- anywhere anywhere tcp dpt:www
    DROP tcp -- anywhere anywhere tcp dpt:www

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    This is what my iptables is set at right now.
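As an added example (not code from the thread or from any iptables tooling), the script below parses a plain `iptables -L` listing like the one above and points out two things worth a second look: a terminal rule whose match is identical to an earlier terminal rule (the `DROP ... dpt:www` after `ACCEPT ... dpt:www` can never fire), and an unconditional `ACCEPT all` in a chain whose policy is DROP. The sample listing is the one posted here, with the redacted port kept as the literal `****`; plain `-L` hides interface matches, so the catch-all finding is a prompt to re-check with `iptables -L -v -n`, not a verdict.

```python
"""Audit an `iptables -L` listing for shadowed rules and catch-all ACCEPTs.

Added example; SAMPLE_LISTING is the listing posted in the thread (the
redacted port is kept as the literal '****').
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
DROP tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:****
ACCEPT tcp -- anywhere anywhere tcp dpt:www
DROP tcp -- anywhere anywhere tcp dpt:www

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
"""


def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [rule, ...]}}.

    Each rule keeps target/prot/source/destination plus the trailing match
    text as `extra` (e.g. 'tcp dpt:www' or 'state RELATED,ESTABLISHED').
    """
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target prot opt"):
            continue  # column header
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        chains[current]["rules"].append({
            "target": target, "prot": prot, "source": src,
            "destination": dst, "extra": parts[5] if len(parts) == 6 else "",
        })
    return chains


def audit(text):
    """Return findings as dicts with chain, 1-based position, kind, message."""
    findings = []
    for chain, info in parse_listing(text).items():
        first_terminal = {}  # match key -> position of first terminal rule
        for pos, rule in enumerate(info["rules"], start=1):
            if rule["target"] not in TERMINAL:
                continue
            key = (rule["prot"], rule["source"], rule["destination"], rule["extra"])
            if key in first_terminal:
                findings.append({
                    "chain": chain, "position": pos, "kind": "shadowed",
                    "message": f"{rule['target']} on {rule['extra'] or 'all traffic'} can never match: "
                               f"rule {first_terminal[key]} already decides the same traffic",
                })
                continue
            first_terminal[key] = pos
            if key == ("all", "anywhere", "anywhere", "") and rule["target"] == "ACCEPT":
                findings.append({
                    "chain": chain, "position": pos, "kind": "catch_all",
                    "message": f"unconditional ACCEPT in a policy-{info['policy']} chain; plain -L hides "
                               "interface matches, so confirm with 'iptables -L -v -n' that this is "
                               "the loopback rule (-i lo), otherwise every later rule is dead",
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f"{f['chain']} rule {f['position']} [{f['kind']}]: {f['message']}")
```

The audit keys rules on what `-L` shows, so a rule that only differs by an interface or owner match looks identical here; treat a `shadowed` finding as "verify", and re-run the listing with `-v -n` before deleting anything.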
     
  5. Tracy Perry

    Tracy Perry Well-Known Member

    Debian - I played with CentOS for a while, but it's been so long since I used the RPM package format that I decided to go with what I was familiar with. Figured Debian (next to CentOS and Red Hat) was a solid choice. Seems a lot of sites are using it also. Was not going to go out and pay for Red Hat when I don't need that kind of service.
     
    Adam Howard likes this.
  6. Slavik

    Slavik XenForo Moderator Staff Member

    Fair enough
     
  7. Deebs

    Deebs Well-Known Member

    Great stuff. Don't spend too much on security thru obscurity by changing your SSH port, they will find it by portscanning but you have fail2ban which is a much better choice.
     
    Luke F likes this.
  8. Slavik

    Slavik XenForo Moderator Staff Member

    And set up SSH key authentication for that added security :)
     
  9. Tracy Perry

    Tracy Perry Well-Known Member

    yep, had it on an earlier install.. now got to figure out how to do it again... I know it wasn't hard.
     
  10. Tracy Perry

    Tracy Perry Well-Known Member

    :p
    Think this is working? I also have some from Russia trying to hit in.

    Mar 17 16:38:23 twowheeldemon sshd[4253]: Invalid user oracle from 31.3.245.178
    Mar 17 16:38:24 twowheeldemon sshd[4256]: Invalid user test from 31.3.245.178
    Mar 17 16:39:31 twowheeldemon sshd[4386]: Invalid user oracle from 31.3.245.178
    Mar 17 16:39:31 twowheeldemon sshd[4388]: Invalid user oracle from 31.3.245.178
    Mar 17 16:39:32 twowheeldemon sshd[4390]: Invalid user oracle from 31.3.245.178
    Mar 17 16:39:34 twowheeldemon sshd[4392]: Invalid user bwadmin from 31.3.245.178

    Mar 18 08:13:22 twowheeldemon sshd[1549]: Accepted publickey for ********** from 24.49.69.204 port 61899 ssh2
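The lines above are what fail2ban's sshd jail keys on. As an added example (not fail2ban's code and not anything from the thread), the following replays that decision over the posted excerpt: it counts `Invalid user` attempts per source address inside a sliding window, reports when the threshold is reached, and pulls out successful logins. The year is assumed to be 2013 because syslog timestamps carry none, and `ban_command` builds a rule in the shape of fail2ban's classic iptables action, inserting into the `fail2ban-ssh` chain that the earlier listing shows.

```python
"""Minimal fail2ban-style detector for sshd auth.log lines.

Added example, not fail2ban's code. SAMPLE_AUTH_LOG is the excerpt posted in
the thread (the accepted username is masked with '*' as in the post); the year
is assumed to be 2013 because syslog lines carry no year.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar 17 16:38:23 twowheeldemon sshd[4253]: Invalid user oracle from 31.3.245.178
Mar 17 16:38:24 twowheeldemon sshd[4256]: Invalid user test from 31.3.245.178
Mar 17 16:39:31 twowheeldemon sshd[4386]: Invalid user oracle from 31.3.245.178
Mar 17 16:39:31 twowheeldemon sshd[4388]: Invalid user oracle from 31.3.245.178
Mar 17 16:39:32 twowheeldemon sshd[4390]: Invalid user oracle from 31.3.245.178
Mar 17 16:39:34 twowheeldemon sshd[4392]: Invalid user bwadmin from 31.3.245.178
Mar 18 08:13:22 twowheeldemon sshd[1549]: Accepted publickey for ********** from 24.49.69.204 port 61899 ssh2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
INVALID_RE = re.compile(rf"^Invalid user (?P<user>\S+) from (?P<ip>{IPV4})")
ACCEPTED_RE = re.compile(rf"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>{IPV4}) port (?P<port>\d+)")


def parse_ts(stamp, year=2013):
    """Turn a syslog 'Mar 17 16:38:23' stamp into a datetime (year assumed)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=5, findtime=600, year=2013):
    """Walk the log in order.

    Returns (bans, accepted): bans maps IP -> timestamp at which the number of
    'Invalid user' attempts within the last `findtime` seconds reached
    `maxretry`; accepted lists (user, ip, source_port) for successful logins.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the window
    bans = {}
    accepted = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"), year)
        msg = m.group("msg")
        inv = INVALID_RE.match(msg)
        if inv:
            ip = inv.group("ip")
            if ip in bans:
                continue  # already decided; fail2ban would have dropped it
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > findtime:
                q.popleft()  # expire attempts older than the window
            if len(q) >= maxretry:
                bans[ip] = ts
            continue
        acc = ACCEPTED_RE.match(msg)
        if acc:
            accepted.append((acc.group("user"), acc.group("ip"), int(acc.group("port"))))
    return bans, accepted


def ban_command(ip, jail="ssh"):
    """Rule in the shape of fail2ban's iptables action for the jail's chain."""
    return f"iptables -I fail2ban-{jail} 1 -s {ip} -j DROP"


if __name__ == "__main__":
    bans, accepted = scan(SAMPLE_AUTH_LOG)
    for ip, when in bans.items():
        print(f"{when} ban {ip}: {ban_command(ip)}")
    for user, ip, port in accepted:
        print(f"accepted login for {user} from {ip} (client source port {port})")
```

With the defaults the posted burst trips the threshold on the fifth attempt at 16:39:32. The `port 61899` in the accepted line is the client's ephemeral source port, which is why it differs on every connection; it says nothing about which port sshd listens on.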
     
  11. Ghan_04

    Ghan_04 Active Member

    Is 61899 a new port for SSH? That's one thing I always do: move SSH to a new port. Most brute force attempts/sniffer scripts will look for the default.
     
  12. Slavik

    Slavik XenForo Moderator Staff Member

    In all honesty, moving SSH to another port is one of those measures which people over-rate. SSH is fine on port 22, just don't use a simple password (using keys is the best way), or configure your firewall to only allow your IP to connect.
     
  13. Biker

    Biker Well-Known Member

    I disagree. When SSH was on port 22, my logs were full of notices from low life scumbuckets who were banging on my front door. After changing the port, I've yet to receive one single notice. I've gone from hundreds of log entries per month to well under 100. What I get now are primarily pudknockers trying to get into the mail and ftp server.

    As far as scanning for the port, csf takes care of that for me by temporarily blocking attempted port scans.
     
    Adam Howard likes this.
  14. Tracy Perry

    Tracy Perry Well-Known Member

    Running on standard port 22. That was a direct import from my auth.log. Each time that I have connected the port number is different. I just left it at the standard port (easier to set up for my iPad/iPhone to access using a program I have). And I LOVE sftp ability.
     
  15. Robert F Schmitz

    Robert F Schmitz Well-Known Member



    403 FORBIDDEN!
    Either the address you are accessing this site from has been banned for previous malicious behavior or the action you attempted is considered to be hostile to the proper functioning of this system.
    The detected reason(s) you were blocked are:
    Mail Server Detection, usually infected. Please access from a non server hostname

    Your IP, and Domain Name (if resolvable) has been logged to a local honeypot, along with the referring page (if any), QUERY, POST, User Agent, time of access, and date. Please either 1. Stop the bad behavior, or 2. Cease accessing this system.
    Your connection details:
    Record #: 1
    Time:
    Running: 0.4.10a1
    Host: mail.guenschel.com
    IP: 173.64.112.32
    Post:
    Query:
    Stripped Query:
    Referer:
    User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
    Reconstructed URL: http:// twowheeldemon.com /

    Generated by ZB Block 0.4.10a1


    I get that when trying to view your site. Checked honeypot but they have nothing on the IP address.
     
  16. Tracy Perry

    Tracy Perry Well-Known Member

    Hmmm.. that is zBBlock doing it... I'll check the log files and see what I can find. Are you accessing from an ISP?
    I think I just saw what it is... your hostname resolves to a mail server, ergo - it's set to not allow that as most access attempts from those types of sites are due to the host being *bugged* with an exploit.
     
    Rob Fritz likes this.
  17. Robert F Schmitz

    Robert F Schmitz Well-Known Member

    I will enquire as to why that is. It has shown as mail. for as long as I can remember. Thanks.
     
  18. Tracy Perry

    Tracy Perry Well-Known Member

    zBBlock is really nice.. it stops at the front door for most stuff, even before you get to the site, but there can be some false positives in it (usually like in your case). Simply accessing the site from a system that doesn't have a FQDN will normally solve the problem as most users will not be using a server to access forums.
    Is this an actual server you are coming in from, or a desktop that has a FQDN?

    I couldn't check the log file (well, I could, but forgot to change permissions on it so that the system could not write to it :oops: after the move to the VPS). THAT problem is also solved now.
     
  19. Biker

    Biker Well-Known Member

    Because the IP resolves to a real, honest to goodness mail server.

    Service scan

    FTP - 21 Error: ConnectionRefused
    SMTP - 25 Error: ConnectionRefused
    HTTP - 80 HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Mon, 18 Mar 2013 18:20:33 GMT
    X-Powered-By: ASP.NET
    Connection: Keep-Alive
    Content-Length: 1270
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDQASSRQSS=KKMDMKCDNEPFFEFCPJICDJHC; path=/
    Cache-control: private
    POP3 - 110 +OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (**removed**) ready.
    IMAP - 143 * OK Microsoft Exchange 2000 IMAP4rev1 server version 6.0.6249.0 (**removed**) ready.
     
    Tracy Perry likes this.
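Posts 15 to 19 show the mechanism behind the "Mail Server Detection" block and why it produced a false positive: the visitor's IP reverse-resolves to `mail.guenschel.com`, and a hostname that looks like mail infrastructure is treated as server traffic. As an added example (not ZB Block's code), the function below makes that decision explicitly, with one step of my own: the PTR name is only trusted if it forward-resolves back to the same IP, so a forged reverse record cannot be used to steer the result. The hostname pattern list and the lookup functions are assumptions; the DNS table is constructed so the code runs offline, with the `mail.guenschel.com` / `173.64.112.32` pair taken from the thread and the other addresses drawn from documentation ranges.

```python
"""Reverse-DNS 'looks like a mail server' check with forward confirmation.

Added example, not ZB Block's code. SERVER_NAME_RE, the forward-confirmation
step and the fake DNS table are my assumptions; only the
mail.guenschel.com / 173.64.112.32 pair comes from the thread.
"""
import re
import socket

# Hostname labels commonly given to mail infrastructure (assumed list).
SERVER_NAME_RE = re.compile(r"^(?:mail|smtp|mx|pop3?|imap|relay|exchange)\d*\.", re.I)

# Constructed DNS data for offline runs (198.51.100/24, 203.0.113/24 and
# 192.0.2/24 are documentation ranges).
FAKE_PTR = {
    "173.64.112.32": "mail.guenschel.com",
    "198.51.100.7": "cpe-198-51-100-7.example-isp.net",
    "203.0.113.9": "mail.example.org",      # PTR claims a mail host ...
}
FAKE_A = {
    "mail.guenschel.com": {"173.64.112.32"},
    "cpe-198-51-100-7.example-isp.net": {"198.51.100.7"},
    "mail.example.org": {"203.0.113.200"},  # ... but the name points elsewhere
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_forward(host):
    return FAKE_A.get(host, set())


def live_ptr(ip):
    """Real PTR lookup; returns None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(host):
    """Real A lookup; returns the set of IPv4 addresses the name resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}
    except OSError:
        return set()


def classify(ip, ptr_lookup=fake_ptr, forward_lookup=fake_forward):
    """Decide whether a visitor's reverse DNS marks it as mail-server traffic.

    Pass ptr_lookup=live_ptr, forward_lookup=live_forward to run against real DNS.
    """
    host = ptr_lookup(ip)
    if host is None:
        return {"ip": ip, "host": None, "verdict": "allow", "reason": "no reverse DNS"}
    if ip not in forward_lookup(host):
        # Anyone controlling the reverse zone can put any name in a PTR; only a
        # name that resolves back to this IP is worth basing a decision on.
        return {"ip": ip, "host": host, "verdict": "allow",
                "reason": "PTR not forward-confirmed; hostname ignored"}
    if SERVER_NAME_RE.match(host):
        return {"ip": ip, "host": host, "verdict": "block", "reason": "Mail Server Detection"}
    return {"ip": ip, "host": host, "verdict": "allow",
            "reason": "hostname does not look like a server"}


if __name__ == "__main__":
    for ip in FAKE_PTR:
        r = classify(ip)
        print(f"{ip:>15} {r['host'] or '-':<36} {r['verdict']:<5} ({r['reason']})")
```

The verdict for `173.64.112.32` is `block`, which is exactly the thread's case: the check is working as designed, and the visitor is a person browsing from behind a real mail server's address. That is the trade-off with any hostname heuristic, which is why it belongs in front of, not instead of, the other layers mentioned below.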
  20. Tracy Perry

    Tracy Perry Well-Known Member

    Yep, and zBBlock did exactly as it is supposed to.. stopped at the front door (like a vacuum cleaner salesman) and the door slammed shut. It misses a few - but those are caught by the other spam utilities that are available here. Figure multilayered protection is nice.

    BTW, you the Biker that registered?
     
