Why hackers hit port 161 - ddos

Recently one of our servers faced a DOS attack, and from iptables log we found out that they hit port 161 of the server. I wonder why? Here is the iptable log
Mar 25 14:02:45 srv1 kernel: iptables denied: IN=eth0 OUT=MAC=xx:xx:xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=66 TOS=0x00 PREC=0x00 TTL=237 ID=1047 PROTO=UDP SPT=22 DPT=161 LEN=46
Mar 25 14:02:55 srv1 kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=66 TOS=0x08 PREC=0x20 TL=232 ID=1047 PROTO=UDP SPT=7777 DPT=161 LEN=46
...

According to /etc/services, port 161 is the port of SNMP. Perhaps that could explain why hackers attacked that port? Lots of networking gear use SNMP for management.
They probably tried an SNMP amplification attack explained e.g. in https://isc.sans.edu/forums/diary/SNMP+The+next+big+thing+in+DDoS+Attacks/18089/
The idea of reflectors is to cause a small request packet to get a large reply packet response. The source IP address of the request packet is obviously spoofed to be the target of the attack. So, in other words: you weren't the real target of the attack, they just tried to use your network equipment to amplify traffic to the real attack target.

Related

Can syslog pri value can be negative?

First i will tell you my architecture
client--->haproxy--->syslog-ng--->kafka
the client is Cisco ASA and haproxy is server for load-balancing and syslog-ng is for receiving ,filtering and sending logs to kafka(destination)
The client sends logs to haproxy and haproxy send logs to syslog-ng using tcp transport
As in tcp the client-server timeout breaks whenever client restored the connection its PRI value is negative which we seeing in wireshark.With this issue the messages gets mixup
Connection restored is normal but PRI value is negative this is incorrect.
I am showing you the the logs
<-1>May 24 2021 17:40:28: %ASA--1-6414004: TCP Syslog Server private:xx.xx.xx.xx/1470 -
Connection restored\\nCAL\\\\John Mike/xxxxxxxxxxxxxxxxxx) to private:xx.xx.xx.xx/xx duration 0:00:00 bytes 142
(John Mike/xxxxxxxxxxxxxxxxxx)\\nxxxxxxx)\\n4 2021 17:40:28: %ASA-6-302016: Teardown UDP connection 1733810491
we've increase the client connection timeout from 1min to 12 hr but the problem is not resolved
Some version of the Cisco ASA TCP Syslog code are affected by bug CSCvz85683:
Symptom:
Wrong syslog message format, ex for 414004:
-1>Sep 08 2021 10:46:25: %ASA--1-6414004: TCP Syslog Server private:xx.xx.xx.xx/1470 - Connection restored\n (xx.xx.xx.xx/64437)
Conditions:
External logging to TCP server is enabled
Workaround:
NA
Further Problem Description:
ASA syslog messages have 6-digit ID
The valid range for message IDs is between 100000 and 999999.
Source: Cisco ASA Series Syslog Messages. About ASA Syslog Messages.
When logging via TCP on versions with the defect code, will shift the priority (6 in this case) into the message code (414004 in this case) and use an illegal priority -1.
According to the bug, this has been fixed in version 9.14.4.

Handshake Failed test connectivity for OpenVPN

I am trying to set up OpenVPN on Ubuntu 20.04. I'm not experienced in this area. After I set up OpenVPN, I perform test connectivity. I received handshake error message:
Sun Jul 26 05:53:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]68.228.217.219:1194
Sun Jul 26 05:53:17 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jul 26 05:53:17 2020 UDP link local: (not bound)
Sun Jul 26 05:53:17 2020 UDP link remote: [AF_INET]My_Public_ISP_IP:1194
Sun Jul 26 05:54:17 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jul 26 05:54:17 2020 TLS Error: TLS handshake failed
Sun Jul 26 05:54:17 2020 SIGUSR1[soft,tls-error] received, process restarting
Sun Jul 26 05:54:17 2020 Restart pause, 5 second(s)
Then I check to log
journalctl --identifier openvpn
I found two error message I believe why my OpenVPN cannot connect:
This is one of the error messages:
Could not determine IPv4/IPv6 protocol. Using AF_INET
I notice it's using my old client .conf file:
Error Message
My new .conf file is local.ovpn/
I tried removing client conf. sudo rm -vf BigK and replace it with local.ovpn. but it didnt work.
I need help figuring this issue out. i tried researching on my own but i came up short.
UPDATE
After several hours of researching online. the closet post I see helping me is this post https://unix.stackexchange.com/questions/385966/openvpn-error-status-2-and-cant-connect-to-internet-while-usingwhich didn't help.
I checked my client.conf
client
dev tun
proto udp
remote Public_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
Here is my server.conf
local IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
Here is localvpn.ovpn
client
dev tun
proto udp
remote Public_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
I faced the same problem and didn't find any solution. I was looking for another way to connect to OpenVPN server and it helped me.
Ubuntu 20.04 has a default tool for using OpenVPN:
Settings -> Network
Click + icon on one line with the VPN title
Choose Import from file... option and select your .ovpn config file in the popup window
Click Add button and that's it
PS: I hope it will help somebody to save any hours

Flutter WebRTC server is not letting me connect

I recently started using flutter to create an app that has video and audio calling, so I thought of using WebRTC to accomplish this. However, when I tried to create a local WebRTC server from the WebRTC Github it doesn't let me connect to it. When I run the server from the command prompt it tells me that the server is listening at the given local IP, but when I try to connect to it, it says the site can't be reached. Also when I ping the url it says the ping request could not find the host. Any kind of help would really be appreciated.
WebRTC server: https://github.com/flutter-webrtc/flutter-webrtc-server
Starting server in command prompt
netstat when server running
pinging server
The IP 0.0.0.0 is not the IP address the server is binding/listening too.
It is a common way that servers allow configurion 0.0.0.0 to express binding to all IPv4 the host has (see https://en.wikipedia.org/wiki/0.0.0.0 ). To acually reach your server use whatever IP you have on the host (if you are starting the server on your workstation 127.0.0.1 ought to work)
Ping on Windows is only ICMP if I am not mistaken, this means a TCP port number is not part of it's expected input. Eg. "0.0.0.0:8086" is not a valid target for that command (see https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/ping )
>ping 0.0.0.0:8086
Ping request could not find host 0.0.0.0:8086. Please check the name and try again.
>ping 0.0.0.0
Pinging 0.0.0.0 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Ping statistics for 0.0.0.0:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
>ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
Since what you are trying to connect to is a webserver you could use something like curl instead to try to verify your connection. Should be available without any further install if you are on Windows 10 1803 or newer.
>curl https://0.0.0.0:8086
curl: (7) Failed to connect to 0.0.0.0 port 8086: Address not available
>curl https://127.0.0.1:8086
<html><head><title>Unauthorized</title></head><body><h1>401 Unauthorized</h1></body></html>
Some browsers might support https://0.0.0.0:8086 in a similar way server do but I wouldn't rely on it. Go with https://127.0.0.1:8086 or a non localhost IP address of the host.

Postfix possible SMTP attack and blacklist

I have plesk 12.5.30 on my server which is often blacklisted on Symantec Mail Security reputation.
The ip is new (I have purchased the server on 13.02.2017).
Also my ip is blacklisted on BACKSCATTERER.
Seeing the log of postfix I have a lot of entries like
Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:50 server postfix/smtpd[14204]: connect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: disconnect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]
I have
Changed the smtp port to a non standard one (9456)
Installed firewall and fail2ban on plesk and setted as in image
Setted mail settings of plesk as in image
Installed a spamassasin
I have noticed also that some days ago i have lines in log like these
Mar 19 06:47:00 server postfix/smtp[13517]: CCC1C510023D: to=<229e7dc3183452c7d3290d1ba28f073e#www.lablue.de>, relay=none, delay=235637, delays=235636/0.05/0.09/0, dsn=4.4.1, status=deferred (connect to www.lablue.de[217.22.195.26]:25: Connection refused)
Mar 19 06:47:00 server postfix/smtp[13503]: 7EDD55100138: to=<Weber226#brockel.kirche-rotenburg.de>, relay=kirche-rotenburg-verden.de[136.243.213.122]:25, delay=239980, delays=239979/0.01/0.35/0.1, dsn=4.0.0, status=deferred (host kirche-rotenburg-verden.de[136.243.213.122] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
Mar 19 06:47:00 server postfix/smtp[13504]: 97B055100233: to=<office#angerlehner.at>, relay=none, delay=222922, delays=222922/0.01/0.64/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=angerlehner.at type=MX: Host not found, try again)
Mar 19 06:47:00 server postfix/smtp[13509]: 1E15F510019B: host mx1.leventboru.com.tr[89.19.1.69] said: 450 4.7.1 Recipient address rejected: Requested action not taken: mailbox unavailable or not local (in reply to RCPT TO command)
And i noticed a very long mail queue in plesk settings (i have deleted all mail in queue)
Any advice to block this attack??
Thanks in advance
Edit: I want to share my plesk-postfix settings
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
There is somenthing can i improve here?
You might consider to use a Fail2Ban - filter with the following regex - expressions:
failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
If you need further Fail2Ban regex - expressions, pls. consider to ADD the corresponding log - file entries, because some general standart ones may not suit your needs or/and your qmail/postfix/imap-courier/dovecot version, installed on your server. ;-)
Edit:
In order to be more precise, I now add the full suggestion, incl. the regex, that #MattiaDiGiuseppe already used in his comments - it's just a bit better formatted this way.
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
Pls. consider to have a look at all standart filters ( for Fail2Ban 0.10 AND older versions), by visiting:
=> https://github.com/fail2ban/fail2ban/tree/0.10/config/filter.d
If you desire to view the standarts for older versions, just click on the "Branch: 0.10" dropdpwn - button, pls.

Log Memcached Activity

I'm looking to log all activity going on in my memcached server. All reads and writes.
This is going to be used as a distributed daemon for lots of remote php apps in the cloud and need a way to SSH in and check out the activity going on, on the daemon.
I've googled extensively and can't find a single way to do this.
The Redis equivalent would be logging into the interactive console and typing MONITOR.
Thanks in advance.
You can do this using memcached's telnet stats command as such :
enable capturing information : stats detail on
wait a while
disable capturing : stats detail off
dump the information : stats detail dump
telnet yourhost 11211 and run the sequence above. Note that this will impact greatly the performance.
Also you could check out phpmemcacheadmin - it's a really nice tool for monitoring memcached pools.
You can start your memcached using the -vv parameter:
-vv very verbose (also print client commands/reponses)
The output is similar to this:
Dec 12 10:33:12 hostname memcached[18350]: <33 new auto-negotiating client connection
Dec 12 10:33:12 hostname memcached[18350]: 33: Client using the ascii protocol
Dec 12 10:33:12 hostname memcached[18350]: <33 set your.key.1 3 300 525
Dec 12 10:33:12 hostname memcached[18350]: >33 STORED
Dec 12 10:33:12 hostname memcached[18350]: <33 get your.key.2
Dec 12 10:33:12 hostname memcached[18350]: >33 sending key your.key.2
Dec 12 10:33:12 hostname memcached[18350]: >33 END
The output is sent to stdout, so you might want to redirect it to some file.
Use supervisord to run memcached. It'll log the memcached output (based on the 1,2 or 3 -v's) to syslog - so log rotate should work (it won't if you just pipe output to a file) and you can use syslog to send all the logs to a central logging machine (using something like graylog2 to take all the log info).