OpenSUSE security and examine a system.

Hello.
I installed OpenSUSE 42.3 and enabled the firewall with “yast”. Today, OpenSUSE is sending a lot of packets and has used all of the internet bandwidth. I want to know: is OpenSUSE a good distro for a server?
How can I tell whether the server has been hacked or not? Which log files must be checked?
I just installed Apache and I guess its default configuration bans access to the Apache files.

Thank you.

Today, OpenSUSE sending a lot packets and used all of the internet bandwidth,

Further analysis with tools like wireshark, iptraf, and nethogs may be helpful in determining what kind of traffic is evident.

I want to know is OpenSUSE a good distro for server?

Why not? (This is a very general question, so you’re bound to get subjective answers here.)

Start by inspecting the apache logs perhaps…
https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.apache2.html

Thank you.
According to this guide, I checked the server with some commands like “w”, “last” and “history”, but I can’t see anything unusual. I checked the Apache log and found something:

image-1

As you see, someone hacked my system through a proxy from Russia. They use a file with the name “dd.rar”, but how did this happen? The OpenSUSE firewall is activated:


$ sudo systemctl status SuSEfirewall2

And:

image-2

How can I find out how they did it? If they cleared their logs, then how can I recover them?
It is the second time that I installed OpenSUSE and my server was hacked.

Thank you.

@hack3rcon:

If you insist on changing the default permissions of your Apache Web Server and insist on presenting the entire directory structure of your system via that Web Server, then:

  1. Do not be surprised about a lot of Internet traffic being generated by that system.
  2. Do not be surprised that, someone, somewhere, will attempt to gain access to that system …

I never changed the permission:

image-3

What’s happened?

I don’t mean the file system permissions – I mean the permissions being setup by the Web Server’s configuration – the Web Server permissions being setup by the files in /etc/apache2/ …

Your logfiles do not say you are hacked…
Your logfiles are reporting events including unsuccessful attempts (those are the 404 error codes, you can look that up)
They say that a proxy cluster in Russia is trying to download dd.rar from your machine, but unsuccessfully, since you probably aren’t serving that file.

If you want to discourage the guy, then block his IP address (various ways to do this including in your firewall). Since the “attacker” (whether intentional or not) is connecting through what appears to be a proxy cluster, there are probably several IP addresses in that cluster.

What would you be looking for that would indicate a hacked website (or system, the two aren’t necessarily the same)?
You’d be looking for 200 events (successful events), and in particular POST events that read 200, which would mean that someone has successfully uploaded something to your website.

TSU

On 05/27/2019 12:16 AM, hack3rcon wrote:

Why are you starting with openSUSE 42.x when 15.1 is out? It’s not a huge
failure to use 42.x, but if you’re starting out you should probably start
with the latest so you can become familiar with it the most while it is in
active support, and be on a version most people will be installing today.

> Thank you.
> According to ‘this guide’
> (https://bash-prompt.net/guides/server-hacked/), I checked the server by
> some commands like “w”, “last” and “history” but I can’t see any unusual
> things. I checked Apache log and found somethings :
>
> [image: https://postimg.cc/QBZCYxqD]
>
> As you see, someone hacked my system by a proxy from the Russia. They
> use a file with the name “dd.rar”, but how this happened? OpenSUSE
> firewall activated:

Um… where do you see that? Having a log file is a good start, but
understanding it is something else entirely. This is showing clients,
some possibly from Russia, and mostly shows your server rejecting them
with appropriate return codes.

P.S. Pasting text is appreciated, as it is much more searchable,
indexable, and easier to move around (you could trivially paste your logs
here, for example). With logs here we could possibly help you understand
what they mean better, and that would be a good first step for you at this
point.

> Code:
> --------------------
>
> $ sudo systemctl status SuSEfirewall2
>
> --------------------
>
>
> And:
> [image: https://postimg.cc/HJPGcb9j]

If you are new to having a server (regardless of distribution or OS) then
the first thing you do should probably NOT be putting it on the Internet.
Even if you do, though, you shouldn’t immediately be “hacked” (unless
you’re running something very insecure from the start), but you will
certainly see a lot of drive-by scanners like these; welcome to having a
server on the public Internet; that’s normal.

> How can I find how they did it? if they cleared their logs then how can
> I recover it?

If you have deleted files then recover them from a backup. If you do not
have a backup, then get a backup. Better yet send logs to a dedicated log
server which is separate and writing to a write-once-read-many (WORM)
device. Of course, all of this is probably overkill for you since you are
not an enterprise and are just starting out, but this is how it can be done.

> It is the second times that I installed OpenSUSE and my server hacked.

You need to start with dropping assumptions about what you are seeing in
the logs. Understand the logs, what they actually mean, and what that
means for your computer.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Someone has successfully uploaded something to my website? How? The default configuration let it?

I never changed the default configuration.

I think you misread my post.
Not only did I try to explain what in your logs say you were not hacked, I also described what you would have to see that would have indicated someone had uploaded something to your website.

TSU

I understood, but the Apache default configuration let it? I never changed the default configuration.

The default configuration is to log all events.
If that bothers you, you can blacklist certain events, the following article is one way that describes how to do this

But, I don’t recommend the above… especially if you don’t know how to interpret logs you’ll likely end up not recording events which may be invaluable to investigate a real problem in the future. Instead, I recommend you leave your logging as it is, and instead use an application to filter which events you want to view or not. There are many apps to choose from… Some simply filter for specific text, others display graphs, etc.

Here is a Google search to get you started

https://www.google.com/search?ei=aNXvXJfbE5Dy-gSK8pmICA&q=apache+log+viewer

TSU

The configuration is:


> cat httpd.conf 
#
# /etc/apache2/httpd.conf 
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information about
# the directives.

# Based upon the default apache configuration file that ships with apache,
# which is based upon the NCSA server configuration files originally by Rob
# McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.

# If possible, avoid changes to this file. It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.

# Quickstart guide:
# http://en.opensuse.org/SDB:Apache_installation


# Overview of include files, chronologically:
#
# httpd.conf
#  | 
#  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
#  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
#  |-- loadmodule.conf . . . . . . . . . . . * load these modules
#  |-- listen.conf . . . . . . . . . . . . .  IP adresses / ports to listen on
#  |-- mod_log_config.conf . . . . . . . . .  define logging formats
#  |-- global.conf . . . . . . . . . . . . . * server-wide general settings
#  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
#  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
#  |-- mod_reqtimeout.conf . . . . . . . . .  set timeout and minimum data rate for receiving requests
#  |-- mod_cgid-timeout.conf . . . . . . . .  set CGIDScriptTimeout if mod_cgid is loaded/active
#  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
#  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
#  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
#  |-- errors.conf . . . . . . . . . . . . .  customize error responses
#  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
#  |-- protocols.conf  . . . . . . . . . . .  Protocol settings that applies to default server _and all_ virtual hosts
#  |
#  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
#  |    |--mod_userdir.conf  . . . . . . . .  enable UserDir (if mod_userdir is loaded)
#  |    `--conf.d/apache2-manual?conf  . . .  add the docs ('?' = if installed)
#  |
#  `-- vhosts.d/ . . . . . . . . . . . . . .  for each virtual host, place one file here
#       `-- *.conf . . . . . . . . . . . . .     (*.conf is automatically included)
#
#
# Files marked * are NOT read when server is started via systemd service. When server
# is started via service, defaults from /etc/sysconfig/apache2 are taken into account.
#



#  Filesystem layout:
#
# /etc/apache2/
#  |-- charset.conv  . . . . . . . . . . . .  for mod_auth_ldap
#  |-- conf.d/
#  |   |-- apache2-manual.conf . . . . . . .  conf that comes with apache2-doc
#  |   |-- mod_php4.conf . . . . . . . . . .  (example) conf that comes with apache2-mod_php4
#  |   `-- ... . . . . . . . . . . . . . . .  other configuration added by packages
#  |-- default-server.conf
#  |-- errors.conf
#  |-- httpd.conf  . . . . . . . . . . . . .  top level configuration file
#  |-- listen.conf
#  |-- magic
#  |-- mime.types -> ../mime.types
#  |-- mod_autoindex-defaults.conf
#  |-- mod_info.conf
#  |-- mod_log_config.conf
#  |-- mod_mime-defaults.conf
#  |-- mod_perl-startup.pl
#  |-- mod_status.conf
#  |-- mod_userdir.conf
#  |-- mod_usertrack.conf
#  |-- server-tuning.conf
#  |-- ssl-global.conf
#  |-- protocols.conf
#  |-- ssl.crl/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Revocation Lists (CRL)
#  |-- ssl.crt/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificates
#  |-- ssl.csr/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Signing Requests
#  |-- ssl.key/  . . . . . . . . . . . . . .  PEM-encoded RSA Private Keys
#  |-- ssl.prm/  . . . . . . . . . . . . . .  public DSA Parameter Files
#  |-- global.conf
#  |-- loadmodule.conf
#  |-- uid.conf
#  `-- vhosts.d/ . . . . . . . . . . . . . .  put your virtual host configuration (*.conf) here
#      |-- vhost-ssl.template
#      `-- vhost.template



### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.

# run under this user/group id
Include /etc/apache2/uid.conf

# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog /var/log/apache2/error_log

# generated from default value of APACHE_MODULES in /etc/sysconfig/apache2
<IfDefine !SYSCONFIG>
  Include /etc/apache2/loadmodule.conf
</IfDefine>

# IP addresses / ports to listen on
Include /etc/apache2/listen.conf

# predefined logging formats
Include /etc/apache2/mod_log_config.conf

# generated from default values of global settings in /etc/sysconfig/apache2
<IfDefine !SYSCONFIG>
  Include /etc/apache2/global.conf
</IfDefine>

# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

# mod_reqtimeout protects the server from the so-called "slowloris"
# attack: The server is not swamped with requests in fast succession,
# but with slowly transmitted request headers and body, thereby filling up
# the request slots until the server runs out of them.
# mod_reqtimeout is lightweight and should deliver good results
# with the configured default values. You shouldn't notice it at all.
Include /etc/apache2/mod_reqtimeout.conf

# Fix for CVE-2014-0231 introduces new configuration parameter 
# CGIDScriptTimeout. This directive and its effect prevent request 
# workers to be eaten until starvation if cgi programs do not send 
# output back to the server within the timout set by CGIDScriptTimeout.
Include /etc/apache2/mod_cgid-timeout.conf

# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf

# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf

# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
Include /etc/apache2/mod_mime-defaults.conf

# set up (customizable) error responses
Include /etc/apache2/errors.conf

# global (server-wide) SSL configuration, that is not specific to 
# any virtual host
Include /etc/apache2/ssl-global.conf

# global (server-wide) protocol configuration, that is not specific
# to any virtual host
Include /etc/apache2/protocols.conf

# forbid access to the entire filesystem by default
<Directory />
    Options None
    AllowOverride None
    <IfModule !mod_access_compat.c>
        Require all denied
    </IfModule>
    <IfModule mod_access_compat.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
<Files ~ "^\.ht">
    <IfModule !mod_access_compat.c>
        Require all denied
    </IfModule>
    <IfModule mod_access_compat.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var

### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf


### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
IncludeOptional /etc/apache2/vhosts.d/*.conf


# Note: instead of adding your own configuration here, consider 
#       adding it in your own file (/etc/apache2/httpd.conf.local)
#       putting its name into APACHE_CONF_INCLUDE_FILES in 
#       /etc/sysconfig/apache2 -- this will make system updates 
#       easier :) 

You may care to notice that:

  1. The default configuration has a considerable number of “Include” directives …
  2. The default configuration, initially, forbids access to the complete file system …
  3. The default configuration includes definitions located in /etc/apache2/default-server.conf which modify the initial forbidden access to an exactly defined access point: the “Document Root” directory: /srv/www/htdocs/ – defined as <Directory “/srv/www/htdocs”>

Therefore, you should examine the file /etc/apache2/default-server.conf to work out what’s happened to your permissions …

As I said, I never changed the default configuration:


~> cat /etc/apache2/default-server.conf
#
# Global configuration that will be applicable for all virtual hosts, unless
# deleted here, or overriden elswhere.
# 

DocumentRoot "/srv/www/htdocs"

#
# Configure the DocumentRoot
#
<Directory "/srv/www/htdocs">
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    # NOTE: For directories where RewriteRule is used, FollowSymLinks
    # or SymLinksIfOwnerMatch needs to be set in Options directive.
    Options None
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    AllowOverride None
    # Controls who can get stuff from this server.
    <IfModule !mod_access_compat.c>
        Require all granted
    </IfModule>
    <IfModule mod_access_compat.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

# Aliases: aliases can be added as needed (with no limit). The format is 
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL.  So "/icons" isn't aliased in this
# example, only "/icons/".  If the fakename is slash-terminated, then the 
# realname must also be slash terminated, and if the fakename omits the 
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings.  If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/apache2/icons/"

<Directory "/usr/share/apache2/icons">
    Options Indexes MultiViews
    AllowOverride None
    <IfModule !mod_access_compat.c>
        Require all granted
    </IfModule>
    <IfModule mod_access_compat.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

# "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/srv/www/cgi-bin">
    AllowOverride None
    Options +ExecCGI -Includes
    <IfModule !mod_access_compat.c>
        Require all granted
    </IfModule>
    <IfModule mod_access_compat.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# To disable it, simply remove userdir from the list of modules in APACHE_MODULES 
# in /etc/sysconfig/apache2.
#
<IfModule mod_userdir.c>
    # Note that the name of the user directory ("public_html") cannot simply be
    # changed here, since it is a compile time setting. The apache package
    # would have to be rebuilt. You could work around by deleting
    # /usr/sbin/suexec, but then all scripts from the directories would be
    # executed with the UID of the webserver.
    UserDir public_html
    # The actual configuration of the directory is in
    # /etc/apache2/mod_userdir.conf.
    Include /etc/apache2/mod_userdir.conf
    # You can, however, change the ~ if you find it awkward, by mapping e.g.
    # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/ 
    #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
</IfModule>


# Include all *.conf files from /etc/apache2/conf.d/.
#
# This is mostly meant as a place for other RPM packages to drop in their
# configuration snippet.
#
# You can comment this out here if you want those bits include only in a
# certain virtual host, but not here.
#
IncludeOptional /etc/apache2/conf.d/*.conf

# The manual... if it is installed ('?' means it won't complain)
IncludeOptional /etc/apache2/conf.d/apache2-manual?conf

I’m looking forward to the answers.
This is the second time that I installed SUSE and my server was hacked without any reason.

I’d start with examining your server security practices. It should not be easy/normal to be hacked as you’ve alluded to.

If you didn’t understand what I posted before…

The log snippet you posted says **you are not hacked.**
I also tried to explain what your logfile was saying…
**440 errors** do not mean you are hacked, it means someone is trying to download or access something that doesn’t exist. That’s good.
If you were hacked, the suspected hacker would have to do something illegal successfully.
All successful events, both legal and illegal would return a 200 code and your log snippet doesn’t contain any.

TSU
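TSU’s two explanations (the earlier one about looking for 200 responses and especially 200 POST events, and this one about 404s being failed requests) can be applied mechanically to an access_log. The script below is an added example and was not posted in this thread, nor is it part of openSUSE or Apache. It parses the Apache “combined” log format that mod_log_config.conf defines, counts the rejected requests per path and client, and lists only the entries that would actually deserve a closer look: POST or PUT requests that the server answered with a 2xx status. The log lines inside it are constructed for the example, using documentation IP ranges.

```python
import re
from collections import Counter

# Apache "combined" LogFormat, as defined in mod_log_config.conf:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The request line (%r) is logged as received, so garbage sent by a scanner
# (for example a TLS handshake on the plain-HTTP port) will not match this
# pattern; those lines are counted as "unparsed" rather than silently dropped.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed sample access_log lines (not the thread's real log). The client
# addresses are from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_LINES = [
    '192.0.2.10 - - [27/May/2019:00:10:01 +0000] "GET /dd.rar HTTP/1.1" 404 1043 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [27/May/2019:00:10:02 +0000] "GET /dd.rar HTTP/1.1" 404 1043 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [27/May/2019:00:10:03 +0000] "GET /.htaccess HTTP/1.1" 403 1012 "-" "curl/7.64.0"',
    '198.51.100.7 - - [27/May/2019:00:11:00 +0000] "GET /index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    # A 2xx answer to a POST is the pattern described above as the real red flag.
    '198.51.100.7 - - [27/May/2019:00:11:05 +0000] "POST /upload.php HTTP/1.1" 200 12 "-" "python-requests/2.21"',
    # Binary junk in the request line: logged by Apache, but not a parseable request.
    r'192.0.2.13 - - [27/May/2019:00:12:00 +0000] "\x16\x03\x01" 400 0 "-" "-"',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def triage(log_text):
    """Summarise an access_log: what was asked for, by whom, and what the server answered."""
    summary = {
        "total": 0,
        "unparsed": 0,
        "by_status": Counter(),        # HTTP status code -> count
        "by_host": Counter(),          # client address -> request count
        "not_found_paths": Counter(),  # paths that drew a 404 (the scanner's wish-list)
        "successful_posts": [],        # (host, method, path) answered with 2xx
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        summary["total"] += 1
        m = LOG_RE.match(line)
        if m is None:
            summary["unparsed"] += 1
            continue
        status = int(m["status"])
        summary["by_status"][status] += 1
        summary["by_host"][m["host"]] += 1
        if status == 404:
            summary["not_found_paths"][m["path"]] += 1
        elif 200 <= status < 300 and m["method"] in ("POST", "PUT"):
            summary["successful_posts"].append((m["host"], m["method"], m["path"]))
    return summary


def indicators(summary):
    """Return the entries that warrant investigation. An empty list means the log
    shows only rejected requests, i.e. no evidence that anything was uploaded."""
    return [
        f"{host} got a 2xx reply to {method} {path}: check what that handler did with the request body"
        for host, method, path in summary["successful_posts"]
    ]


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"{s['total']} lines, {s['unparsed']} unparsed, status counts: {dict(s['by_status'])}")
    print("most-probed missing paths:", s["not_found_paths"].most_common(3))
    for msg in indicators(s) or ["no successful POST/PUT seen: only 403/404 noise"]:
        print(msg)
```

Run it against a real file with `triage(open("/var/log/apache2/access_log").read())`. Repeated 404s for the same path from several addresses, as in the first two constructed lines, are exactly the scanner noise this thread is about; the one entry the script flags is the POST that received a 200, which on a server that only serves static pages from /srv/www/htdocs is the event that would need explaining.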

Start with reading on Apache access.log format and what HTTP response 403 and 404 mean.