WHM Firewall Configuration

From UniWiki
Revision as of 10:09, 22 April 2016 by Romuloberri (Created page with '=== Identifying a possible block === When someone is blocked by the server firewall, they will receive the message: 10060 - Connection Refused Some routines that will give...')

Identifying a possible block

When someone is blocked by the server's firewall, they will receive the message: 10060 - Connection Refused

Some routines that will fail with error 10060:
- Unilaudos
- Updating a patient's password over the internet
- Issuing boletos (bank payment slips)

To be tidied up from here down

================== 20/04/2016 This error occurred in the morning.

Searching for 201.15.255.170...

Chain num pkts bytes target prot opt in out source destination

DENYIN 7 12 608 DROP all --  !lo * 201.15.255.170 0.0.0.0/0

DENYOUT 7 0 0 LOGDROPOUT all -- *  !lo 0.0.0.0/0 201.15.255.170


ip6tables:

Chain num pkts bytes target prot opt in out source destination
No matches found for 201.15.255.170 in ip6tables

Temporary Blocks: IP:201.15.255.170 Port: Dir:inout TTL:1800 (lfd - 201.15.255.170 (BR/Brazil/201-15-255-170.ctaje700.dsl.brasiltelecom.net.br), 20 distributed FTP Logins on account [chat@uniware.com.br] in the last 300 secs) ...Done.

Unblock 201.15.255.170: Unblock 201.15.255.170?

===================== Configuration changed to avoid this type of block in the future: Home » Plugins » ConfigServer Security & Firewall > Firewall Configuration > Distributed Attacks: LF_DISTFTP = changed from 20 to 0. A value of 0 disables the distributed FTP login check for every account on the server.



================== 20/04/2016 This error occurred in the morning.
Searching for 177.23.143.18...


Chain num pkts bytes target prot opt in out source destination

DENYIN 2 1277 71184 DROP all --  !lo * 177.23.143.18 0.0.0.0/0

DENYOUT 2 0 0 LOGDROPOUT all -- *  !lo 0.0.0.0/0 177.23.143.18


ip6tables:

Chain num pkts bytes target prot opt in out source destination
No matches found for 177.23.143.18 in ip6tables

csf.deny: 177.23.143.18 # lfd: (PERMBLOCK) 177.23.143.18 (BR/Brazil/-) has had more than 4 temp blocks in the last 86400 secs - Wed Apr 20 11:07:39 2016 ...Done.

Unblock 177.23.143.18: Unblock 177.23.143.18?


============== search in Home » Plugins » ConfigServer Security & Firewall >>

Apr 20 08:33:34 newton lfd[89351]: (ftpd) Failed FTP login from 177.23.143.18 (BR/Brazil/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_FTPD]
Apr 20 09:03:35 newton lfd[102122]: Incoming IP 177.23.143.18 temporary block removed
Apr 20 09:03:35 newton lfd[102122]: Outgoing IP 177.23.143.18 temporary block removed
Apr 20 09:20:45 newton lfd[113758]: (ftpd) Failed FTP login from 177.23.143.18 (BR/Brazil/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_FTPD]
Apr 20 09:50:45 newton lfd[130836]: Incoming IP 177.23.143.18 temporary block removed
Apr 20 09:50:45 newton lfd[130836]: Outgoing IP 177.23.143.18 temporary block removed
Apr 20 09:55:51 newton lfd[133967]: (ftpd) Failed FTP login from 177.23.143.18 (BR/Brazil/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_FTPD]
Apr 20 10:25:51 newton lfd[148552]: Incoming IP 177.23.143.18 temporary block removed
Apr 20 10:25:51 newton lfd[148552]: Outgoing IP 177.23.143.18 temporary block removed
Apr 20 10:31:12 newton lfd[151395]: (ftpd) Failed FTP login from 177.23.143.18 (BR/Brazil/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_FTPD]
Apr 20 11:01:13 newton lfd[166095]: Incoming IP 177.23.143.18 temporary block removed
Apr 20 11:01:13 newton lfd[166095]: Outgoing IP 177.23.143.18 temporary block removed
Apr 20 11:07:39 newton lfd[169577]: (PERMBLOCK) 177.23.143.18 (BR/Brazil/-) has had more than 4 temp blocks in the last 86400 secs - *Blocked in csf* [LF_FTPD]
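
An added example, not part of the original wiki page: a small Python parser that rebuilds the block timeline for one IP from the lfd lines above, reporting which rule fired, how many temporary blocks accumulated, and how soon after each release the IP was blocked again before the PERMBLOCK. The function names and the `year` default (taken from the page's date) are assumptions of this example; the log lines are copied from the page.

```python
import re
from datetime import datetime

# lfd log lines copied from the page (the paired "Outgoing IP ... removed" lines are omitted).
LOG = """\
Apr 20 08:33:34 newton lfd[89351]: (ftpd) Failed FTP login from 177.23.143.18 (BR/Brazil/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_FTPD]
Apr 20 09:03:35 newton lfd[102122]: Incoming IP 177.23.143.18 temporary block removed
Apr 20 09:20:45 newton lfd[113758]: (ftpd) Failed FTP login from 177.23.143.18 (BR/Brazil/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_FTPD]
Apr 20 09:50:45 newton lfd[130836]: Incoming IP 177.23.143.18 temporary block removed
Apr 20 09:55:51 newton lfd[133967]: (ftpd) Failed FTP login from 177.23.143.18 (BR/Brazil/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_FTPD]
Apr 20 10:25:51 newton lfd[148552]: Incoming IP 177.23.143.18 temporary block removed
Apr 20 10:31:12 newton lfd[151395]: (ftpd) Failed FTP login from 177.23.143.18 (BR/Brazil/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_FTPD]
Apr 20 11:01:13 newton lfd[166095]: Incoming IP 177.23.143.18 temporary block removed
Apr 20 11:07:39 newton lfd[169577]: (PERMBLOCK) 177.23.143.18 (BR/Brazil/-) has had more than 4 temp blocks in the last 86400 secs - *Blocked in csf* [LF_FTPD]
"""

STAMP = r"^(\w{3} +\d+ [\d:]{8}) \S+ lfd\[\d+\]: "
PATTERNS = {
    "temp": re.compile(STAMP + r"\(\w+\) .* from (?P<ip>\S+) .*\*Blocked in csf\* for (?P<ttl>\d+) secs \[(?P<rule>\w+)\]"),
    "perm": re.compile(STAMP + r"\(PERMBLOCK\) (?P<ip>\S+) .*\*Blocked in csf\* \[(?P<rule>\w+)\]"),
    "released": re.compile(STAMP + r"Incoming IP (?P<ip>\S+) temporary block removed"),
}

def parse_events(log_text, year=2016):
    """Yield (timestamp, kind, ip, fields) for each lfd block/unblock line; other lines are skipped."""
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            if m := rx.match(line):
                when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                yield when, kind, m.group("ip"), m.groupdict()
                break

def block_report(log_text, ip):
    """Summarise why `ip` ended up blocked: rules hit, temp-block count, re-block delays, escalation."""
    report = {"temp_blocks": 0, "rules": set(), "reblock_delay_secs": [], "permanent": False}
    last_release = None
    for when, kind, addr, f in parse_events(log_text):
        if addr != ip:
            continue
        if kind == "released":
            last_release = when
            continue
        report["rules"].add(f["rule"])
        report["temp_blocks"] += kind == "temp"
        report["permanent"] |= kind == "perm"
        if last_release is not None:  # seconds from the firewall releasing the IP to lfd blocking it again
            report["reblock_delay_secs"].append(int((when - last_release).total_seconds()))
            last_release = None
    return report
```

For 177.23.143.18 this reports four LF_FTPD temporary blocks, re-blocks 1030, 306, 321 and 386 seconds after each release, and the final permanent block.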

================

Home » Plugins » ConfigServer ModSecurity Control

Check:

www.salutelab.com.br 178.17.174.99 300004 [20/Apr/2016:08:45:05 --0300] Pattern match "/\\.\\./" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "309"] [id "300004"] [rev "2"] [msg "Generic Path Recursion denied"] [severity "CRITICAL"]

[20/Apr/2016:08:45:05 --0300] VxdrwUPhxMgAAW7uePgAAAAJ 178.17.174.99 40159 67.225.196.200 80

--43ac3534-B--
GET /wp-content/plugins/simple-download-button-shortcode/simple-download-button_dl.php?file=../../../../wp-config.php HTTP/1.1
Host: www.salutelab.com.br
Connection: keep-alive
Cookie: PHPSESSID=34422ee288da6b85377383ebf787d130
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0

--43ac3534-F--
HTTP/1.1 404 Not Found
X-Pingback: http://www.salutelab.com.br/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

--43ac3534-H--
Message: Access denied with code 500 (phase 2). Pattern match "/\\.\\./" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "309"] [id "300004"] [rev "2"] [msg "Generic Path Recursion denied"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1461152705608930 160933 (- - -)
Stopwatch2: 1461152705608930 160933; combined=274, p1=32, p2=237, p3=0, p4=0, p5=4, sr=14, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"