Iptables, Bogon list, DoS attacks.
krika
12-29-2006, 02:29 PM
I have a problem with DoS attacks or something.
I am getting these errors:
TCP: Treason uncloaked!
I don't know what the cause is, but some people are saying that I need to edit my iptables.
There's a link to a bogon list too:
http://www.cymru.com/Documents/index.html
All in all I want to ask: does someone know what to do, where are the iptables that must be edited and what should I do with them? ;s I have no idea, I am no expert.
I know it's probably not a ServerCP related issue, but I hope someone knows what to do.
Jeremy
12-31-2006, 03:16 AM
Give me the output of iptables:
iptables -L
If you need help setting up iptables, look into APF.
Or I can try and help you here.
krika
01-03-2007, 03:04 AM
Let iptables wait; can you please tell me what the "log" below is? It is my dmesg after a huge 8 hours of downtime (I wasn't able to log in to adminCP or anywhere; the only thing I was able to do was ping the server).
Here is the log:
oom-killer: gfp_mask=0xd0
Mem-info:
DMA per-cpu:
cpu 0 hot: low 2, high 6, batch 1
cpu 0 cold: low 0, high 2, batch 1
cpu 1 hot: low 2, high 6, batch 1
cpu 1 cold: low 0, high 2, batch 1
Normal per-cpu:
cpu 0 hot: low 32, high 96, batch 16
cpu 0 cold: low 0, high 32, batch 16
cpu 1 hot: low 32, high 96, batch 16
cpu 1 cold: low 0, high 32, batch 16
HighMem per-cpu:
cpu 0 hot: low 32, high 96, batch 16
cpu 0 cold: low 0, high 32, batch 16
cpu 1 hot: low 32, high 96, batch 16
cpu 1 cold: low 0, high 32, batch 16
Free pages: 15052kB (1600kB HighMem)
Active:328909 inactive:157656 dirty:0 writeback:0 unstable:0 free:3763 slab:10594 mapped:475888 pagetables:11018
DMA free:12588kB min:16kB low:32kB high:48kB active:0kB inactive:0kB present:16384kB pages_scanned:5920 all_unreclaimable? yes
protections[]: 0 0 0
Normal free:864kB min:928kB low:1856kB high:2784kB active:523320kB inactive:301252kB present:901120kB pages_scanned:218248800 all_unreclaimable? yes
protections[]: 0 0 0
HighMem free:1600kB min:512kB low:1024kB high:1536kB active:792316kB inactive:329372kB present:1170624kB pages_scanned:0 all_unreclaimable? no
protections[]: 0 0 0
DMA: 3*4kB 4*8kB 4*16kB 2*32kB 4*64kB 1*128kB 1*256kB 1*512kB 1*1024kB 1*2048kB 2*4096kB = 12588kB
Normal: 0*4kB 0*8kB 0*16kB 1*32kB 1*64kB 0*128kB 1*256kB 1*512kB 0*1024kB 0*2048kB 0*4096kB = 864kB
HighMem: 212*4kB 38*8kB 0*16kB 4*32kB 3*64kB 1*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 1600kB
Swap cache: add 591930, delete 577871, find 66722/74642, race 0+0
0 bounce buffer pages
Free swap: 0kB
522032 pages of RAM
292656 pages of HIGHMEM
5517 reserved pages
1101628 pages shared
14059 pages swap cached
Out of Memory: Killed process 22417 (httpd).
Is it possible that this was caused by hackers?
krika
01-03-2007, 03:11 AM
Can't edit my post; here is my iptables output, I think?
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I got this with "iptables -L".
Jeremy
01-11-2007, 07:21 AM
krika
Your iptables looks 'ok'; there's no filtering/blocking going on there.
Give me the output of:
free -m
uname -a
uptime
I personally haven't seen that type of error; I would have to poke around on that one...
krika
01-12-2007, 09:01 PM
Thanks LynxPrime for trying to help :)
free -m
total used free shared buffers cached
Mem: 2017 1604 413 0 13 488
-/+ buffers/cache: 1102 915
Swap: 1983 1172 811
uname -a
Linux gamershood.net 2.6.9-22.0.2.ELsmp #1 SMP Tue Jan 17 07:10:04 CST 2006 i686 i686 i386 GNU/Linux
uptime
21:59:34 up 11 days, 1:46, 1 user, load average: 0.35, 1.14, 5.82
//I have rebooted the server because of the problems
//by the way, at the moment the server has been okay for about 5 days or so, it's nice ;D
I have another problem too :o, my FTP is getting slow; it waits too long before it connects, but when it connects then it's fast like it should be. Is that something to do with "resolv.conf" maybe?
Here are the IPs I'm using in resolv.conf; I got those from mIRC a year ago.
nameserver 198.7.0.1
nameserver 195.50.193.163
Jeremy
01-13-2007, 01:32 AM
Well, I see your problem: it's that kernel you're running.
I forget what the latest release of kernels CentOS uses (if that's what you use); there are numerous reports about their kernels.
Try yum update kernel
Type
cat /etc/redhat-release
Paste the output.
You're dipping into swap, and probably having IO issues (causing your box to lock up).
The 'fix' is to compile your kernel from source, or hire someone to do it for you. I can't simply tell you how to do it; there are a few things that need to be looked at.
If your server isn't in New York, where 198.7.0.1 is, you might wanna find a closer DNS server. Ask your provider; they 'should' have one.
But i can help you bypass that.
Open /etc/proftpd.conf
Find or add
UseReverseDNS off
IdentLookups off
Then /etc/init.d/proftpd restart
Test your FTP now :)
Basically the FTP server doesn't check if the IP is real and doesn't check the rDNS. Doesn't help or hurt anything.
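The "find or add" step from the reply above, as an added example that is neither poster's code: a small function that rewrites the directive if it is already in proftpd.conf and appends it otherwise, so it can be re-run without duplicating lines. It works on a constructed temp file by default; CONF is an assumed variable for pointing it at the real /etc/proftpd.conf.

```shell
#!/bin/sh
# Added example, not from the thread: apply the two proftpd.conf directives from
# the reply above in a find-or-add way, so re-running it never duplicates lines.
# By default a constructed temp file stands in for /etc/proftpd.conf; set CONF
# (assumed variable) to the real path to use it for real, then restart proftpd.
set_directive() {
    # set_directive FILE NAME VALUE: rewrite every line whose first word is NAME
    # (case-insensitive, leading whitespace ignored, so lines inside
    # <Anonymous> blocks count too) or append "NAME VALUE" if none exists.
    file="$1" name="$2" value="$3"
    awk -v n="$name" -v v="$value" '
        tolower($1) == tolower(n) { print n, v; seen = 1; next }
        { print }
        END { if (!seen) print n, v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

harden_ftp() {
    # Turn off the per-connection reverse DNS and ident lookups that make
    # proftpd pause before greeting the client (the delay described above).
    set_directive "$1" UseReverseDNS off
    set_directive "$1" IdentLookups off
}

if [ -z "$CONF" ]; then
    CONF=$(mktemp)
    # Constructed sample: one directive present with the slow value, one missing.
    cat > "$CONF" <<'EOF'
ServerName "constructed example"
  UseReverseDNS on
Port 21
EOF
fi
harden_ftp "$CONF"
cat "$CONF"
# On the real host, follow up with: /etc/init.d/proftpd restart
```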
Jeremy
01-13-2007, 01:34 AM
http://www.rack911.com/ is a place you can go to pay someone to help you with the kernel. Or you can try it yourself; I can help you with pointers :)
krika
01-13-2007, 03:05 PM
Wow, great, now I am getting somewhere :)
"yum update kernel" gave me this:
Setting up Update Process
Setting up repositories
dsm 100% |=========================| 1.1 kB 00:00
not using ftp, http[s], or file for repos, skipping - Test mode - must specify ip/cc, arch and repo as parameters
Cannot find a valid baseurl for repo: base
Error: Cannot find a valid baseurl for repo: base
Maybe I should ask rack911 to set up their "Extreme Linux Security Plan"; then the server would be updated AND secure :)
cat /etc/redhat-release
CentOS release 4.2 (Final)
And the FTP is running great now! Thanks!!!
However, about resolv.conf, I will try to find a better DNS server. I just realised that the second IP belongs to my internet provider (my memory is messing with me), and I think I know what IP I have to try for the first IP (however now there is no need for that).
Jeremy
01-14-2007, 01:55 AM
Glad to hear about the FTP.
The CentOS release you're using is a bit out of date. The latest is 4.4.
You can try
yum update yum (it should pull the latest yum)
The latest bind (your DNS server) may break... but it's an easy fix; you can set yum not to update it as well.
CentOS doesn't support 4.2 much anymore; it's considered archived.
As for the DNS servers check this out.
http://www.opennic.unrated.net/public_servers.html
You should pick from the Tier2 set. If your server is in LA my favorites are 4.2.2.2 and 4.2.2.1, or I use my work's DNS servers 216.152.254.254 and 69.26.170.254.
krika
01-14-2007, 06:05 AM
I updated CentOS to 4.4, had the same problem as here (http://discuss.zervex.com/showthread.php?t=907) but I removed dovecot and everything went right.
I took European DNS from here (http://www.opennic.unrated.net/public_servers.html); LA is too far away ;)
There is only one more problem that keeps my attention: when I run "top", every single mysql connection takes 5,4% of memory. Should I worry or not? :confused:
Jeremy
01-14-2007, 12:08 PM
I would check out /etc/my.cnf and optimize that sucker then.
There's an easy template you can follow; what MySQL version are you running?
Another tool for MySQL is called mytop (you need to install it); it's kinda like top:
http://jeremy.zawodny.com/mysql/mytop/
What kernel are you running now? uname -a
krika
01-15-2007, 07:40 AM
Thanks, I will install this program right away if I get my DSM back up.
After I updated, everything was okay, but today my DSM is unavailable. I get the message below everywhere I use port 3000. Can't log in via SSH because I can't add my IP to the shell list. Looks like I have to do it manually, but I'm not sure what to do? Maybe reboot the server? I think I will go and reboot the server right away; I'll let you know :p
Oh, and the websites are working fine, just can't access DSM.
An error has occured!
Service is temporarily unavailable. See system log
Jeremy
01-15-2007, 12:28 PM
You ran yum update and after that you're locked out?
Normally I install webmin and lock down the port to it, just in case I'm locked out.
What I can suggest is installing a Java/PHP app to interface with SSH locally.
I upload this http://sourceforge.net/projects/phpeshell/ when I have to work on clients' boxes; hope that helps.
Generally it's not a good idea to just reboot the box (hard boot I mean); MySQL hates that :D
krika
01-15-2007, 01:29 PM
After I ran yum update everything was okay and working. My IP changed, but I can only log in when I have submitted my IP in shellmanager.
I am going to install that application :p Good I didn't reboot my box already.
But if I get in, what should I do to set DSM back online? That is the question (:
Jeremy
01-16-2007, 08:15 AM
Your IP changed (server or you?)
If it's your server you would have to contact Zervex to update their records.
If your IP changed, modify /etc/hosts.allow
To try to figure out the DSM thing, try restarting it:
service dsm restart
tailf /var/log/messages
Or follow these steps:
http://discuss.zervex.com/showthread.php?t=395
Jeremy
01-16-2007, 08:20 AM
In the page I linked, don't put the & at the end of the command...
It will force it to continue... & puts the process in the background; you don't want that to happen.
krika
01-17-2007, 11:50 AM
I went to my server, took my monitor with me :D and tried to open the terminal window, but the server was like a 386 and I had to hard boot it, damn.
Anyway, I ran the commands, but it looks like my license has expired. I thought that the free account is for unlimited time. Or maybe it is; I just don't know what to do. The server's IP is the same. And the time should be too, however I am not 100% sure.
I need to know how to update the time or the license :P
krika
01-17-2007, 12:05 PM
And I forgot to say that now my browser says "Unable to connect" when I try to connect to port 3000.
krika
01-17-2007, 05:44 PM
The second time (1-2 hours later) when I tried to restart DSM, it worked; dunno why it didn't the first time :P
Problem solved; however, 1 site is very slow on my server while the other is superfast compared to the 1st :confused:
Jeremy
01-17-2007, 10:35 PM
hehe no idea about that one :)
MySQL?
watch
top -c
See what pops up.
There are a few things that can be optimized for LAMP (Linux Apache MySQL PHP):
sysctl.conf
httpd.conf
my.cnf
php.ini
krika
01-18-2007, 06:53 AM
Wow, thanks LynxPrime, top -c is great, didn't know that :) It shows everything I need to know, but maybe you know something about this line; this is the biggest memory taker. I can see it's related to mysql, but maybe it's something else:
/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/gamershood.net.pid --skip-locking
Jeremy
01-18-2007, 12:02 PM
Yea, that would be the problem.
MySQL is a plague when you have a large database.
By chance did you install mytop? That would show you what DB is making your server slow.
Now another problem would be that kernel; as I said before, they downright suck. :)
I would look into upgrading it or have someone else do it; I'll be more than happy to help you out. It's simple, just a few things you would need to watch out for.
krika
01-18-2007, 01:08 PM
At the moment, rack911.com is checking the server already.
And I wasn't able to install mytop because I wasn't able to install TermReadKey-2.30.tar :p
I will let you know if Steve from rack911 can find the problem :)
Jeremy
01-18-2007, 09:46 PM
Good to hear; Steven is a very reliable guy. We have worked on a few projects together.
As for mytop and TermReadKey,
try this:
cpan -or- perl -MCPAN -e shell
install Term::ReadKey
Follow the screen.
krika
01-20-2007, 04:36 AM
cpan -or- perl -MCPAN -e shell
Didn't connect to anywhere; I think it's because of my server's conf.
It's Saturday and rack911 is not working at the moment. But Steven told me that I need server optimization. Will see what happens on Monday :)
I have a few other things I want to mention about 1 slow page on the server.
The other pages are working fine, like I said, but that one, if I click, the browser says "waiting for www.domain.name" and it's waiting about 6 seconds; after that, it starts to load and loads fast. If I click in a row like 0.5 sec-click-0.5 sec-click-0.5 sec-click etc. then it's fast too. After waiting 2 seconds after a click and making another click, it's waiting again about 6 seconds before the page loads.
This information is quite weird, but is the page slow because of mysql, if mysql is fast on other pages?
The other thing i noticed:
ServerCP - DNS - Raw Edit(Zone settings)
The slow website's settings in "raw edit" were old and were pointing to my old DNS addresses, which were "everydns.net", but I am using "dnsmadeeasy.com".
I changed back to "everydns" to test and changed the Zone settings too; still it wasn't working. So I think the site is not slow because of the DNS settings.
And if I type my IP address into a web browser, then it loads "the slow site". Maybe that's related to the problem why the site is slow.
There are lots of typos, I hope someone will understand :D
krika
01-20-2007, 04:43 AM
And another thing I forgot to say. If I connect to my server via ssh, then it's slow, times out sometimes. But this may be the server's issue :P
krika
01-20-2007, 05:40 PM
I think I just found out why my server is slow. The page that is slow is the greatest memory taker, because there are big mysql tables. Usually it took 1/2 less memory, but now it's using all the memory.
Anyway, I have to wait for Monday and after the server's optimization, I have to buy some extra memory, just in case. Just one weird thing is that there are fewer visitors at the moment, but the server is taking more memory :confused:
I attached a screenshot of top as well.
Jeremy
01-22-2007, 05:17 AM
I would wait for the kernel update then. That has a big impact trust me.