Editor’s Notes: This post will mostly help those who are running their website on Ubuntu Linux Server. It is interesting nevertheless and gives insight into the reality behind managing the server.
During the last two weeks my database has been crashing constantly at almost the same time during the day, daily. I ignored it at first and thought it to be a short-term problem, but then it never went away. In fact, with time it became a huge problem and crashed my database multiple times during the day; for me, it became a battle to keep the server alive and kicking.
When I asked for help on forums, some claimed that my database is corrupt, some said that my Apache configuration is not correct, and so on. But after looking over and over again at all configurations, there seemed to be no problem at all. “So what the hell is taking down my server daily at almost the exact same time during the day?”, I ask my hosting provider (SliceHost) team during a live chat. I share a few lines of my Apache error log just before my server went down and guess what I hear back from them: “This pattern in the error log seems like a Brute Force Attack to me”.
Here is what my error log showed (it can be found at /var/log/apache2/).
BRUTE FORCE ATTACK
“Brute Force Attack”, I shout at the top of my voice. “Brute Force Attack”, I shout again. Of course I know what a Brute Force Attack is, but the name itself is so scary, let alone knowing the meaning. For those who don’t know what a Brute Force Attack is, check out Wikipedia. It turns out some guy (or gal) was trying to hack my password through the Brute Force Attack method and failed for one month two weeks straight, what a loser. “Patience, Patience…..”, tells my heart, but my mind is all jammed up since this is the first time someone has attacked my server.
The Slicehost team were great enough to help me out before pointing me over to their forums, where they claimed that I could be helped by a larger community, but could I ever wait? NO, I couldn’t.
So I went ahead and googled the hell out of Google, but alas all results were occupied by SEO whores and I couldn’t find the solution to my actual problem. Most results were forum postings where other users were having the same problem and had no replies yet, Google being clueless indexed them all.
But wait, the Slicehost team also recommended that I install fail2ban; how could I even forget it in the first place when I set up my server? So I went ahead, installed fail2ban, configured all settings and it was up in no time. This didn’t make me smile, let alone happy, since I wanted to do more.
By more, I meant blocking the IP address from where the brute force attack is originating. I found out that there are two methods to do that – One is through htaccess and other is blocking directly through iptables. I went ahead with the second method since it is more fruitful and easy-to-do.
But how easy? Different sites were pissing me off at different times during the day by mentioning different commands that needed to be entered at different times in terminal. What the hell? Finally, I found out the exact command that needed to be entered.
To block an IP address, enter the following command in your terminal:
iptables -I INPUT -s 22.214.171.124 -j DROP
To unblock an IP address, enter the following:
iptables -D INPUT -s 126.96.36.199 -j DROP
The address after -s can be any IP address; to unblock, use the same address you blocked, since -D only removes a rule that matches exactly. For those who are new to Linux server hosting, you can find the IP address in the Apache error log file, but be warned: don’t block your own IP address, even by mistake.
To check whether an IP has been successfully blocked, type the following command:
In the below screenshot you can see three different addresses that I have blocked.
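The steps above (find the offending address in the Apache error log, block it with iptables, never block your own address) can be combined into one script. This is an added example, not from the original post: the log line format, the threshold, the allowlist and all addresses are constructed assumptions, and the script only prints the iptables commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: propose iptables blocks from Apache error-log auth failures.
# Assumptions (not from the post): log line format, THRESHOLD, ALLOWLIST.

THRESHOLD=5                 # failures before an address is proposed for blocking
ALLOWLIST="198.51.100.20"   # your own address(es), space separated; never blocked

# Print line $2 exactly $1 times (helper for the constructed sample below).
repeat() { n=$1; while [ "$n" -gt 0 ]; do printf '%s\n' "$2"; n=$((n - 1)); done; }

# Constructed sample in Apache error-log style, documentation addresses only.
sample_log() {
  repeat 7 '[Sat Mar 06 10:15:01 2010] [error] [client 203.0.113.7] user admin: authentication failure for "/admin": Password Mismatch'
  repeat 6 '[Sat Mar 06 10:16:02 2010] [error] [client 198.51.100.20] user editor: authentication failure for "/admin": Password Mismatch'
  repeat 2 '[Sat Mar 06 10:17:03 2010] [error] [client 192.0.2.44:51812] user admin: authentication failure for "/admin": Password Mismatch'
  repeat 9 '[Sat Mar 06 10:18:04 2010] [error] [client 192.0.2.99] File does not exist: /var/www/favicon.ico'
}

# Read a log on stdin; print "count ip" for clients at or above THRESHOLD.
# Only authentication failures count; other errors (missing files) are ignored.
offenders() {
  grep -iE 'authentication failure|password mismatch' \
    | sed -n 's/.*\[client \([0-9.]*\)[]:].*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$THRESHOLD" '$1 >= t {print $1, $2}'
}

# Read a log on stdin; print one block command per offender not in ALLOWLIST.
block_commands() {
  offenders | while read -r count ip; do
    case " $ALLOWLIST " in *" $ip "*) continue ;; esac
    echo "iptables -I INPUT -s $ip -j DROP"
  done
}

# Demo on the constructed sample. For a real log:
#   block_commands < /var/log/apache2/error.log
# After applying the printed commands, `iptables -L INPUT -n` lists the rules.
sample_log | block_commands
```

The allowlisted address has six failures in the sample and is still skipped, which is the "don't block your own IP" case; the address with only two failures and the one that only requested a missing file are not proposed either.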
Thankfully for the last two days my database hasn’t gone down, but I sure learned a lot of lessons during this crazy rollercoaster ride.
1. Never ignore even the slightest problem.
2. Nothing is impossible, all problems can be solved.
3. Backup, Backup, Backup. If you don’t have one, you are screwed.
4. Never trust the results shown by Google or any other search engine. In some cases most results on the front page are crap and you will have to actually dig deeper to find the solution.
5. Add an extra layer of security to your server; it might take time but you won’t regret it.
If you want to share any opinion, please leave a comment. I would love to hear from my readers what they think. Enjoy!