Can you see what's in the webserver logs? Probably in /var/log/nginx or /var/log/httpd. When you're ssh'd in try doing a 'curl -vvv http://127.0.0.1/' and see what happens too.
Forge http access down - firewall rules problem [solved - see last post]
Sorry for my english.
Since today, I can't access my 2 sites on a Digital Ocean server (managed by Forge). I'm on a strict standard Forge config and security. Nothing has been changed since yesterday.
Symptoms :
- HTTP and HTTPS are down (browsers report that the response took "too long")
- pings on each site are OK (it's not a domain problem)
- I can access the server and the 2 sites from Forge (start / stop, config files, deploy, etc.)
- I can access the server in SSH, browse files, etc.
- even if I restart the server, nothing changes: the two sites are unreachable
The log files: I've seen a lot of activity in the log files over the two previous days:
find / -mtime -2 2>&1 | grep -v "Permission denied"
Output :
/var/lib/apt/lists/mirrors.digitalocean.com_ubuntu_dists_xenail-backports-... => what is this ?
/var/log/auth.log.1
/var/log/nginx/access.log.2.gz
/var/log/fail2ban.log.1
/var/log/ufw.log.1
/var/log/access.log.1 => w00tw00t.at.blackhats.romanian.anti-sec
etc.
From /var/log/access.log.1
... w00tw00t.at.blackhats.romanian.anti-sec ...
.../MyAdmin/scripts/setup.php....
...testproxy.php....
etc.
Lots of connections in /var/log/fail2ban.log
So, what do you think ? Do I have a problem with my settings or have I been hacked ?
Thanks in advance for your advice.
Paguemaou
Thanks @ohffs .
When I do 'curl -vvv http://127.0.0.1' :
* Rebuilt URL to: http://127.0.0.1/
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: nginx/1.10.0 (Ubuntu)
< Date: Tue, 08 Nov 2016 17:18:40 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
<
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host 127.0.0.1 left intact
I saw a lot of stuff in /var/log/nginx/access.log.1 after 07/Nov/2016:17:55:02 and during the night (hackers ?) :
forge@ServeurPrincipal:/var/log/nginx$ more access.log.1
23.247.27.67 - - [07/Nov/2016:07:37:03 +0100] "GET / HTTP/1.1" 404 580 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
207.46.13.226 - - [07/Nov/2016:08:13:42 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.226 - - [07/Nov/2016:08:13:42 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
40.77.167.48 - - [07/Nov/2016:08:13:44 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
217.167.255.177 - - [07/Nov/2016:08:51:34 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
217.167.255.177 - - [07/Nov/2016:08:54:46 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
217.167.255.177 - - [07/Nov/2016:08:54:46 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
66.249.76.71 - - [07/Nov/2016:09:44:42 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
23.247.27.123 - - [07/Nov/2016:09:49:00 +0100] "GET / HTTP/1.1" 404 580 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
61.216.2.15 - - [07/Nov/2016:10:16:10 +0100] "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" 400 182 "-" "-"
61.216.2.15 - - [07/Nov/2016:10:17:50 +0100] "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" 400 182 "-" "-"
207.46.13.246 - - [07/Nov/2016:10:36:13 +0100] "GET /robots.txt HTTP/1.1" 404 152 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
40.77.167.27 - - [07/Nov/2016:10:36:14 +0100] "GET / HTTP/1.1" 404 152 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
217.167.255.177 - - [07/Nov/2016:11:31:17 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
104.193.254.221 - - [07/Nov/2016:11:33:01 +0100] "GET / HTTP/1.1" 404 178 "-" "Mozilla/5.0"
74.82.47.5 - - [07/Nov/2016:11:59:14 +0100] "GET / HTTP/1.1" 301 194 "-" "-"
62.210.111.96 - - [07/Nov/2016:12:08:29 +0100] "GET /contact HTTP/1.0" 404 178 "http://refetab.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
62.210.111.96 - - [07/Nov/2016:12:08:29 +0100] "GET /contact HTTP/1.0" 404 178 "http://refetab.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
62.210.111.96 - - [07/Nov/2016:12:08:29 +0100] "GET /contact HTTP/1.0" 404 178 "http://refetab.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
62.210.111.96 - - [07/Nov/2016:12:08:29 +0100] "GET /contact HTTP/1.0" 404 178 "http://refetab.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
63.141.250.155 - - [07/Nov/2016:12:12:24 +0100] "GET / HTTP/1.1" 404 580 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
217.167.255.177 - - [07/Nov/2016:13:44:21 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
66.249.76.71 - - [07/Nov/2016:14:54:45 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.76.75 - - [07/Nov/2016:14:54:46 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.76.71 - - [07/Nov/2016:15:26:24 +0100] "GET /css/myapp.css HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.76.75 - - [07/Nov/2016:15:26:25 +0100] "GET /css/modern-business.css HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.76.75 - - [07/Nov/2016:15:26:25 +0100] "GET /css/lightbox.min.css HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.76.71 - - [07/Nov/2016:15:26:26 +0100] "GET /font-awesome-4.2.0/css/font-awesome.min.css HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.76.73 - - [07/Nov/2016:15:26:26 +0100] "GET /css/bootstrap.min.css HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.76.71 - - [07/Nov/2016:16:31:46 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
104.193.254.243 - - [07/Nov/2016:17:30:32 +0100] "GET / HTTP/1.1" 404 178 "-" "Mozilla/5.0"
216.145.5.42 - - [07/Nov/2016:17:33:52 +0100] "GET /robots.txt HTTP/1.0" 404 178 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.13) Gecko/2009073022 Firefox/3.5.2 (.NET CLR 3.5.30729) SurveyBot/2.3 (DomainTools)"
216.145.5.42 - - [07/Nov/2016:17:33:52 +0100] "GET / HTTP/1.1" 404 152 "http://whois.domaintools.com/refetab.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.13) Gecko/2009073022 Firefox/3.5.2 (.NET CLR 3.5.30729) SurveyBot/2.3 (DomainTools)"
66.249.73.155 - - [07/Nov/2016:17:43:19 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
23.247.27.51 - - [07/Nov/2016:17:49:34 +0100] "GET / HTTP/1.1" 404 580 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
173.164.73.178 - - [07/Nov/2016:17:55:02 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 152 "-" "ZmEu"
173.164.73.178 - - [07/Nov/2016:17:55:22 +0100] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 152 "-" "ZmEu"
91.196.50.33 - - [07/Nov/2016:19:49:07 +0100] "GET http://testp4.pospr.waw.pl/testproxy.php HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
207.46.13.194 - - [07/Nov/2016:20:46:00 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
40.77.167.48 - - [07/Nov/2016:20:46:00 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
117.103.173.98 - - [07/Nov/2016:21:34:59 +0100] "GET /mentionsLegales HTTP/1.1" 404 580 "-" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
217.23.14.7 - - [07/Nov/2016:21:35:03 +0100] "GET /contact HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
41.242.90.3 - - [07/Nov/2016:21:35:04 +0100] "GET /mentionsLegales HTTP/1.1" 404 580 "-" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
199.19.249.196 - - [07/Nov/2016:21:35:04 +0100] "GET /mentionsLegales HTTP/1.1" 404 580 "-" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
207.46.13.130 - - [07/Nov/2016:22:54:20 +0100] "GET /robots.txt HTTP/1.1" 404 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.130 - - [07/Nov/2016:22:54:26 +0100] "GET / HTTP/1.1" 404 152 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
79.98.138.9 - - [08/Nov/2016:00:11:31 +0100] "GET /administrator/ HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
79.98.138.9 - - [08/Nov/2016:00:11:53 +0100] "GET /administrator/index.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
95.66.182.105 - - [08/Nov/2016:00:16:29 +0100] "GET /administrator/ HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
95.66.182.105 - - [08/Nov/2016:00:16:50 +0100] "GET /administrator/index.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
79.134.11.161 - - [08/Nov/2016:00:30:50 +0100] "GET /administrator/ HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
79.134.11.161 - - [08/Nov/2016:00:31:11 +0100] "GET /administrator/index.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
212.17.0.130 - - [08/Nov/2016:00:47:17 +0100] "GET /administrator/ HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
212.17.0.130 - - [08/Nov/2016:00:47:38 +0100] "GET /administrator/index.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
46.37.89.163 - - [08/Nov/2016:01:44:45 +0100] "GET / HTTP/1.1" 404 178 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"
207.46.13.194 - - [08/Nov/2016:03:04:40 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.194 - - [08/Nov/2016:03:04:43 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.194 - - [08/Nov/2016:03:04:44 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.194 - - [08/Nov/2016:03:04:46 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.194 - - [08/Nov/2016:03:04:49 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.194 - - [08/Nov/2016:03:04:52 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
40.77.167.48 - - [08/Nov/2016:03:05:12 +0100] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
185.49.14.190 - - [08/Nov/2016:04:13:33 +0100] "GET http://testp1.piwo.pila.pl/testproxy.php HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
207.46.13.130 - - [08/Nov/2016:05:31:21 +0100] "GET / HTTP/1.1" 404 152 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
23.247.27.4 - - [08/Nov/2016:06:19:45 +0100] "GET / HTTP/1.1" 404 580 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
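A practitioner's way to read an excerpt like the one above is to tag the well-known mass-scanner fingerprints it contains (ZmEu's "w00tw00t" banner, the phpMyAdmin setup.php probe, the "GET http://otherhost/testproxy.php" open-proxy checks, the Joomla /administrator/ probes, and the raw 0x01 byte blob that nginx answers with 400) and separate them from search-engine crawlers and real users. The script below is an added example, not code from the thread or from Forge; the sample lines are reproduced from the excerpt (the binary probe shortened), and the signature lists are the editor's own, not an exhaustive threat feed. Note also that both server blocks quoted later in the thread set `access_log off;`, so a file like /var/log/nginx/access.log only sees requests that did not match those blocks (for example requests addressed to the bare IP), which is exactly what scanners send.

```python
"""Classify nginx combined-format access log lines as crawler, scanner or other.

Added example, not from the original thread. Sample lines are reproduced from
the thread's access.log.1 excerpt (the \\x01 probe shortened). Signature lists
are the editor's own choice and are not exhaustive.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Request targets and user agents that identify mass scanners (lower-cased).
SCANNER_PATH_MARKERS = (
    "w00tw00t",                      # ZmEu / DFind banner request
    "/myadmin/", "/phpmyadmin/", "/pma/", "/scripts/setup.php",
    "testproxy.php",                 # open-proxy test
    "/administrator/",               # Joomla admin probe
)
SCANNER_UA_MARKERS = ("zmeu", "masscan", "zgrab", "nikto", "sqlmap")
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "yandexbot", "duckduckbot", "baiduspider")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for input that does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> str:
    """Return 'scanner', 'crawler', 'malformed' or 'other' for one parsed entry."""
    parts = entry["request"].split(" ")
    ua = entry["ua"].lower()
    # A well-formed request line is "METHOD TARGET HTTP/x.y"; anything else
    # (such as a run of \x01 bytes, which nginx logs with status 400) is a raw
    # protocol probe rather than an HTTP request.
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "malformed"
    target = parts[1].lower()
    # An absolute URI for a foreign host asks us to act as an open proxy.
    if target.startswith("http://") or target.startswith("https://"):
        return "scanner"
    if any(marker in target for marker in SCANNER_PATH_MARKERS):
        return "scanner"
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        return "scanner"
    if any(marker in ua for marker in CRAWLER_UA_MARKERS):
        return "crawler"
    return "other"


def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Count categories, HTTP status codes and scanner source IPs over log lines."""
    cats: Counter = Counter()
    statuses: Counter = Counter()
    scanner_ips: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            cats["unparsed"] += 1
            continue
        cat = classify(entry)
        cats[cat] += 1
        statuses[entry["status"]] += 1
        if cat in ("scanner", "malformed"):
            scanner_ips[entry["ip"]] += 1
    return {"categories": cats, "statuses": statuses, "scanner_ips": scanner_ips}


# Sample input reproduced from the thread's excerpt (binary probe shortened to 8 bytes).
SAMPLE_LINES = [
    '207.46.13.226 - - [07/Nov/2016:08:13:42 +0100] "GET /robots.txt HTTP/1.1" 301 194 "-" '
    '"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '66.249.76.71 - - [07/Nov/2016:15:26:24 +0100] "GET /css/myapp.css HTTP/1.1" 301 194 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '173.164.73.178 - - [07/Nov/2016:17:55:02 +0100] '
    '"GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 152 "-" "ZmEu"',
    '173.164.73.178 - - [07/Nov/2016:17:55:22 +0100] '
    '"GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 152 "-" "ZmEu"',
    '91.196.50.33 - - [07/Nov/2016:19:49:07 +0100] '
    '"GET http://testp4.pospr.waw.pl/testproxy.php HTTP/1.1" 404 152 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"',
    '79.98.138.9 - - [08/Nov/2016:00:11:31 +0100] "GET /administrator/ HTTP/1.1" 301 194 "-" '
    '"Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"',
    '61.216.2.15 - - [07/Nov/2016:10:16:10 +0100] "' + '\\x01' * 8 + '" 400 182 "-" "-"',
    '217.167.255.177 - - [07/Nov/2016:08:51:34 +0100] "GET / HTTP/1.1" 301 194 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
]

if __name__ == "__main__":
    for key, counter in summarize(SAMPLE_LINES).items():
        print(key, dict(counter))
```

Run it against a full access log with `summarize(open("/var/log/nginx/access.log").read().splitlines())`; the status-code counter is the quickest way to see the pattern the next reply points at, a wall of 301s for ordinary GET / requests, which is a redirect or server_name issue rather than an intrusion.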
The log entries look fairly 'normal' for the internet these days, sadly. But the curl output combined with all the '301' log entries looks more like your nginx is pointing to the wrong place or re-directing oddly though. Do you see anything at all in your laravel logs (storage/logs/laravel.log)? Maybe check the nginx config file and see what it's trying to do.
There is nothing special in the two laravel.log files. The last file update was 3 days ago and I remember it.
The nginx of the first site (https) :
# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/demo.jcvsoft.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name demo.jcvsoft.com;
    root /home/forge/demo.jcvsoft.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/demo.jcvsoft.com/139890/server.crt;
    ssl_certificate_key /etc/nginx/ssl/demo.jcvsoft.com/139890/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE- ........................here is the cipher....';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/demo.jcvsoft.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/demo.jcvsoft.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/demo.jcvsoft.com/after/*;
and the second site is (standard http):
# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/jcvsoft.com/before/*;

server {
    listen 80;
    listen [::]:80;
    server_name jcvsoft.com;
    root /home/forge/jcvsoft.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    # ssl_certificate
    # ssl_certificate_key

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-.........................Cipher here......';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/jcvsoft.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/jcvsoft.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/jcvsoft.com/after/*;
Do you have any idea? Thanks for your help. Paguemaou
I've added a network rule in the firewall, and deleted it afterwards. The two rules I have now in Forge are:
- HTTP 80 any
- HTTPS 443 any
The two sites are not responding. It seems like the request is stopped before it reaches nginx. Maybe a kind of firewall problem/rule? How can I verify it? Thanks for your help. Paguemaou
sudo iptables -L --line-numbers
https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules
You can install ConfigServer Security & Firewall (csf) and Login Failure Daemon (lfd) to prevent ddos, http flood, detect log files changes, process list & etc.)
https://download.configserver.com/csf/install.txt https://configserver.com/cp/csf.html
@actionm Thanks for your answer. I've launched your command. Here is the result. I don't know if it is "normal" or "strange". Could you help me? The problem is still the same: I can't access my 2 sites from HTTP or HTTPS.
command : sudo iptables -L --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 f2b-sshd tcp -- anywhere anywhere multiport dports ssh
2 ufw-before-logging-input all -- anywhere anywhere
3 ufw-before-input all -- anywhere anywhere
4 ufw-after-input all -- anywhere anywhere
5 ufw-after-logging-input all -- anywhere anywhere
6 ufw-reject-input all -- anywhere anywhere
7 ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ufw-before-logging-forward all -- anywhere anywhere
2 ufw-before-forward all -- anywhere anywhere
3 ufw-after-forward all -- anywhere anywhere
4 ufw-after-logging-forward all -- anywhere anywhere
5 ufw-reject-forward all -- anywhere anywhere
6 ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ufw-before-logging-output all -- anywhere anywhere
2 ufw-before-output all -- anywhere anywhere
3 ufw-after-output all -- anywhere anywhere
4 ufw-after-logging-output all -- anywhere anywhere
5 ufw-reject-output all -- anywhere anywhere
6 ufw-track-output all -- anywhere anywhere
Chain f2b-sshd (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
Chain ufw-after-forward (1 references)
num target prot opt source destination
Chain ufw-after-input (1 references)
num target prot opt source destination
1 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
2 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
3 ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
4 ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
5 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
6 ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
7 ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
num target prot opt source destination
Chain ufw-after-output (1 references)
num target prot opt source destination
Chain ufw-before-forward (1 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
3 ACCEPT icmp -- anywhere anywhere icmp source-quench
4 ACCEPT icmp -- anywhere anywhere icmp time-exceeded
5 ACCEPT icmp -- anywhere anywhere icmp parameter-problem
6 ACCEPT icmp -- anywhere anywhere icmp echo-request
7 ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 ufw-logging-deny all -- anywhere anywhere ctstate INVALID
4 DROP all -- anywhere anywhere ctstate INVALID
5 ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
6 ACCEPT icmp -- anywhere anywhere icmp source-quench
7 ACCEPT icmp -- anywhere anywhere icmp time-exceeded
8 ACCEPT icmp -- anywhere anywhere icmp parameter-problem
9 ACCEPT icmp -- anywhere anywhere icmp echo-request
10 ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
11 ufw-not-local all -- anywhere anywhere
12 ACCEPT udp -- anywhere (IP adress here) udp dpt:mdns
13 ACCEPT udp -- anywhere (IP adress here) udp dpt:1900
14 ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
num target prot opt source destination
Chain ufw-before-logging-input (1 references)
num target prot opt source destination
Chain ufw-before-logging-output (1 references)
num target prot opt source destination
Chain ufw-before-output (1 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
2 LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
2 RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
3 RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
4 ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
5 DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
num target prot opt source destination
Chain ufw-reject-input (1 references)
num target prot opt source destination
Chain ufw-reject-output (1 references)
num target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
num target prot opt source destination
Chain ufw-track-input (1 references)
num target prot opt source destination
Chain ufw-track-output (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere ctstate NEW
2 ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
num target prot opt source destination
Chain ufw-user-input (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
2 ACCEPT udp -- anywhere anywhere udp dpt:ssh
3 ACCEPT tcp -- anywhere anywhere tcp dpt:http
4 ACCEPT udp -- anywhere anywhere udp dpt:http
Chain ufw-user-limit (0 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
2 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
num target prot opt source destination
Chain ufw-user-logging-input (0 references)
num target prot opt source destination
Chain ufw-user-logging-output (0 references)
num target prot opt source destination
Chain ufw-user-output (1 references)
num target prot opt source destination
root@ServeurPrincipal:~#
I made a focus on my log files.
- I tried to access the two nginx sites.
- When I look at my nginx log files: nothing is logged for my HTTP requests (access.log and my-sites-error.log). But other IP addresses do access them.
What do you think of this? Are my requests blocked by the firewall or is my nginx conf faulty?
I also take a look at ufw.log. I see a lot of UFW BLOCK for the same MAC address, but different IP address. Is it a kind of attack ?
# tail /var/log/ufw.log
Nov 9 21:20:25 ServeurPrincipal kernel: [98370.606776] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00 SRC=191.240.61.180 DST=46.101.252.195 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=9904 PROTO=TCP SPT=63182 DPT=23 WINDOW=51702 RES=0x00 SYN URGP=0
Nov 9 21:20:51 ServeurPrincipal kernel: [98396.571320] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:4f:3f:f0:08:00 SRC=88.182.20.242 DST=46.101.252.195 LEN=52 TOS=0x08 PREC=0x00 TTL=116 ID=8690 DF PROTO=TCP SPT=49438 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 9 21:20:51 ServeurPrincipal kernel: [98396.813317] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00 SRC=88.182.20.242 DST=46.101.252.195 LEN=52 TOS=0x08 PREC=0x00 TTL=116 ID=8691 DF PROTO=TCP SPT=49439 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 9 21:21:55 ServeurPrincipal kernel: [98460.349155] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:4f:3f:f0:08:00 SRC=219.103.145.210 DST=46.101.252.195 LEN=63 TOS=0x00 PREC=0x00 TTL=49 ID=36331 PROTO=UDP SPT=53 DPT=22415 LEN=43
Nov 9 21:22:17 ServeurPrincipal kernel: [98482.582835] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:4f:3f:f0:08:00 SRC=187.160.81.157 DST=46.101.252.195 LEN=40 TOS=0x08 PREC=0x00 TTL=239 ID=9071 PROTO=TCP SPT=7700 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 9 21:22:21 ServeurPrincipal kernel: [98486.921030] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:4f:3f:f0:08:00 SRC=86.106.206.204 DST=46.101.252.195 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=14323 PROTO=TCP SPT=48153 DPT=23 WINDOW=37169 RES=0x00 SYN URGP=0
Nov 9 21:23:10 ServeurPrincipal kernel: [98535.741764] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00 SRC=106.58.61.90 DST=46.101.252.195 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=24664 DF PROTO=TCP SPT=10890 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 9 21:23:13 ServeurPrincipal kernel: [98538.688650] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00 SRC=106.58.61.90 DST=46.101.252.195 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=25117 DF PROTO=TCP SPT=10890 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 9 21:23:25 ServeurPrincipal kernel: [98551.294030] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:4f:3f:f0:08:00 SRC=186.74.137.115 DST=46.101.252.195 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=14140 PROTO=TCP SPT=46325 DPT=23 WINDOW=53661 RES=0x00 SYN URGP=0
Nov 9 21:23:43 ServeurPrincipal kernel: [98568.499360] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00 SRC=173.255.244.48 DST=46.101.252.195 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=53099 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
So... I'm lost! I don't know what to do or in which direction to search.
Could you help me ? Thanks in advance Paguemaou
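Two things in that ufw.log excerpt are worth knowing how to read. First, the MAC= field is not "one attacker's MAC": netfilter logs the raw 14-byte Ethernet header, so it is the droplet's own NIC address (destination), the upstream gateway's address (source) and the EtherType 08:00 (IPv4), which is why it stays constant while SRC changes. Second, the SYNs to ports 23 and 1433 are ordinary Internet background scanning for telnet and MSSQL and are supposed to be dropped, but the SYNs to DPT=443 are real clients trying to reach the HTTPS site and being dropped, which is the outage itself and points straight at the firewall rather than at nginx. The script below, an added example rather than code from the thread, parses such lines, decodes the MAC field, and separates noise from blocks on ports that are meant to be open; the sample lines are reproduced from the excerpt, and the list of ports that should be reachable (80 and 443, from the Forge rules quoted earlier) is an assumption supplied by the caller.

```python
"""Summarize '[UFW BLOCK]' lines from /var/log/ufw.log and decode the MAC= field.

Added example, not from the original thread. Sample lines are reproduced from
the thread's ufw.log excerpt. The ports that are supposed to be reachable are
an assumption passed by the caller (80/443 per the Forge rules in the thread).
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# key=value tokens after the "[UFW BLOCK]" marker; bare flags such as DF or SYN
# carry no '=' and are collected into a FLAGS field instead.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_block(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one '[UFW BLOCK]' line, or None for any other line."""
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    tail = line.split(marker, 1)[1]
    fields = dict(KV_RE.findall(tail))
    fields["FLAGS"] = " ".join(tok for tok in tail.split() if "=" not in tok)
    return fields


def decode_mac(mac_field: str) -> Tuple[str, str, str]:
    """Split the netfilter MAC= field into (dst_mac, src_mac, ethertype).

    The kernel logs the raw 14-byte Ethernet header: destination MAC (this
    host's NIC), source MAC (the gateway that forwarded the packet) and the
    2-byte EtherType (0800 = IPv4). Every inbound packet arrives through the
    same gateway, so a constant MAC with varying SRC is expected, not spoofing.
    """
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("MAC field must hold 14 octets: dst(6) src(6) ethertype(2)")
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def summarize_blocks(lines: List[str], expected_open: Tuple[int, ...]) -> Dict[str, object]:
    """Count drops per (proto, dport) and per source; single out TCP SYNs to
    ports that the firewall is supposed to allow.

    Drops on 23, 1433 or random UDP ports are background noise and the correct
    outcome. Drops on a port in expected_open mean real clients are being
    refused: the rules the control panel shows are not what the host enforces.
    """
    by_port: Counter = Counter()
    by_src: Counter = Counter()
    misconfig: List[Tuple[str, int]] = []
    for line in lines:
        f = parse_ufw_block(line)
        if f is None or "DPT" not in f:
            continue
        proto, port = f.get("PROTO", "?"), int(f["DPT"])
        by_port[(proto, port)] += 1
        by_src[f["SRC"]] += 1
        if proto == "TCP" and port in expected_open and "SYN" in f["FLAGS"]:
            misconfig.append((f["SRC"], port))
    return {"by_port": by_port, "by_src": by_src, "misconfig": misconfig}


# Sample input reproduced from the thread's ufw.log excerpt.
SAMPLE_UFW_LINES = [
    "Nov 9 21:20:25 ServeurPrincipal kernel: [98370.606776] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00 SRC=191.240.61.180 DST=46.101.252.195 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=9904 PROTO=TCP SPT=63182 DPT=23 WINDOW=51702 RES=0x00 SYN URGP=0",
    "Nov 9 21:20:51 ServeurPrincipal kernel: [98396.571320] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=04:01:df:e0:16:01:40:a6:77:4f:3f:f0:08:00 SRC=88.182.20.242 DST=46.101.252.195 "
    "LEN=52 TOS=0x08 PREC=0x00 TTL=116 ID=8690 DF PROTO=TCP SPT=49438 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Nov 9 21:20:51 ServeurPrincipal kernel: [98396.813317] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00 SRC=88.182.20.242 DST=46.101.252.195 "
    "LEN=52 TOS=0x08 PREC=0x00 TTL=116 ID=8691 DF PROTO=TCP SPT=49439 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Nov 9 21:21:55 ServeurPrincipal kernel: [98460.349155] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=04:01:df:e0:16:01:40:a6:77:4f:3f:f0:08:00 SRC=219.103.145.210 DST=46.101.252.195 "
    "LEN=63 TOS=0x00 PREC=0x00 TTL=49 ID=36331 PROTO=UDP SPT=53 DPT=22415 LEN=43",
    "Nov 9 21:23:10 ServeurPrincipal kernel: [98535.741764] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00 SRC=106.58.61.90 DST=46.101.252.195 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=24664 DF PROTO=TCP SPT=10890 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Nov 9 21:23:43 ServeurPrincipal kernel: [98568.499360] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00 SRC=173.255.244.48 DST=46.101.252.195 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=53099 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    report = summarize_blocks(SAMPLE_UFW_LINES, expected_open=(80, 443))
    print("drops per port:", dict(report["by_port"]))
    print("clients refused on ports that should be open:", report["misconfig"])
    print("MAC field decoded:", decode_mac("04:01:df:e0:16:01:40:a6:77:34:67:f0:08:00"))
```

On the live box, `summarize_blocks(open("/var/log/ufw.log").read().splitlines(), (80, 443))` answers the question in the post directly: a non-empty `misconfig` list means the host firewall, not nginx, is refusing the web traffic.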
if you can see others requests in the logs, but not yours, is there something wrong with the dns or you local hosts table?
For DNS (/run/resolvconf/resolv.conf), the file was changed two days ago. Was that during the server's boot? I don't understand the resolvconf parameters. Are they standard?
# ls -l
-rw-r--r-- 1 root root 0 Nov 8 18:00 enable-updates
drwxr-xr-x 2 root root 60 Nov 8 18:01 interface
-rw-r--r-- 1 root root 234 Nov 8 18:01 resolv.conf
$ cat /run/resolvconf/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 2001:4860:4860::8844
nameserver 2001:4860:4860::8888
nameserver 8.8.8.8
$ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 29 Apr 21 2016 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
The /etc/hosts seems standard :
forge@ServeurPrincipal:~$ more /etc/hosts
# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
# /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 ServeurPrincipal ServeurPrincipal
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Thanks for your help. Paguemaou
http://www.fail2ban.org/wiki/index.php/Whitelist
Try to add 127.0.1.1 and your ip to the list:
ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8
@actionm I've found the problem and its solution. The problem: after configuring the firewall rules from Forge's interface, I can't reach my two websites.
When I look at the open ports, only port 22 is open.
command : ufw status
# ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
I only use the Forge interface to add a new Firewall Rule and delete it later.
From Forge's interface, I see :
Active Firewall Rules
Name Port From IP Address
HTTP 80 Any
HTTPS 443 Any
Another clue: when I try to reach my website from the console, it works:
curl -vvv http://my-website-domain.com => response OK
So, ports 80 and 443 are closed. How can I enable them from Forge's interface ?
I've found this in https://forge.besnappy.com/laravel-forge#servers-1259 :
The "Networking" tab also allows you to add or remove custom firewall rules for your server. For most applications, you will not need to change these settings away from their defaults. If you are using a server solely as a database server, you may wish to stop Nginx from the "Stop" dropdown at the bottom right of the server management window. Once you have stopped Nginx, you can delete the firewall rules for ports 80 and 443.
So,
- stop nginx,
- delete the two firewall rules (HTTP 80 and HTTPS 443) from Forge's interface
- add them again
- restart your server
I solved my problem. I can reach my websites again.
Thanks for your help. Paguemaou
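The root cause was drift between what the control panel declared (HTTP 80 and HTTPS 443 active) and what the host actually enforced (`ufw status` listing only port 22). That gap is worth checking mechanically whenever a managed server stops answering. The script below is an added example, not code from the thread or from Forge: it parses both texts, reports every declared rule with no matching ALLOW on the host, and prints the host-side `ufw allow` commands that would close the gap. The inputs are constructed from the Forge table and the `ufw status` output quoted above, plus an assumed post-fix `ufw status`. Re-adding the rules through the panel, as the post does, is the safer route when a control plane owns the firewall, since rules added by hand may be replaced the next time it pushes its own configuration (an assumption about how Forge manages ufw, not something the thread states).

```python
"""Reconcile firewall rules a control panel declares with what ufw enforces.

Added example, not from the original thread and not Forge's code. Both inputs
are constructed text in the shapes quoted in the thread: the panel's
"Active Firewall Rules" table and the output of `ufw status`. The rule that
every declared port must appear as an ALLOW row on the host is an assumption.
"""
import re
from typing import Dict, List, Set, Tuple

# Numeric rows of `ufw status` / `ufw status verbose`, for example
# "22 ALLOW Anywhere", "443/tcp ALLOW IN Anywhere", "22 (v6) ALLOW Anywhere (v6)".
# Application-profile rows such as "Nginx Full ALLOW Anywhere" are not matched.
UFW_ROW_RE = re.compile(
    r"^(?P<port>\d+)(?:/(?P<proto>tcp|udp))?(?:\s+\(v6\))?\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?:IN|OUT))?\s+(?P<src>.+?)\s*$"
)


def parse_ufw_status(text: str) -> Set[Tuple[int, str, str]]:
    """Return {(port, proto, action)} for every numeric row of `ufw status`."""
    rules: Set[Tuple[int, str, str]] = set()
    for line in text.splitlines():
        m = UFW_ROW_RE.match(line.strip())
        if m:
            rules.add((int(m["port"]), m["proto"] or "any", m["action"]))
    return rules


def parse_declared_rules(text: str) -> Dict[str, int]:
    """Return {name: port} from a 'Name Port From' table as the panel shows it."""
    declared: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].isdigit():
            declared[parts[0]] = int(parts[1])
    return declared


def find_drift(declared: Dict[str, int],
               enforced: Set[Tuple[int, str, str]]) -> List[Tuple[str, int]]:
    """Declared rules with no ALLOW row for their port on the host, by port."""
    allowed = {port for port, _proto, action in enforced if action == "ALLOW"}
    missing = [(name, port) for name, port in declared.items() if port not in allowed]
    return sorted(missing, key=lambda item: item[1])


def remediation_commands(drift: List[Tuple[str, int]]) -> List[str]:
    """Host-side ufw commands that would restore the missing rules (TCP only)."""
    return [f"ufw allow {port}/tcp" for _name, port in drift]


# Constructed inputs: the panel table and `ufw status` output quoted in the thread.
FORGE_PANEL = """Name Port From IP Address
HTTP 80 Any
HTTPS 443 Any
"""

UFW_STATUS_BROKEN = """Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
"""

# Assumed `ufw status` after the rules were re-added (not shown in the thread).
UFW_STATUS_FIXED = """Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
"""

if __name__ == "__main__":
    declared = parse_declared_rules(FORGE_PANEL)
    drift = find_drift(declared, parse_ufw_status(UFW_STATUS_BROKEN))
    print("declared but not enforced:", drift)
    for cmd in remediation_commands(drift):
        print("  ", cmd)
```

Feed it the real output with `parse_ufw_status(subprocess.run(["ufw", "status"], capture_output=True, text=True).stdout)` (run as root); an empty drift list together with a working `curl -v http://127.0.0.1/` and a failing `curl -v http://<public-ip>/` would instead point at something in front of the host, such as a cloud-level firewall.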
It works for me, you made my day, thanks.