Hello,

I am running ClearOS (I wish I could tell you what version it is; probably close to the latest version) for our website and email. I have been running ClearOS successfully, although it sometimes hangs up on running clamscan. Recently I have noticed that our server is being attacked a lot through SSH or through DDOS. So, I recently installed an app called Attack Detector through WebConfig, and while I was at it I also decided to clear out all those 3,300 "failed login attempt by hackers or attackers" warning messages. Well, when I initiated the command by clicking on clear log, ClearOS threw up a message box saying that what I was about to do could have a negative effect and that the administrator had taken all the necessary steps to avoid any issues, or something along those lines. I don't exactly remember the message. It was like a 20-sentence-long paragraph. Anyway, I thought to myself, "I am only clearing out the log, what can go wrong?" Well, as soon as I clicked on the confirm button, there was a pause, or the ClearOS webconfig froze for about a minute, followed by it completely freezing up. Even though I was able to click on other options, ClearOS webconfig completely did not respond. Then, I decided to log out and log back into WebConfig. Once I logged out, I have NOT been able to log back in at all since last week. Apparently, ClearOS WebConfig is checking my login credentials. When I enter a wrong passcode, it returns with login failed within 10 seconds. If I enter the correct user and passcode, it just sits there spinning the wheel forever and sometimes it times out.

So, what have I done so far? I shut down and rebooted our computer system running ClearOS, and that didn't fix my issue. I rebooted the Internet router or modem and rebooted the ClearOS system, and that didn't help either. I am at a loss as to how to fix this issue. The last thing to do would be to get into the system using SSH. However, we always disable the SSH port when we are done with whatever we are doing on the server before logging out, for safety reasons. That means I can't even log into SSH on a terminal. The odd thing about this ordeal is that our website works and the email server works NO PROBLEM. We can access our website and it responds with no delay. Our email server works as well; we can send and receive emails.

I am very STUCK. I hope someone could help me or give me hints as to how to resolve this issue on our ClearOS server.

Thank you,
Monday, March 08 2021, 02:50 PM

Accepted Answer

Monday, March 08 2021, 07:19 PM
Adding a rule at the command line is temporary and will disappear when the firewall next restarts, so at least when you change any firewall rule in the webconfig and at other times. If you want to remove it immediately from the command line, change the "-I" to a "-D" in the command.

If the machine is on your LAN and you want to open it to your LAN only, you could try a custom firewall rule like:
$IPTABLES -I INPUT -s your_LAN_subnet -p tcp -m multiport --dports 22,81 -j ACCEPT
for the webconfig and SSH only, or for all services from your LAN:
$IPTABLES -I INPUT -s your_LAN_subnet -j ACCEPT
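The LAN-only rule from the answer above, wrapped in a small helper so it can be added, checked and removed consistently from the console. This is an added example, not ClearOS code or the answerer's own script; it assumes webconfig on 81 and SSH on 22 as on this page, a hypothetical `lan_rule` function, and an overridable `IPTABLES` path.

```shell
#!/bin/sh
# Added helper, not ClearOS code: wrap the LAN-only allow rule from the answer
# above so it can be added, removed and checked consistently.
# Assumptions: webconfig on 81 and SSH on 22 (the page's values); the path to
# iptables may differ, so IPTABLES can be overridden (e.g. IPTABLES=echo to
# see the commands without running them). Needs root to actually apply rules.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Accept only a dotted-quad CIDR with a 1-32 prefix, so a typo cannot turn the
# "LAN only" rule into a rule that matches everything (/0).
valid_subnet() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$'
}

# lan_rule add|del|check SUBNET [PORTS]   (PORTS defaults to 22,81)
lan_rule() {
    action="$1"; subnet="$2"; ports="${3:-22,81}"
    valid_subnet "$subnet" || { echo "lan_rule: bad subnet '$subnet'" >&2; return 2; }
    # Same rule spec for every action, so -I, -D and -C always refer to the
    # identical rule; word splitting of $spec is intentional.
    spec="INPUT -s $subnet -p tcp -m multiport --dports $ports -j ACCEPT"
    case "$action" in
        check) $IPTABLES -C $spec 2>/dev/null ;;
        # -C first: re-running "add" must not stack duplicate rules.
        add)   $IPTABLES -C $spec 2>/dev/null || $IPTABLES -I $spec ;;
        # Remove the rule as soon as the maintenance session is over.
        del)   $IPTABLES -D $spec ;;
        *)     echo "usage: lan_rule add|del|check SUBNET [PORTS]" >&2; return 2 ;;
    esac
}
```

Like the one-off command in the answer, anything this adds is lost when the firewall restarts, so run `lan_rule del` yourself when finished rather than relying on that.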
Responses (10)
    Monday, March 08 2021, 07:50 PM
    Oh and the Attack Detector does not post events to clearsync. They are pretty much coming from /var/log/secure.

    Monday, March 08 2021, 07:03 PM
    Nick Howitt wrote:

    Disabling the port in the Incoming Firewall only disables it to the External interfaces. It should still work on any LAN interfaces (but not HotLAN). Are you by any chance in Standalone with Firewall mode? If you are, closing the Incoming firewall would disable SSH access.


    Yep... I am running ClearOS in Standalone with firewall mode. Also, you are right about SSH access. Now, it looks like everything is working as it should. I believe this issue was brought up because I cleared the log. There must've been one too many to begin with, and the Attack Detector app also was posting events at the same time events.db was cleared. Hopefully, this won't happen again.

    Thanks,

    Monday, March 08 2021, 06:38 PM
    Hi Nick,

    I ran your commands. First, I enabled port 22 like you said and followed by other commands relating to clearsync. Now, it let me login to WebConfig, although it is still sort of sluggish.

    Now, how do I disable port 22 using the same terminal command? Even though I enabled port 22 through terminal command, it wasn't reflected in the WebConfig under Firewall -> Incoming firewall. It still said port 22 disabled. Should I also stop Attack Detector?

    By the way, since I installed Attack Detector, 90% of the spam we used to get is GONE.. lol... Hopefully, the Attack Detector app is not slowing down ClearOS by adding events to the events.db file every 5 seconds...

    I want to put everything back to the way it was before.

    Thank you for all the help, Nick.

    Monday, March 08 2021, 06:34 PM
    Disabling the port in the Incoming Firewall only disables it to the External interfaces. It should still work on any LAN interfaces (but not HotLAN). Are you by any chance in Standalone with Firewall mode? If you are, closing the Incoming firewall would disable SSH access.

    Monday, March 08 2021, 06:09 PM
    When I was able to log in through webconfig, I always disabled port 22 by clicking firewall -> incoming connection... there, I disabled it by clicking the disable button. I do that right after completing my tasks, before I log out of the system, for safety reasons.

    Yes, I can't get to it from the LAN. I also tried it at the computer system by selecting start terminal in the graphical interface option or mode. It brought up the WebConfig login page. So, I tried to log in as root and still it just sat there for over 10 minutes. At that point, I restarted the computer system.

    Let me run the commands you suggested and will let you know how it goes.

    Thanks,

    Monday, March 08 2021, 05:26 PM
    How have you disabled it? It is normally open to the LAN whatever and you need a custom rule to disable it. To open it up to everywhere just type:
    iptables -I INPUT -p tcp --dport 22 -j ACCEPT
    Are you sure you can't get to it from the LAN?

    You can also do the other commands from the console, but for ease you may want to break it down into its three commands:
    systemctl stop clearsync
    rm -f /var/lib/csplugin-events/events.db
    systemctl start clearsync

    Monday, March 08 2021, 05:16 PM
    Hi Nick,

    Since I can't log into webconfig and SSH port 22 is disabled, the only option I have is hooking up a monitor, keyboard and mouse to the ClearOS webserver computer system. So, that's what I did. I was able to log in as root and get into the system's files and folders. Is there anything I can do with this setup?

    How do you enable or open ports that are disabled or closed under firewall? My port 22 is disabled. I need to enable it.

    Monday, March 08 2021, 04:01 PM
    You know at the top right-hand corner there is a drop-down button (screwdriver). It had a round red dot with a message: 3,300 login attempt fails. I never cared to do anything about it until last week. I simply clicked on the red dot and one of the options it had was Clear logs or something like that. I clicked on it. Then, it took me to a page where I could select what actions to take. One of those was "clear log." I check-marked it and clicked on run command. That's when it popped up with a warning message and requested me to CONFIRM my action.

    This log is not for Attack Detector. This log is for the whole of ClearOS. I only mentioned the Attack Detector app because that's one of the things I did before running into this issue. I thought maybe someone might remember something related to this issue working with the app.

    The problem with running terminal commands over SSH is that the SSH port is disabled. So, I can't log into the system through SSH.

    Monday, March 08 2021, 03:35 PM
    I am totally unclear on where you were and what you did to clear the attack detector logs. I am not aware of any way of doing that through the webconfig. Or are you talking about the red round/oval box on the top right of all screens by the screwdriver and spanner button? These are the event messages and you can acknowledge them. The fastest way to clear them is with the following one-liner:
    systemctl stop clearsync && rm -f /var/lib/csplugin-events/events.db && systemctl start clearsync
    I run this monthly from /etc/cron.monthly, but you can do it from the command line when you want.