
Mod_Security Setup Tips?

Discussion in 'Free VPS Hosting' started by IEpicDestroyer, Sep 23, 2017.

  1. IEpicDestroyer

    IEpicDestroyer Premium VPS Client

    Messages:
    103
    Likes Received:
    18
    So I plan to set up Mod_Security on my websites. I'd like to use it to avoid hacking attempts on my sites. Does anyone have any tips on setting it up properly so it functions well? I'm mostly just using it to keep people from messing with the PHPBB forums I have installed.

    Since I have the thread open, is port 25 still blocked on the VPS even if it's a premium VPS? I'd like to install ISPMail on it, but if I can't do anything with it, it's quite pointless. Right now I relay all my email (either generated by the website or when I write them) through Yandex for Domains, and I don't really want to keep using a Russian service, so I'm looking for somewhere I can place a mail server without ever changing the IP (due to moving to another VPS or something like that).
     
  2. Bryan

    Bryan Administrator

    Messages:
    5,986
    Likes Received:
    988
    Port 25 should not be blocked on the Premium VPS. If you find that it is on yours, let me know and I'll fix it.
     
  3. IEpicDestroyer

    IEpicDestroyer Premium VPS Client

    Messages:
    103
    Likes Received:
    18
    Oh good, haven't tested it yet, didn't feel like blindly installing something just to find out that I'm not allowed to use it. Thanks!
     
  4. Joe Rodriguez

    Joe Rodriguez Premium VPS Client Premium Hosting Client

    Messages:
    587
    Likes Received:
    409
    Location:
    Sebring, FL
    hmm.. I use Yandex for Domains.. never have had an issue really in the past few years.. other than some improperly translated pages here and there, if they're even translated... well other than some in the US side hating on them for being Russians, the Yandex company's been good to me.. not to mention it's really the only other 'powerhouse' competitor to Google's monopoly.

    In any case.. people with such masterful talent for Vodka can't be all bad??..

    In all seriousness.. mod_sec's been the cause of many of my migraines... I tend to personally depend on access rules to prevent access and proper php coding techniques to avoid injections. But... when I've had to deal with mod_Sec.. this helps me as a quick reference:

    https://www.feistyduck.com/books/modsecurity-handbook/modsecurity-rule-writing-workshop.pdf

    I just outright quit using mod_sec a few years ago when I kept getting 406's for what seemed the most idiotic reasons... ( bug in mod_sec )... kind of forced me to look at alternative ways of doing things.. so sorry if my help doesn't extend further past the pdf link

    But when I did use it.. what I would do.. is make a note of the possible vulnerabilities in the individual pieces of software and their current versions... write up mod_sec rules to prevent exploitation of those vulnerabilities... and attempt to exploit the software myself.

    I avoided the more 'paranoid' pre-built rules you come across in the wild on the internet... too high a chance of screw ups, can get difficult to diagnose if buggy, and I have a very hard time trusting people's abilities.
     
    Last edited: Sep 23, 2017
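    The "note what fires, then decide" approach in the post above is also the practical way to tame a prebuilt ruleset that keeps throwing 406s: run ModSecurity with `SecRuleEngine DetectionOnly` first, summarize which rule ids hit which URIs in the Apache error log, and only then write exclusions that are scoped to one rule and one path instead of disabling a whole ruleset. The script below is an added example written for this thread, not code from the original posts or from any ruleset. The log lines it embeds are constructed in the ModSecurity 2.x Apache error_log format; the rule ids, the hostname forum.example.org, the paths and the exclusion id 10001 are assumptions.

    ```shell
    #!/usr/bin/env bash
    # Added example (not from the thread): triage ModSecurity 2.x false positives on
    # Apache before writing exclusions. Log lines are constructed; rule ids, hostname,
    # paths and the exclusion rule id are assumptions.

    # Write a few constructed ModSecurity 2.x error_log entries to the file given as $1.
    # The last line is an ordinary Apache notice and must be ignored by the summary.
    sample_modsec_log() {
      cat > "$1" <<'EOF'
    [Sat Sep 23 10:01:12.000001 2017] [:error] [pid 2001] [client 203.0.113.5:51000] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:union.*select)" at ARGS:message. [file "/etc/modsecurity/rules/sqli.conf"] [line "21"] [id "942100"] [msg "SQL Injection Attack"] [hostname "forum.example.org"] [uri "/posting.php"] [unique_id "Wc5xAAAAAAAB"]
    [Sat Sep 23 10:03:40.000002 2017] [:error] [pid 2002] [client 198.51.100.7:52000] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:union.*select)" at ARGS:message. [file "/etc/modsecurity/rules/sqli.conf"] [line "21"] [id "942100"] [msg "SQL Injection Attack"] [hostname "forum.example.org"] [uri "/posting.php"] [unique_id "Wc5xAAAAAAAC"]
    [Sat Sep 23 10:05:05.000003 2017] [:error] [pid 2003] [client 203.0.113.9:53000] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<script" at ARGS:message. [file "/etc/modsecurity/rules/xss.conf"] [line "8"] [id "941100"] [msg "XSS Attack Detected"] [hostname "forum.example.org"] [uri "/posting.php"] [unique_id "Wc5xAAAAAAAD"]
    [Sat Sep 23 10:09:51.000004 2017] [:error] [pid 2004] [client 192.0.2.44:54000] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity/rules/protocol.conf"] [line "3"] [id "920350"] [msg "Host header is a numeric IP address"] [hostname "forum.example.org"] [uri "/ucp.php"] [unique_id "Wc5xAAAAAAAE"]
    [Sat Sep 23 10:10:00.000005 2017] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/apache2'
    EOF
    }

    # Print "<count> <rule id> <uri>" for every blocked request, most frequent first.
    # Only "Access denied" entries count, so DetectionOnly warnings and other Apache
    # log lines fall out of the summary.
    modsec_summary() {
      grep 'ModSecurity: Access denied' "$1" \
        | sed -nE 's/.*\[id "([0-9]+)"\].*\[uri "([^"]*)"\].*/\1 \2/p' \
        | sort | uniq -c | sort -k1,1nr -k2,2 \
        | awk '{print $1, $2, $3}'
    }

    # Emit a ModSecurity 2.x exclusion that disables one rule id only for requests
    # whose URI begins with the given path (ctl:ruleRemoveById is evaluated per
    # request). $1 is the id of the exclusion rule itself; ids from 10000 up are
    # assumed to be free in this installation.
    modsec_exclusion() {
      local excl_id=$1 rule_id=$2 uri=$3
      printf 'SecRule REQUEST_URI "@beginsWith %s" "id:%s,phase:1,pass,nolog,t:none,ctl:ruleRemoveById=%s"\n' \
        "$uri" "$excl_id" "$rule_id"
    }

    # Stand-alone run: summarize the constructed log, then print an exclusion for
    # the top offender so it can be pasted into the ModSecurity config.
    log=$(mktemp)
    sample_modsec_log "$log"
    modsec_summary "$log"
    modsec_exclusion 10001 942100 /posting.php
    rm -f "$log"
    ```

    The summary for the constructed log puts `2 942100 /posting.php` first, which is exactly the kind of entry you would expect from a forum post body tripping an SQL-injection pattern. Exclude that one rule on that one path rather than removing it globally, and keep the exclusion in a separate include file so a ruleset update does not overwrite it.
    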
  5. IEpicDestroyer

    IEpicDestroyer Premium VPS Client

    Messages:
    103
    Likes Received:
    18
    Thought about it, but it's a real hassle setting up my own rules, I might just go with some prebuilt ruleset, know any?

    @Bryan I think emailing is blocked on my VPS. I wasn't even sending on port 25 or TLS on port 587; it was transmitting over port 465 with SSL, which I have never run into an issue with whatsoever, so could you take a look at it? It's sending the emails to the relay. I tried sending emails to the same email server from my PC and it worked.

    Here's what it displays in PHPBB email errors log:


    E-mail error
    » EMAIL/SMTP
    /adm/index.php

    Could not connect to smtp host : 110 : Connection timed out

    Errno 2: fsockopen(): unable to connect to ssl://smtp.yandex.com:465 (Connection timed out) at [ROOT]/includes/functions_messenger.php line 1030

    Could you take a look and fix it for me? I'd like to be able to at least send emails to a relay...

    Edit: tried to telnet into the mail server, which also failed, so it can't be the forum script glitching out on me:

    root@server7:~# telnet smtp.yandex.com 465
    Trying 2a02:6b8::38...
    Trying 87.250.250.38...
    Trying 93.158.134.38...
    Trying 213.180.193.38...
    Trying 213.180.204.38...
    Trying 77.88.21.38...
    telnet: Unable to connect to remote host: Connection timed out
    root@server7:~# telnet mx.yandex.com 25
    Trying 2a02:6b8::242...
    Trying 213.180.204.242...
    telnet: Unable to connect to remote host: Connection timed out
     
    Last edited: Oct 5, 2017
  6. Bryan

    Bryan Administrator

    Messages:
    5,986
    Likes Received:
    988
    Email should only be blocked on the free VPS. Let me look into this for you and see what I can come up with.
     
  7. IEpicDestroyer

    IEpicDestroyer Premium VPS Client

    Messages:
    103
    Likes Received:
    18
    Thanks, I did not notice the emails were erroring out until today; not every action on PHPBB tells me, it just queues the email to be sent and never tells me unless I go check the email error log.

    Edit: apparently mx.yandex.com doesn't accept emails, mx.yandex.ru is the correct hostname. But I still can't telnet into it. But I was trying to send to smtp.yandex.com which is correct.

    root@server7:~# telnet mx.yandex.ru 25
    Trying 2a02:6b8::89...
    Trying 213.180.193.89...
    Trying 77.88.21.89...
    Trying 87.250.250.89...
    Trying 213.180.204.89...
    Trying 93.158.134.89...
    telnet: Unable to connect to remote host: Connection timed out
     
    Last edited: Oct 5, 2017
  8. Joe Rodriguez

    Joe Rodriguez Premium VPS Client Premium Hosting Client

    Messages:
    587
    Likes Received:
    409
    Location:
    Sebring, FL
    The smtp server's hostname must be smtp.yandex.com :D

    From my desktop...
    Code:
    netvip3r@joe-linux:~$ telnet smtp.yandex.com 587
    Trying 2a02:6b8::38...
    Connected to smtp.yandex.ru.
    Escape character is '^]'.
    220 smtp3o.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
    HELO
    501 5.5.4 HELO requires domain address.
    QUIT
    221 2.0.0 Closing connection.
    Connection closed by foreign host.
    
    netvip3r@joe-linux:~$ telnet smtp.yandex.com 465
    Trying 2a02:6b8::38...
    Connected to smtp.yandex.ru.
    Escape character is '^]'.
    
    Connection closed by foreign host.
    netvip3r@joe-linux:~$
    
    I do not have telnet installed in the VPS to test it, so I ran it from my home workstation... Comcast blocks my outbound port 25 lol... but SMTP accepted and is responding.

    But I did port scan 25 from an external source and it was listening

    Perhaps Yandex servers went offline for a bit at that very moment... perhaps.. hey I've tripped over the power cables in a DC before... can get messy
     
    Last edited: Oct 5, 2017
  9. IEpicDestroyer

    IEpicDestroyer Premium VPS Client

    Messages:
    103
    Likes Received:
    18
    Well I verified the issue before posting, I connected via telnet on another VPS and sent an email and it was delivered properly. I wonder if it's trying to send with the internal IP address, and the public address I'm assigned is open while the NAT IP is blocked. Could you remove that NAT IP from my VPS @Bryan?

    It's still blocked from my VPS atm, waiting for a fix. Connecting on my tiny dirt cheap VPS from a different host works:

    root@server2:~# telnet smtp.yandex.com 465
    Trying 93.158.134.38...
    Connected to smtp.yandex.ru.
    Escape character is '^]'.
    quit
    Connection closed by foreign host.
     
  10. Bryan

    Bryan Administrator

    Messages:
    5,986
    Likes Received:
    988
    Interesting. I don't know which IP it would be using.

    I just removed the NAT address. Can you try now?
     
  11. IEpicDestroyer

    IEpicDestroyer Premium VPS Client

    Messages:
    103
    Likes Received:
    18
    Just did, probably will timeout, will edit the post after it tries every IP address to show the results.

    It did timeout.. D:

    root@server7:~# telnet smtp.yandex.com 465
    Trying 2a02:6b8::38...
    Trying 213.180.193.38...
    Trying 93.158.134.38...
    Trying 77.88.21.38...
    Trying 213.180.204.38...
    Trying 87.250.250.38...
    telnet: Unable to connect to remote host: Connection timed out
    root@server7:~#
     
    Last edited: Oct 6, 2017
  12. Bryan

    Bryan Administrator

    Messages:
    5,986
    Likes Received:
    988
    I'll keep working on this. For some reason, it just doesn't want to open up.
     
  13. Joe Rodriguez

    Joe Rodriguez Premium VPS Client Premium Hosting Client

    Messages:
    587
    Likes Received:
    409
    Location:
    Sebring, FL
    ok.. this is strange

    I don't think that it's a vNAT issue.... I don't think that the IPv6 payload goes through the same translation, and it's failed there too. In any case... NAT should be able to 'translate' from the bound IPs o_O .. this is one of those puzzles....

    ok.. I'll install telnet in the VPS.. now I have to try

    I've had this happen to me in the past.. never did peg it down...
    but out of curiosity now.. try [ smtp.yandex.com.tr ]... for some reason that worked before and is how I was able to access this before when I had problems on another VPS which had a different network setup. I was suspecting the issue was routing then.. but when I finally got a connection, I quit spending time troubleshooting.

    $ telnet smtp.yandex.com.tr 465 / 587
     
    Last edited: Oct 6, 2017
  14. Joe Rodriguez

    Joe Rodriguez Premium VPS Client Premium Hosting Client

    Messages:
    587
    Likes Received:
    409
    Location:
    Sebring, FL
    @Bryan maybe this helps... my VPS connected ok
    Code:
    root@vps2:~# telnet smtp.yandex.com 465
    Trying 2a02:6b8::38...
    Connected to smtp.yandex.ru.
    Escape character is '^]'.
    Connection closed by foreign host.
    
    root@vps2:~# telnet smtp.yandex.com 587
    Trying 2a02:6b8::38...
    Connected to smtp.yandex.ru.
    Escape character is '^]'.
    220 smtp1p.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
    EHLO
    501 5.5.4 EHLO requires domain address.
    QUIT
    221 2.0.0 Closing connection.
    Connection closed by foreign host.
    
    root@vps2:~# telnet smtp.yandex.com 25
    Trying 2a02:6b8::38...
    Connected to smtp.yandex.ru.
    Escape character is '^]'.
    220 smtp2j.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
    EHLO
    501 5.5.4 EHLO requires domain address.
    QUIT
    221 2.0.0 Closing connection.
    Connection closed by foreign host.
    root@vps2:~#
    
     
  15. Bryan

    Bryan Administrator

    Messages:
    5,986
    Likes Received:
    988

    Yours appears to be working fine @Joe Rodriguez . That being the case, his should too. This is really weird. @IEpicDestroyer are you running a firewall or have any iptables rules on your VPS itself?
     
  16. IEpicDestroyer

    IEpicDestroyer Premium VPS Client

    Messages:
    103
    Likes Received:
    18
    This is a bad habit, but I get too lazy to do the firewall rules; in other words, iptables is blank and should allow any connections (including the long list of connections that Cloudflare seems to make for no reason).

    root@server7:~# iptables --list
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    It's funny that it's not allowing it. Does anyone know of any external email server that doesn't run on the usual ports? I want to test whether it's just port-based blocking or whether SMTP connections in general are being blocked.

    @Joe Rodriguez Since you can make a smtp connection, it should work for me too, not sure what went wrong...

    Edit: just remembered Sparkpost accepts connections to their SMTP relay on port 2525, so I tried to connect to that to check; connections timed out too for some reason... Tried on another VPS, was able to open a connection to smtp.sparkpostmail.com:2525, so it's still an issue with the VPS itself..
     
    Last edited: Oct 7, 2017
  17. Joe Rodriguez

    Joe Rodriguez Premium VPS Client Premium Hosting Client

    Messages:
    587
    Likes Received:
    409
    Location:
    Sebring, FL
    only other thing I can think of... is prob your copy of [ /usr/bin/telnet ] itself is acting up... did you compile it yourself or is it from pkg repos? maybe distro?

    mine is from repo running on Debian 9 64bit
     
  18. IEpicDestroyer

    IEpicDestroyer Premium VPS Client

    Messages:
    103
    Likes Received:
    18
    Well I purposely installed it to check; the original issue was PHPBB failing to send emails. Took me two months to find out... It came from a repo, all I did was apt-get install telnet and it installed for me..

    Went and connected to the route server for HE on telnet:

    root@server7:~# telnet route-server.he.net
    Trying 2001:470:0:cf::2...
    Connected to route-server.he.net.
    Escape character is '^]'.
    *************************************************************************
    ***** route-server.he.net *****
    ***** Hurricane Electric IP Route Monitor *****
    ***** AS 6939 *****
    *************************************************************************

    This router maintains peering sessions with some of the core routers in
    Hurricane Electric's network. Hurricane Electric operates an international
    Internet Backbone and offers transit, colocation, and dedicated servers.

    Location IPv4 IPv6
    --------------------- ---------------- ------------------------
    North America
    Equinix Seattle 216.218.252.176 2001:470:0:3d::1
    Equinix Palo Alto 216.218.252.165 2001:470:0:1b::1
    Equinix San Jose 216.218.252.164 2001:470:0:1a::1
    Hurricane Fremont 1 216.218.252.161 2001:470:0:23::1
    One Wilshire Los Angeles 216.218.252.178 2001:470:0:6c::1
    Equinix Chicago 216.218.252.168 2001:470:0:16::1
    Equinix Dallas 216.218.252.167 2001:470:0:1d::1
    Equinix Toronto 216.218.252.147 2001:470:0:99::1
    Equinix New York 216.218.252.171 2001:470:0:13::1
    Equinix Ashburn 216.218.252.169 2001:470:0:17::1
    NOTA Miami 216.218.252.177 2001:470:0:4a::1
    CoreSite Denver 216.218.252.157 2001:470:0:155::1
    1102 Grand Kansas City 216.218.252.190 2001:470:0:22b::1
    Cologix Montreal 216.218.252.193 2001:470:0:224::1
    Europe
    Telecity London 216.218.252.211 2001:470:0:2cc::1
    NIKHEF Amsterdam 216.218.252.173 2001:470:0:e::1
    Interxion Frankfurt 216.218.252.174 2001:470:0:2a::1
    Telehouse Paris 216.218.252.184 2001:470:0:1ae::1
    Equinix Zurich 216.218.252.153 2001:470:0:10c::1
    TeleCity Stockholm 216.218.252.154 2001:470:0:10f::1
    PLIX/LIM Warsaw 216.218.252.189 2001:470:0:215::1
    Asia
    Mega-I Hong Kong 216.218.252.180 2001:470:0:c2::1
    Equinix Tokyo 216.218.252.151 2001:470:0:10a::1
    Equinix Singapore 216.218.252.179 2001:470:0:169::1
    route-server> quit
    Connection closed by foreign host.

    That connection was okay, not sure what's happening now..
     
  19. Joe Rodriguez

    Joe Rodriguez Premium VPS Client Premium Hosting Client

    Messages:
    587
    Likes Received:
    409
    Location:
    Sebring, FL
    Ok, first off.. I apologize if what I say now seems obvious or even trivial.. but I'm stating it for the benefit of others that may read this as well with similar problems.

    I'd start with checking to see if the VPS reaches the server first... ( ping should be installed as part of base )

    Code:
    (user)$ ping smtp.yandex.com
    a successful result looks something like this...
    Code:
    (user)$ ping smtp.yandex.com -c 8
    PING smtp.yandex.com(smtp.yandex.ru (2a02:6b8::38)) 56 data bytes
    64 bytes from smtp.yandex.ru (2a02:6b8::38): icmp_seq=1 ttl=53 time=168 ms
    64 bytes from smtp.yandex.ru (2a02:6b8::38): icmp_seq=2 ttl=53 time=168 ms
    64 bytes from smtp.yandex.ru (2a02:6b8::38): icmp_seq=3 ttl=53 time=168 ms
    64 bytes from smtp.yandex.ru (2a02:6b8::38): icmp_seq=4 ttl=53 time=168 ms
    64 bytes from smtp.yandex.ru (2a02:6b8::38): icmp_seq=5 ttl=53 time=168 ms
    64 bytes from smtp.yandex.ru (2a02:6b8::38): icmp_seq=6 ttl=53 time=168 ms
    64 bytes from smtp.yandex.ru (2a02:6b8::38): icmp_seq=7 ttl=53 time=168 ms
    64 bytes from smtp.yandex.ru (2a02:6b8::38): icmp_seq=8 ttl=53 time=168 ms
    
    --- smtp.yandex.com ping statistics ---
    8 packets transmitted, 8 received, 0% packet loss, time 7005ms
    rtt min/avg/max/mdev = 168.063/168.165/168.293/0.507 ms
    
    If pinging the server doesn't respond then I'd traceroute it and see which node is the one that's dropping my payload. Traceroute 'follows' an ICMP packet en route to its destination. Traceroute is more than likely not installed, so:
    Code:
    (root)# apt-get install traceroute
    then...
    Code:
    (user)$ traceroute -6 smtp.yandex.com
    a successful result looks something like this...
    Code:
    (user)$ traceroute -6 smtp.yandex.com
    traceroute to smtp.yandex.com (2a02:6b8::38), 30 hops max, 80 byte packets
     1  2604:880:1:1::2 (2604:880:1:1::2)  0.037 ms  0.012 ms  0.010 ms
     2  2604:880:12::41 (2604:880:12::41)  4.110 ms  4.101 ms  4.093 ms
     3  2604:880:20::1 (2604:880:20::1)  0.814 ms  0.868 ms  0.861 ms
     4  2604:880:10::1 (2604:880:10::1)  0.489 ms  0.527 ms  0.523 ms
     5  10gigabitethernet3-1.core1.dal1.he.net (2001:504:0:5::6939:1)  0.440 ms  0.434 ms  0.482 ms
     6  100ge8-1.core1.atl1.he.net (2001:470:0:35f::2)  23.968 ms  26.383 ms  26.560 ms
     7  100ge8-1.core1.ash1.he.net (2001:470:0:114::2)  35.716 ms * *
     8  eqix-dc5.yandex.com (2001:504:0:2:0:1:3238:2)  35.740 ms  35.722 ms  35.707 ms
     9  fra1-b1.yndx.net (2a02:6b8:0:2400::1)  120.582 ms ams1-b1.yndx.net (2a02:6b8:0:1800::100)  114.647 ms  117.272 ms
    10  jansson.yndx.net (2a02:6b8:0:3401::1)  149.621 ms sibelius.yndx.net (2a02:6b8:0:3401::2)  148.654 ms jansson.yndx.net (2a02:6b8:0:3401::1)  149.583 ms
    11  * * *
    12  * * *
    13  sas1-c1.yndx.net (2a02:6b8:0:1a00::2)  166.981 ms  166.921 ms  169.182 ms
    14  smtp.yandex.ru (2a02:6b8::38)  163.741 ms  164.480 ms  163.232 ms
    
    Legend:
    • ( 00 * * * ) = Packet Loss experienced during hop # 00
    • ( ... ) = Destination not reached.. Packet has gone to hell
    This shows you all the nodes that packet hopped across to get to the yandex server.

    Reason I say try this is simply to begin the elimination process... I read the entire thread 'this time' and saw no reference to the VPS actually completing a connection to yandex of any type.

    Moral of the post:
    • If this fails, this data can show where the point of failure is (considering no firewall's stopping the ICMP packet of course, which has been stated already, as no firewall rules exist).
    • If these 2 succeed, then the problem is in the NAT process somewhere... since we've eliminated the route being broken.

    at the very least... it's more data collected for @Bryan
    ----
    To remove/uninstall traceroute
    Code:
    (root)# apt-get remove traceroute
     
    Last edited: Oct 7, 2017
  20. IEpicDestroyer

    IEpicDestroyer Premium VPS Client

    Messages:
    103
    Likes Received:
    18
    @Joe Rodriguez That's going to be really helpful for others. However, I'm not just testing my connection to the SMTP relay; I tried other email servers, with no successful connections. I'm able to ping the server, it's just that I can't make any sort of SMTP connection, even if it's going to the usual ports (well, maybe for some reason 2525 is also blocked, can't be sure).

    ping smtp.yandex.ru
    PING smtp.yandex.ru (213.180.204.38) 56(84) bytes of data.
    64 bytes from smtp.yandex.ru (213.180.204.38): icmp_seq=1 ttl=56 time=190 ms
    64 bytes from smtp.yandex.ru (213.180.204.38): icmp_seq=2 ttl=56 time=190 ms
    64 bytes from smtp.yandex.ru (213.180.204.38): icmp_seq=3 ttl=56 time=190 ms
    64 bytes from smtp.yandex.ru (213.180.204.38): icmp_seq=4 ttl=56 time=190 ms
    ^C
    --- smtp.yandex.ru ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3001ms
    rtt min/avg/max/mdev = 190.819/190.863/190.949/0.050 ms

    Maybe something's scanning my packets for filtering? Or it could still be port-based blocking somewhere. I'm able to make telnet connections but can't make any sort of SMTP connection. As a temporary workaround, is there a way I can tunnel connections going to that server through my other VPS so at least connections are working-ish? I'd like to fix the real issue however, but I'm completely lost on how this happened...
     
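    The question raised in posts 16 and 20 (is it port-based blocking, or are SMTP connections specifically being dropped?) and the elimination procedure in post 19 (ping, then traceroute, then the application port) can be folded into one probe that records, per host, port and address family, whether the TCP connect came back open, refused, or silently timed out. A "refused" means the packet reached a host and was answered; a "timeout" on the SMTP ports while port 23 to route-server.he.net is "open" points at a filter on the path rather than broken routing. The script below is an added example written for this thread, not code from any of the posters; it assumes bash's `/dev/tcp` redirection, coreutils `timeout` (or `gtimeout`) and glibc `getent`, and the hosts and ports are the ones mentioned in the thread.

    ```shell
    #!/usr/bin/env bash
    # Added example (not from the thread): probe TCP reachability per host, port and
    # address family so a "Connection timed out" can be told apart from "refused",
    # and a port-based block from an SMTP-specific one. Assumes bash (/dev/tcp),
    # coreutils timeout/gtimeout and glibc getent. Hosts/ports are from the thread.

    TIMEOUT_BIN=$(command -v timeout || command -v gtimeout || true)

    # Map a connect attempt's exit status and stderr text to one word.
    classify_result() {
      local rc=$1 err=$2
      if [ "$rc" -eq 0 ]; then echo open; return; fi
      if [ "$rc" -eq 124 ]; then echo timeout; return; fi   # killed by timeout(1)
      case "$err" in
        *refused*)                  echo refused ;;      # host answered with RST: not a silent filter
        *"No route"*|*unreachable*) echo unreachable ;;  # routing problem / ICMP unreachable
        *"timed out"*)              echo timeout ;;      # kernel connect timeout hit first
        *)                          echo error ;;        # DNS failure, sandbox restriction, etc.
      esac
    }

    # probe_tcp HOST PORT [SECONDS]: print open|refused|timeout|unreachable|error.
    # HOST may be a name, an IPv4 literal or an IPv6 literal (bash passes it to getaddrinfo).
    probe_tcp() {
      local host=$1 port=$2 secs=${3:-5} err rc
      if [ -n "$TIMEOUT_BIN" ]; then
        if err=$("$TIMEOUT_BIN" "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1); then rc=0; else rc=$?; fi
      else
        if err=$(bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1); then rc=0; else rc=$?; fi
      fi
      classify_result "$rc" "$err"
    }

    # Resolve HOST's A and AAAA records separately so the v4 and v6 paths are probed
    # independently; the telnet runs in the thread tried the AAAA address first.
    resolve_addrs() {
      { getent ahostsv4 "$1"; getent ahostsv6 "$1"; } 2>/dev/null | awk '{print $1}' | sort -u
    }

    # Probe every host:port from the thread against every resolved address.
    # Reading the table: "timeout" only on 25/465/587/2525 with port 23 "open" points
    # at port-based filtering between the VPS and the internet; "timeout" on all of
    # them, or only on one address family, points at routing or NAT instead.
    probe_matrix() {
      local target host port addr
      for target in smtp.yandex.com:25 smtp.yandex.com:465 smtp.yandex.com:587 \
                    smtp.sparkpostmail.com:2525 route-server.he.net:23; do
        host=${target%:*}; port=${target##*:}
        for addr in $(resolve_addrs "$host"); do
          printf '%-26s %-5s %-40s %s\n' "$host" "$port" "$addr" "$(probe_tcp "$addr" "$port" 5)"
        done
      done
    }

    # Only touch the network when asked (PROBE_RUN=1 ./probe.sh), so the file can be
    # sourced for its functions without firing connections.
    if [ "${PROBE_RUN:-0}" = 1 ]; then probe_matrix; fi
    ```

    Run it as `PROBE_RUN=1 bash probe.sh` on the affected VPS and on the working one and diff the two tables; that gives the host an exact host/port/address triple that fails instead of "email doesn't work". If every SMTP row is "timeout" on both address families while the route-server row is "open", the filter is port-based and above the VPS's own (empty) iptables, which is what the thread's evidence so far suggests.
    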
