2

Our network administrator called me today and said there is a flood attack coming from my IP address. Why is my server doing that? Is there any fix for that? Thank you! I'm new to using Ubuntu.

vhin
  • 29
  • What is your server running? Which OS? And which version? It sounds like it's been compromised by either malware or a hacker. It's probably become part of a botnet. –  Aug 04 '15 at 13:51

1 Answer

6

First you need to see the open network connections:

netstat -atu -p


(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 xxx:domain              *:*                     LISTEN      -               
tcp        0      0 *:ssh                   *:*                     LISTEN      -               
tcp        0      0 localhost:ipp           *:*                     LISTEN      -               
tcp        0      0 *:microsoft-ds          *:*                     LISTEN      -               
tcp        0      0 *:50277                 *:*                     LISTEN      21497/skype     
tcp        0      0 *:netbios-ssn           *:*                     LISTEN      -               
tcp        1      0 xxx.xxx.xx.x:33429      yyy.yyy.yy.y:ipp        CLOSE_WAIT  19460/opera     
tcp        0      0 xxx.xxx.xx.x:35816      yyy.yyy.yy.y:http   TIME_WAIT   -               
tcp        0      0 xxx.xxx.xx.x:35791      yyy.yyy.yy.y:http   TIME_WAIT   -               
tcp        0      0 xxx.xxx.xx.x:35775      yyy.yyy.yy.yt:http   TIME_WAIT   -               
tcp        0      0 xxx.xxx.xx.x:58245      yyy.yyy.yy.y:https  ESTABLISHED 20773/chrome    
tcp        0      0 xxx.xxx.xx.x:52227      yyy.yyy.yy.y:5228 ESTABLISHED 20773/chrome    
tcp        0      0 xxx.xxx.xx.x:35831      yyy.yyy.yy.y:http   TIME_WAIT   -               
tcp        0      0 xxx.xxx.xx.x:52911      yyy.yyy.yy.y:https  ESTABLISHED 20773/chrome    

With this you will see which IP is connected and the PID of the process. Then disconnect the service by killing the process:

sudo kill -9 21497

This will kill the Skype connection in our example. Kill all connections you don't want on your server.

Bring up ufw Ubuntu Fire Wall

sudo ufw enable

After that you can allow a host or network to access a service or all resources:

sudo ufw allow 22

This rule will allow everyone to access the server using port 22, aka SSH.

sudo ufw allow 80/tcp

will allow web access

sudo ufw allow from 192.168.255.255

will allow all resources (SSH, HTTP, FTP) from 192.168.255.255.

This is a first step. Based on the type of server, you must allow traffic for some resources. For a mail server you must allow port 25 for sending mail, 80 for a web server ...

If your server is a web server, this Q&A has some tips.

And for a mail server: How to secure postfix on Ubuntu Server ...

Give us more details for a more precise answer.

2707974
  • 10,553
  • 6
  • 33
  • 45
  • I fixed the English a little, please feel free to rollback my modifications if you think I changed the meaning of something in your answer – Dan Aug 04 '15 at 14:26
  • 1
    Bring up ufw Ubuntu Fire Wall leaving it like that may mislead the reader into believing that ufw actually stands for Ubuntu Fire Wall (which it does not). – Cthulhu Aug 04 '15 at 14:52
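The answer above reads the `netstat -atup` listing by eye; on a host that is really flooding someone, that listing can run to thousands of lines, and the useful signal is "which process holds how many connections to which remote host". The script below is an added example (not part of the answer or the question) that summarises that listing with awk and flags any process/remote-host pair above a threshold. The sample output embedded in it is constructed to mirror the answer's listing; the addresses, PIDs and the program name `unknownproc` are placeholders, not real hosts or malware names. On a live system you would pipe `sudo netstat -atup` into `flag_floods` instead.

```shell
#!/bin/sh
# Added example: summarise `netstat -atup` output to spot a single process holding
# many connections to one remote host, which is what an outbound flood looks like.
# Run netstat with sudo on a real system; without root the PID/Program column shows "-".

# Constructed sample modelled on the answer's listing. Addresses are documentation
# ranges (RFC 5737), PIDs and "unknownproc" are placeholders.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ssh                   *:*                     LISTEN      -
tcp        0      0 10.0.0.5:58245          203.0.113.7:https       ESTABLISHED 20773/chrome
tcp        0      0 10.0.0.5:40001          198.51.100.9:http       SYN_SENT    24680/unknownproc
tcp        0      0 10.0.0.5:40002          198.51.100.9:http       SYN_SENT    24680/unknownproc
tcp        0      0 10.0.0.5:40003          198.51.100.9:http       SYN_SENT    24680/unknownproc
tcp        0      0 10.0.0.5:40004          198.51.100.9:http       ESTABLISHED 24680/unknownproc
tcp        0      0 10.0.0.5:35816          203.0.113.8:http        TIME_WAIT   -'

# Read netstat output on stdin and print "count remote_host pid/program" for every
# connection that is not a listening socket and has an owning process, busiest first.
summarize_outbound() {
  awk '
    $1 ~ /^(tcp|udp)/ && $6 != "LISTEN" && $NF != "-" {
      host = $5
      sub(/:[^:]*$/, "", host)      # drop the port, keep the remote address
      key = host " " $NF            # group by remote host and owning process
      n[key]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Keep only pairs with at least $1 connections; that is the line to investigate
# (and the PID the answer tells you to kill) before tightening ufw.
flag_floods() {
  threshold="$1"
  summarize_outbound | awk -v t="$threshold" '$1 >= t'
}

# Live usage:  sudo netstat -atup | flag_floods 50
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE" | flag_floods 3
```

The threshold is a judgement call: a browser legitimately holds a handful of connections per site, so start high (tens or hundreds) and look at what stands out rather than treating every match as hostile. Once the owning PID is known, `ls -l /proc/<pid>/exe` and `ps -o user,lstart,cmd -p <pid>` tell you what binary is behind it and when it started, which is worth recording before you kill it.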