
Resolved Nginx error log shows foreign domains pointed to our server.

afuego

Basic Pleskian
Plesk Certified Expert
Server operating system version: Ubuntu 20.04.5
Plesk version and microupdate number: 18.0.49
Last night some of our websites went down with 503 errors because the MaxRequestWorkers server limit was reached. Reviewing the Nginx error log, I noticed about 8 different domains listed as "host" that point to our public IP address.

Why would someone point these domains to our server without our knowledge? How do we lock it down? Should we block the client IP address or the domains?

Nginx error
root@plesk:~# cat /var/log/nginx/error.log |grep "Connection timed out" |tail -1
2023/01/18 05:23:39 [error] 557940#0: *12873929 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 3.89.164.170, server: , request: "GET / HTTP/1.1", upstream: "http://our-internal-ip:7080/", host: "foreigndomain.com"

Apache error
root@plesk:~# cat /var/log/apache2/error.log |grep ServerLimit | tail -1
[Wed Jan 18 05:24:05.421117 2023] [mpm_event:error] [pid 1601908:tid 140030268120128] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.

Thank you for your advice!
 
It could be happening by accident because someone on the Internet misconfigured the IP address. But sometimes this could also be a way to attack a server. You can block requests for the foreign domain that are directed to your server by adding this to iptables:

Code:
# iptables -I INPUT 1 -p tcp -m multiport --dports 80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I FORWARD 1 -p tcp -m multiport --dports 80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

# iptables -I OUTPUT 1 -p tcp -m multiport --dports 80,443,7080,7081,8443,8447 -m string --algo bm --string "DOMAIN.TLD" -j REJECT --reject-with tcp-reset

Replace "DOMAIN.TLD" with the foreign domain for which you wish to block all traffic.
 
Why all three? Shouldn't INPUT be enough?
This could take considerable processing power because all packets are screened for the (sub)string, although on the SSL ports you can only get a hit for connections in the SNI phase of the negotiation.
It would probably be more efficient to add the domain(s) as a trigger to fail2ban.
 
Why all three? Shouldn't INPUT be enough?
Yes, it should. But I have seen cases here where the "attack" was actually not started from the outside but from a website on the server itself, asking another server to request more data. For that reason it is best to block all options.

This could take considerable processing power because all packets are screened for the (sub)string, although on the SSL ports you can only get a hit for connections in the SNI phase of the negotiation.
Yes, these rules are using a lot of CPU power for the "bm" option alone. But it is still minimal as there are not many of them.

It would probably be more efficient to add the domain(s) as a trigger to fail2ban.
Please provide the exact steps that are needed for that alternative solution. I certainly agree that doing this through Fail2Ban can also be a good approach. However, my approach stops the issue for sure right now while fail2ban needs configuration and testing time (for a new jail for example). I prefer the "stop it now" solution in such cases, but another solution can also work.
 
Please provide the exact steps that are needed for that alternative solution. I certainly agree that doing this through Fail2Ban can also be a good approach. However, my approach stops the issue for sure right now while fail2ban needs configuration and testing time (for a new jail for example). I prefer the "stop it now" solution in such cases, but another solution can also work.
I have not used fail2ban myself yet, but from what I gathered it scans the logs for keywords (failed logins, attempts to access certain URLs from exploits ...) and bans the IP associated with it. So if that domain name was added as a bad word it would block any IP attempting to access that domain. That might be a bit harsh, but efficient as an IP filter costs far less CPU than a substring search.

However both approaches won't work for domains that also normally occur in traffic, so one should be careful.
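The thread leaves two things open: how to find out which foreign domains and clients are actually hitting the server, and how a fail2ban filter for this would look. The script below is an added example written for this page, not code from any of the participants or from Plesk or fail2ban. It parses nginx error.log lines in the format quoted above, reports every Host value that is not one of the server's own domains (the OUR_DOMAINS set and the log lines are constructed for the example), and builds a fail2ban-style failregex that matches the `host: "..."` field exactly. Matching the whole Host field rather than a substring is what avoids the problem raised in the last reply, where a domain string that also occurs in normal traffic would be caught; the `substring_hits` function is included only to show that difference on the sample lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/nginx/error.log lines in the same format as the
# line quoted in the thread. Client IPs and domains are made up for the example.
SAMPLE_LOG = """\
2023/01/18 05:23:39 [error] 557940#0: *12873929 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.10, server: , request: "GET / HTTP/1.1", upstream: "http://10.0.0.5:7080/", host: "foreigndomain.com"
2023/01/18 05:23:41 [error] 557940#0: *12873931 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.10, server: , request: "GET /wp-login.php HTTP/1.1", upstream: "http://10.0.0.5:7080/", host: "foreigndomain.com"
2023/01/18 05:23:45 [error] 557940#0: *12873940 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 198.51.100.7, server: , request: "GET / HTTP/1.1", upstream: "http://10.0.0.5:7080/", host: "another-foreign.example"
2023/01/18 05:23:50 [error] 557940#0: *12873955 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.44, server: ourshop.example, request: "GET /cart HTTP/1.1", upstream: "http://10.0.0.5:7080/", host: "ourshop.example"
2023/01/18 05:23:52 [error] 557940#0: *12873960 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.10, server: , request: "GET / HTTP/1.1", upstream: "http://10.0.0.5:7080/", host: "foreigndomain.com:443"
"""

# Domains really hosted on this server (assumed list for the example; on a Plesk
# box you would fill this from the domains configured in the panel).
OUR_DOMAINS = {"ourshop.example", "ourblog.example"}

# Fields of an nginx error-log entry that carries client/request context.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>[^,]*), '
    r'request: "(?P<request>[^"]*)", .*?host: "(?P<host>[^"]*)"'
)


def parse_line(line):
    """Parse one error.log line into a dict, or None if it has no request context."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    host = rec["host"].lower()
    # Normalise the Host header: drop a trailing :port ("example.com:443", "[::1]:443").
    if host.startswith("["):
        host = host[: host.index("]") + 1] if "]" in host else host
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    rec["host"] = host
    return rec


def foreign_hosts(log_text, our_domains=OUR_DOMAINS):
    """Map each Host value that is not ours (or a subdomain of ours) to {client_ip: hits}."""
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"]
        if host in our_domains or any(host.endswith("." + d) for d in our_domains):
            continue
        result[host][rec["client"]] += 1
    return {h: dict(c) for h, c in result.items()}


def fail2ban_failregex(domain):
    """failregex that fires only when the Host field is exactly `domain` (optionally :port).

    <HOST> is fail2ban's own placeholder for the client address; the pattern is not
    anchored with ^ so it works whether or not fail2ban has already consumed the timestamp.
    """
    return (r'\[error\] .*client: <HOST>, server: [^,]*, request: "[^"]*", '
            r'.*host: "' + re.escape(domain) + r'(?::\d+)?"\s*$')


def fail2ban_filter_conf(domain):
    """Text of a minimal filter.d/<name>.conf for the domain."""
    return "[Definition]\nfailregex = %s\nignoreregex =\n" % fail2ban_failregex(domain)


def matching_clients(log_text, domain):
    """Local dry run of the failregex: client IPs fail2ban would see for `domain`.

    The <HOST> expansion used here is a simplified stand-in (assumption) for fail2ban's.
    """
    pattern = re.compile(
        fail2ban_failregex(domain).replace("<HOST>", r"(?P<ip>[0-9a-fA-F.:]+)")
    )
    return [m.group("ip") for m in (pattern.search(l) for l in log_text.splitlines()) if m]


def substring_hits(log_text, needle):
    """Lines containing `needle` anywhere: what a plain substring block would catch."""
    return sum(1 for l in log_text.splitlines() if needle in l)


if __name__ == "__main__":
    for host, clients in foreign_hosts(SAMPLE_LOG).items():
        print(host, clients)
    print(fail2ban_filter_conf("foreigndomain.com"))
    print("exact-host matches:", matching_clients(SAMPLE_LOG, "domain.com"))
    print("substring matches:", substring_hits(SAMPLE_LOG, "domain.com"))
```

Run against the real log with `python3 script.py` after replacing SAMPLE_LOG with the file contents, and the foreign-host summary tells you which Host values and which client IPs are behind the timeouts before you block anything. To use the generated filter, save its text under /etc/fail2ban/filter.d/, point a jail at /var/log/nginx/error.log, and check the pattern with fail2ban's own `fail2ban-regex` tool against the log before enabling the jail. Because fail2ban bans the client address for everything, add your own monitoring and office addresses to `ignoreip`, and keep in mind that a shared egress address (NAT, a CDN or proxy) would be banned for all the users behind it.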
 