Is it a virus or an incorrect setup

aicul
May 30, 2013, 12:56 PM
My iMac SL server is acting up. It just slows down dramatically. I mean slow. Real slow. Then autoconnect to the fileserver just does not work. So I have to go to the server and in System Preferences to STOP/START AFP. Then things improve. Only to deteriorate again.

The slowdown is quite random. Sometimes it happens after a few minutes of AFP STOP/START sometimes days. Just a pain.

Initially I looked at the System logs and found many services restarting. I solved that (other thread). But the problem is just returning. So that action was more of a household action but not a solution.

So I am asking myself if this is a virus, or some setup error on my side.

Can anyone suggest some investigation paths?



aicul
May 30, 2013, 01:19 PM
I've looked at the secure log and found these entries:


May 30 20:14:32 server /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[329]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 62.117.105.44 :: Type: VNC DES
May 30 20:15:52 server /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[329]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 62.117.105.44 :: Type: VNC DES


A whois on the IP leads me to Russia !

How can I kill this access? I have no idea how to manage the firewall. :eek:

dan1eln1el5en
May 31, 2013, 02:44 AM
"Authentication: FAILED "

They didn't get in.

I managed a few servers, also OS X servers, and this message you will see a lot, as long as it is a failed connection it's ok ;)

a server on the internet should 100% definitely use a firewall, and you want to disable VNC access, move SSH from 21 to something else and so on :)

Don't really know about your original problem, but it's not very likely to be a virus, more likely is wrong setup and likely-but-not-really would be someone using your server for mailing spam or similar (use firewall)

mwhities
May 31, 2013, 09:16 AM
> "Authentication: FAILED "
>
> They didn't get in.
>
> I managed a few servers, also OS X servers, and this message you will see a lot, as long as it is a failed connection it's ok ;)
>
> a server on the internet should 100% definitely use a firewall, and you want to disable VNC access, move SSH from 21 to something else and so on :)
>
> Don't really know about your original problem, but it's not very likely to be a virus, more likely is wrong setup and likely-but-not-really would be someone using your server for mailing spam or similar (use firewall)

FTP is port 21 - SSH is port 22.

Always use a firewall, never have VNC open to the net. If you don't move SSH to a different port (I didn't) get used to the logs and MAKE SURE you use LONG and SECURE passwords. :)

aicul
Jun 1, 2013, 05:11 PM
I have the firewall active. But that is not the end of the story.

How does one use it? I mean I understand the basics, but just trying to block an IP address (i.e. blacklist) seems close to impossible.

brand
Jun 1, 2013, 11:02 PM
> I have no idea how to manage the firewall.


Then you have no business managing a network or server. Network and server security are things not to be taken lightly. You need to pay professionals that actually know what they are doing.


Sorry to be so blunt but it is the truth.

aicul
Jun 2, 2013, 05:08 PM
Hi,

Point taken, that is the blunt truth if you have a complex setup.

And let's not forget that Apple is helping make the specialist job real useful, and not for simple setups.

I could also pay a specialist, and then not do anything. I think security is about setup - and continuous control. A specialist rarely gives continuous control.

After all, blocking an IP address should not be complex, and not require an educated specialist magician.

Thanks for your input anyway.

Umac-de
Jun 3, 2013, 12:03 PM
Google for "fail2ban mac server"...
Out of its description:
"Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc)."
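As an added illustration of what fail2ban does with log lines like the AppleVNCServer "Authentication: FAILED" entries quoted earlier in the thread, here is a small, self-contained Python script (not part of this thread or of fail2ban itself). It parses constructed secure.log lines of that shape, counts failed VNC logins per viewer address, bans an address once it reaches a threshold of failures inside a time window (fail2ban's maxretry/findtime idea), and renders one deny rule per banned address in ipfw syntax, which is the firewall Snow Leopard uses. The log lines, the addresses (TEST-NET documentation ranges), the thresholds and the rule rendering are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample secure.log excerpt: same shape as the AppleVNCServer lines
# quoted in the thread, with documentation-range addresses instead of real hosts.
# The last line is an unrelated (constructed) sshd entry that must be ignored.
VNC = ("/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle"
       "/Contents/MacOS/AppleVNCServer[329]: Authentication: FAILED :: "
       "User Name: N/A :: Viewer Address: {ip} :: Type: VNC DES")
SAMPLE_LOG = "\n".join([
    "May 30 20:14:32 server " + VNC.format(ip="198.51.100.7"),
    "May 30 20:15:52 server " + VNC.format(ip="198.51.100.7"),
    "May 30 20:16:10 server " + VNC.format(ip="203.0.113.9"),
    "May 30 20:17:03 server " + VNC.format(ip="198.51.100.7"),
    "May 30 21:40:00 server " + VNC.format(ip="203.0.113.9"),
    "May 30 21:41:00 server " + VNC.format(ip="203.0.113.9"),
    "May 30 21:42:00 server sshd[410]: Accepted publickey for admin "
    "from 192.0.2.5 port 51000 ssh2",
])

# Matches only AppleVNCServer authentication failures and captures the
# syslog timestamp and the remote viewer address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S*AppleVNCServer\[\d+\]: "
    r"Authentication: FAILED :: .*?Viewer Address: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def failures_by_ip(log_text):
    """Count failed VNC logins per viewer address (the 'who is knocking' view)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def find_bans(log_text, maxretry=3, findtime=600, year=2013):
    """Return {ip: time_of_ban} for addresses reaching maxretry failures
    within a sliding window of findtime seconds. Syslog timestamps carry no
    year, so one is supplied (assumed 2013 to match the thread)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in banned:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime seconds relative to this one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ipfw_rules(banned):
    """Render one ipfw deny rule per banned address. ipfw is the firewall on
    Snow Leopard; this rule form is an assumption for the example and is only
    rendered, never executed here."""
    return [f"ipfw add deny ip from {ip} to any" for ip in sorted(banned)]


if __name__ == "__main__":
    for ip, n in sorted(failures_by_ip(SAMPLE_LOG).items()):
        print(f"{ip}: {n} failed VNC logins")
    for rule in ipfw_rules(find_bans(SAMPLE_LOG)):
        print(rule)
```

With the defaults, 198.51.100.7 is banned after its third failure inside ten minutes, while 203.0.113.9 also fails three times but with an hour-long gap, so its window never holds three entries and it is only reported, not banned. Lowering maxretry to 2 bans both, which is the trade-off fail2ban's settings let you tune.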