Is it a virus or an incorrect setup

Discussion in 'Mac OS X Server, Xserve, and Networking' started by aicul, May 30, 2013.

  1. aicul macrumors 6502a

    Jun 20, 2007
    no cars, only boats
    My iMac SL server is acting up. It just slows down dramatically. I mean slow. Real slow. Then autoconnect to the fileserver just does not work. So I have to go to the server and in System Preferences to STOP/START AFP. Then things improve. Only to deteriorate again.

    The slowdown is quite random. Sometimes it happens after a few minutes of AFP STOP/START sometimes days. Just a pain.

    Initially I looked at the System logs and found many services restarting. I solved that (other thread). But the problem is just returning. So that action was more of a household action but not a solution.

    So I am asking myself if this is a virus, or some setup error on my side.

    Can anyone suggest some investigation paths?
  2. aicul thread starter macrumors 6502a

    Jun 20, 2007
    no cars, only boats
    I've looked at the secure log and found these entries:

    A whois on the IP leads me to Russia !

    How can I kill this access? I have no idea how to manage the firewall. :eek:
  3. dan1eln1el5en macrumors 6502


    Jan 3, 2012
    Copenhagen, Denmark
    "Authentication: FAILED "

    They didn't get in.

    I managed a few servers, also OS X servers, and you will see this message a lot; as long as it is a failed connection it's OK ;)

    A server on the internet should 100% definitely use a firewall, and you want to disable VNC access, move SSH from 21 to something else and so on :)

    Don't really know about your original problem, but it's not very likely to be a virus; more likely is a wrong setup, and likely-but-not-really would be someone using your server for mailing spam or similar (use a firewall).
  4. mwhities macrumors 6502a

    Jul 13, 2011
    FTP is port 21 - SSH is port 22.

    Always use a firewall, never have VNC open to the net. If you don't move SSH to a different port (I didn't), get used to the logs and MAKE SURE you use LONG and SECURE passwords. :)
  5. aicul thread starter macrumors 6502a

    Jun 20, 2007
    no cars, only boats
    I have the firewall active. But that is not the end of the story.

    How does one use it? I mean I understand the basics, but just trying to block an IP address (i.e. blacklist) seems close to impossible.
  6. brand macrumors 601


    Oct 3, 2006

    Then you have no business managing a network or server. Network and server security are things not to be taken lightly. You need to pay professionals that actually know what they are doing.

    Sorry to be so blunt but it is the truth.
  7. aicul thread starter macrumors 6502a

    Jun 20, 2007
    no cars, only boats

    Point taken, that is the blunt truth if you have a complex setup.

    And let's not forget that Apple is helping make the specialist job real useful, and not for simple setups.

    I could also pay a specialist, and then not do anything. I think security is about setup - and continuous control. A specialist rarely gives continuous control.

    After all, blocking an IP address should not be complex, and should not require an educated specialist magician.

    Thanks for your input anyway.
  8. Umac-de macrumors newbie

    Jan 9, 2013
    Google for "fail2ban mac server"...
    From the description:
    "Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc)."
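
Added example, not part of the thread and not Fail2ban's own code: a minimal version of the log-scanning idea quoted above, counting "Authentication: FAILED" entries per source address inside a sliding time window. The log lines are constructed and their layout is an assumption (only the "Authentication: FAILED" text appears in the thread); `find_offenders`, `max_retry` and `find_time` are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges); the layout is assumed.
SAMPLE_LOG = """\
May 30 09:00:00 server screensharingd[212]: Authentication: FAILED :: User Name: admin :: Viewer Address: 198.51.100.23 :: Type: DH
May 30 09:30:00 server screensharingd[212]: Authentication: FAILED :: User Name: admin :: Viewer Address: 198.51.100.23 :: Type: DH
May 30 10:14:50 server screensharingd[212]: Authentication: FAILED :: User Name: aicul :: Viewer Address: 192.0.2.10 :: Type: DH
May 30 10:15:01 server screensharingd[212]: Authentication: FAILED :: User Name: root :: Viewer Address: 203.0.113.7 :: Type: DH
May 30 10:15:05 server screensharingd[212]: Authentication: SUCCEEDED :: User Name: aicul :: Viewer Address: 192.0.2.10 :: Type: DH
May 30 10:15:40 server screensharingd[212]: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7 :: Type: DH
May 30 10:16:12 server screensharingd[212]: Authentication: FAILED :: User Name: test :: Viewer Address: 203.0.113.7 :: Type: DH
May 30 10:20:00 server someservice[99]: unrelated line that must be ignored
May 30 10:45:00 server screensharingd[212]: Authentication: FAILED :: User Name: admin :: Viewer Address: 198.51.100.23 :: Type: DH
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"Authentication: (?P<result>FAILED|SUCCEEDED) .*?"
    r"Viewer Address: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2013):
    """Return {ip: timestamp of the failure that reached max_retry within find_time}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["result"] != "FAILED":
            continue              # successes and unrelated lines do not count
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        if len(window) >= max_retry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when}")
```

Only 203.0.113.7 is reported: 198.51.100.23 also fails three times, but spread over almost two hours, which is why a time window matters as much as the count.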
