[TriLUG] Need help with fail2ban
Matt Flyer via TriLUG
trilug at trilug.org
Wed Mar 23 09:12:10 EDT 2016
> At any rate, it seems I have a larger issue. One of our sites was
> compromised, and the public IP is now on a world-side Transparent Proxy
> list. I suspect this is why our nginx access.log file had
> hundreds/thousands of connections for sites we donât host (as per my
> original email). Since trying to ban every IP address has become
> pointless, I will just decommission the public IP until it no longer
> appears on the proxy list.
>
> Thanks again for all the help/direction.
>
> -Ron
Ouch. Do you have any idea how the site became compromised? If the
machine was kept up to date on patching, it may be important to make this
determination as there may be an unknown vulnerability.
Unfortunately, this sort of thing is only going to become more and more of
a problem as people, including those without nefarious intentions,
desperately try to find ways to assert privacy into their communications.
I've been seeing a lot of talk, especially in non technical channels,
about people trying to find "free proxy or VPN" access to avoid being
spied upon. I suspect that a portion of these "proxies" are nothing more
than compromised hosts that are being used to relay traffic.
More information about the TriLUG
mailing list