VPS信息:digitalocean,ubuntu,用途:托管本博,开vpn.
事件记录
搜索了一圈发现有很多人因为收到DO警告没处理就直接被封了帐号的,所以把我暂时的处理过程整理成一片流水日志,网上的大多数被封的原因都是由于一个用户注册多个帐号所致,我的并不是这个原因.但是看大家的经历果然还是应该换linode么…
20140721:官方发邮件提醒我的帐号有新的ticket.邮件如下:
Oh no! We've found an issue with your account and issued you a new ticket that needs to be addressed as soon as possible. Please login to view the ticket: https://www.digitalocean.com/support Thanks so much, DigitalOcean
登录到帐号发现我的vps因为发送垃圾邮件被反垃圾邮件组织警告了,邮件大体如下:(我把部分邮件信息发上来,以方便遇到同样问题的朋友搜索到.我谷歌搜索邮件内容没有找到任何满意的答案…)
Please review the following abuse complaint and provide us with a resolution: ****************************** Hi Abuse Team, This is an RBL nomination for the following lists of IP addresses that are in the process of being listed to the RBL as a spam source and/or is an originating spam source in progress. -- 中间省去他收集到有人非法使用我的IP地址发垃圾邮件的证据信息 I certify that I have followed the procedures and criteria required for listing these IP addresses in the Trend Micro/ MAPS RBL. ****************************** Please note that generating multiple abuse complaints in a short period of time may lead to your account being suspended.
全文的大概意思就是我的IP地址被人用在发送垃圾邮件上了.(他们不找到这垃圾邮件是谁发送的,后面的邮件中可以看出,怀疑对象包括帐号主人我~),其中提到RBL,RBL是神马?谷歌下才知道
- RBL
RBL全称是REAL-TIME BLANKHOLE LISTS,是国外的反垃圾邮件组织提供的检查垃圾邮件发送者地址的服务
原来反垃圾邮件组织通过RBL查询到我的IP有发送垃圾邮件.于是把报告发送到DO空间商.然后空间商再邮件通知了我,让我处理下.
处理记录
一开始头都大了,我的VPS使用绑定的ssh key登录,把很多东西都禁止了,只装了托管博客和VPN需要的几个软件,怎么会发送垃圾邮件呢?于是我想到可能是我的博客评论邮件通知功能导致的,我的博客评论通知使用了WP-Mail-SMTP插件 + google 的SMTP服务.并没有使用本机的任何SMTP服务,怎么会就发送垃圾邮件了呢?于是我尝试使用我4级都没过,高考不及格的英文问问客服:
hi. I don`t know why happened that,and I am not a hacker. I create my blog use WordPress at here,and use a plug-in ask"WP-Mail-SMTP",the plugin can send email (use gmail SIMP) to some one who make a comments to my blog. Is caused by "WP-Mail-SMTP"?? at now I just stop the plugin Hope you to help me!! Rect 大意: 我不知道为什么会发生这种事情,我不是一个黑客.并不会这种事情. 我使用wordpress在这建了博客,然后使用了邮件插件,插件的功能是给那些评论我博客的人发送提醒邮件. 是由于这个插件的问题么? 我下面该怎么做,希望得到你的指点.
美利坚的办事就是高效,三分钟后那边回复了:
Hello, I understand this can be frustrating as this type of attack is usually a sign that your droplet has been compromised. Cleaning a compromised server can be very difficult and time consuming. I usually recommend copying needed files from the droplet and creating a new droplet from a clean image. If you have backups enabled and have a backup from prior to the attacks, this can be used to rebuild your droplet to an earlier, clean state from the control panel by clicking on your droplet, then Destroy, then Rebuild and selecting your backup. Once you have your new, clean droplet up and running there are a few steps you can take to better secure it. 1.) Set a secure password using the passwd command on your droplet 2.) Set up an iptables firewall https://www.digitalocean.com/community/articles/how-to-set-up-a-firewall-using-ip-tables-on-ubuntu-12-04 3.) Configure fail2ban to protect your ssh server and/or change the port ssh is running on https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04 https://www.digitalocean.com/community/articles/initial-server-setup-with-ubuntu-12-04 Let us know your plan of action for investigating and resolving this issue. 大意: 我明白你的懊恼,这种攻击行为会让你的虚拟主机被破坏(污染?中毒?),清理可能非常困难,建议你删了原来的droplet再新建一个..如果你之前有备份的话 可以直接恢复到之前的. 在你重新建立虚拟主机的时候建议从以下几个方面加强防护: 1. 重新设置主机密码 2. 设置iptables 防火墙 3. 使用fail2ban 保护ssh访问.
邮件虽然说得很明白,,但是对于本身对服务器不精通的我来说,删了重新建一个虚拟主机肯定不是最优方案.于是我目前的处理方案是:
- 重新设置主机密码,不过我用的并不是这个工具,但命令相同
- 重新设置防火墙
- 使用fail2ban 保护ssh访问.
- 设置iptables 完全禁止SMPT
搞定后还要去问问客服我还需要做什么.得到客服的回答是:
That should resolve the issue. If we receive further spam complaints we will inform you. 大意: 这样应该解决了这个问题,如果我们再收到垃圾邮件投诉,我们会再通知你的.
总算松了一口气,对于这个问题的处理暂时到这里,如果还有后续的话 再更新到这里.
我的DOVPS也是这样,我没有多开账户,我试验了一下,只要安装mysql就会被警告