Bad gateway hack help

Question

I was running rocket.chat and everything was fine but then I got a bad gateway message on my site.

I checked and the status was active and green. But I got this message too
“Received disconnect from IP ADDRESS #### port ####: Bye Bye [preauth]
Disconnected from invalid user NAME IP ADDRESS #### port #### [preauth]

And this goes on and on. Any help is very much appreciated !!!!

Answer 1

KFSys July 14, 2020

Hi @workshopdebate,

It is likely that the attacker is using some custom code to brute-force the server which is ending up in malformed authentication requests being sent, resulting in the server killing the connection. So from the code it appears they are in fact trying to login, but the server doesn’t like how they’re attempting that.

As such, these log entries aren’t anything to worry about unless you think you are likely to be a targeted victim for any reason (in which case you should be taking extra precautions such as refusing password-based logins).

Anyway, I’ll suggest you install fail2ban or any other service that helps you with such attempts.

Regards,
KFSys

Reply Report

workshopdebate July 15, 2020

Hi KFSys,

Thank you so much for your quick reply! I really appreciate it and will definitely look into fail2ban!

I did a little further investigating and learned that rocket.chat had an update and I think that the update may have broken my droplet. Also, I realized that I was wrong in my original post–my rocket.chat was not running originally but the SSH was. I got the rocket.chat fixed and it is back up and running, but do you think that what I described in my original post was not in fact, someone attempting to attack, but perhaps more so related to the update/broken deployment? Or do you think it was more likely an attacker and it was just a coincidence that the update broke the deployment?

Thanks so much for your time and consideration! I really appreciate it!!!

Best,
M
Reply Report
- KFSys July 15, 2020
  
  Hi @workshopdebate,
  
  Depends on the IP address you’ve seen. If it was the one of the droplet then yes, it’s related to the broken deployment. If it’s a different one I would assume it’s on a random bot trying to access your application in a bad way.
  
  Reply Report
  
  workshopdebate July 16, 2020
  
  Gotcha! Thanks so much!!
  
  Reply Report

Answer 2

workshopdebate July 15, 2020

Hi KFSys,

Thank you so much for your quick reply! I really appreciate it and will definitely look into fail2ban!

I did a little further investigating and learned that rocket.chat had an update and I think that the update may have broken my droplet. Also, I realized that I was wrong in my original post–my rocket.chat was not running originally but the SSH was. I got the rocket.chat fixed and it is back up and running, but do you think that what I described in my original post was not in fact, someone attempting to attack, but perhaps more so related to the update/broken deployment? Or do you think it was more likely an attacker and it was just a coincidence that the update broke the deployment?

Thanks so much for your time and consideration! I really appreciate it!!!

Best,
M
Reply Report
- KFSys July 15, 2020
  
  Hi @workshopdebate,
  
  Depends on the IP address you’ve seen. If it was the one of the droplet then yes, it’s related to the broken deployment. If it’s a different one I would assume it’s on a random bot trying to access your application in a bad way.
  
  Reply Report
  
  workshopdebate July 16, 2020
  
  Gotcha! Thanks so much!!
  
  Reply Report

Related

Question

Bad gateway hack help

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Bad gateway hack help

Related

Leave a comment

Related

question

How do I increase the client slots on my TS3 server?

question

Is it possible to port forward? If so, is it allowed to host a gameserver?

question

How to install steamcd/garry's mod server?

question

Is there any plan to expand in EU?

Looking for something else?