Getting these messages from Moodle site to site admin

by Doulos Xavier -
Number of replies: 17

Getting these messages from Site admin. Anything to be concerned about, how do we prevent this?

SUBJECT: its realy today 06/25/2024
Be careful with this message. The sender was not logged in, so their
identity has not been confirmed.

NAME
TDonaldHit
-------------------------
EMAIL ADDRESS
mcksbd@outlook.com
-------------------------

In reply to Doulos Xavier

Re: Getting these messages from Moodle site to site admin

by Ken Task -
Picture of Particularly helpful Moodlers

I see an outlook.com address ... probably should think of that like 'lookout.com'!

You can also check your web servers access/error logs for references to the event to see the IP address.  Now don't ask me for specifics ... figure it out!

If the IP address seen in the logs doesn't match what you find in the Moodle user DB (lastaccess), investigate the IP address.

whois IPaddress#

from command line is a start.

'SoS', Ken

In reply to Ken Task

Re: Getting these messages from Moodle site to site admin

by Doulos Xavier -
Thanks! I was able to open the 'access.log' files for the server; it shows a number of IPs. This "Moodle user DB (lastaccess)" seems to be a separate project in itself, as I don't have cPanel or Webmin access.

In the error log file I am noticing this:

[Tue Jun 25 00:05:32.598914 2024] [php:error] [pid 59661] [client 41.248.170.219:64047] script '/var/www/website/public/.env>

Is this a security risk?

I am getting similar types of emails on a regular basis; it looks like SPAM. How do I stop this? Any ideas?
In reply to Doulos Xavier

Re: Getting these messages from Moodle site to site admin

by Ken Task -
Picture of Particularly helpful Moodlers

I suggested using a whois command from your server ... did you do that?

At your document root, do you have a .env file?

41.248.170.219:64047

From your server's command line:
whois 41.248.170.219

whois on that IP address shows:
netname:        ADSL_Maroc_telecom
high speed home connection IP
and supposedly from Morocco

From your server's command line - install nmap
then do a quick scan of ports at that IP:

nmap -P0 -p 22,80,443 41.248.170.219

will probably get same as me from my location:

Host is up.

PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  filtered http
443/tcp filtered https

In your ubuntu firewall, you could block any traffic coming from that entire
telco network using a rule to drop any traffic from 41.248.0.0/14 (IP address mask taken from whois info).

If you do that, no students/users of your moodle that use that telco will see
your server.

We are mixing two things here ... getting similar type emails ... is another story.

This really has nothing to do with Moodle ... your issues are at the network layer - you just happen to see things in moodle.

Suggest you find some tutorial/info on how to admin a Ubuntu server AND study!

'SoS', Ken

In reply to Ken Task

Re: Getting these messages from Moodle site to site admin

by Doulos Xavier -
Thanks for the detailed explanation...
In reply to Doulos Xavier

Re: Getting these messages from Moodle site to site admin

by Mary Cooch -
Picture of Documentation writers, Picture of Moodle HQ, Picture of Particularly helpful Moodlers, Picture of Testers, Picture of Translators
There is no chance this is related to yoursite/admin/settings.php?section=supportcontact, is there? What is your 'Support availability' set to?
In reply to Mary Cooch

Re: Getting these messages from Moodle site to site admin

by Doulos Xavier -
Hi Mary,

When you mention 'Support availability', what are you referring to? Could you clarify?

Regards
In reply to Ken Task

Re: Getting these messages from Moodle site to site admin

by Doulos Xavier -
Hi Ken, I am not able to find a file with the .env extension. My document root is $CFG->wwwroot = 'https://mywebsite'; I appreciate your help.
In reply to Doulos Xavier

Re: Getting these messages from Moodle site to site admin

by Ken Task -
Picture of Particularly helpful Moodlers

Are you asking if a .env file should be there or not?   Answer: your apache/nginx server should NOT ... repeat NOT ... serve out ANY ... repeat ANY ... dot file or the contents of a .directory.   Moodle code, regardless of how you acquire core code, DOES NOT ... repeat DOES NOT ... include a .env file.

Do a google search for .env and you'll read about a .env files usage.

So if you are seeing in error logs an IP address seeking any ... REPEAT ANY .file or contents of a 'dot' directory, they are poking and probing for a weakness - trying to find out if the web server admin is 'stupid' enough to allow!

If I see those, I do a whois on that IP .... and check moodle users table as well to see if an account in the moodle has used that IP address - yes, could have students in a moodle that are poking and probing.

If whois id's that IP address as a server not a computer on a home network, consider blocking that IP at the network layer - that's a firewall rule ... a drop or deny zone.

I would NOT use moodle config to block ... that's at the application layer.

'SoS', Ken

In reply to Ken Task

Re: Getting these messages from Moodle site to site admin

by Ken Task -
Picture of Particularly helpful Moodlers

Real example ... just a few minutes ago:

error log:
78.153.140.179 - - [09/Jul/2024:14:44:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"

404 is access denied.

clips from whois 78.153.140.179

netname:        HostGlobalPlus
country:        GB
remarks:        Geofeed https://hostglobal.plus/geofeeds.csv

I don't care to have my server participate in GB's geofeeds.

So the firewall command (this won't work on an Ubuntu box):
firewall-cmd --zone=drop --add-source=78.153.140.179

or the entire block of IP addresses:

firewall-cmd --zone=drop --add-source=78.153.140.0/24

As soon as I enter that in the firewall, my server goes dark to that IP or if I used the route ... ALL ip addresses in the range of 78.153.140.0/24

'SoS', Ken
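Ken's triage above is: pull the requests for dot files out of the access log, group them by source IP, check whether any Moodle account was last seen from that IP (so you don't firewall your own students), and only then consider a netblock rule. The script below does exactly that over log lines in the combined format quoted in this thread. It is an added example, not code from the thread or from Moodle: the log lines and the user rows are constructed (the two probing addresses are the ones quoted above, 203.0.113.7 is a documentation-range address standing in for a legitimate user), the in-memory list stands in for `SELECT username, lastip FROM mdl_user`, and the candidate netblock is the /14 Ken read off whois.

```python
"""Triage dot-file probes (/.env, /.git/config, ...) in a web server access log.

Added example for this thread, not Moodle code. All sample data is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Apache/Nginx "combined" log format. Constructed sample lines; the last one
# is deliberately malformed to show that unparsable lines are skipped.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [09/Jul/2024:14:40:01 +0000] "GET /login/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
78.153.140.179 - - [09/Jul/2024:14:44:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64)"
78.153.140.179 - - [09/Jul/2024:14:44:06 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64)"
41.248.170.219 - - [25/Jun/2024:00:05:32 +0000] "GET /public/.env HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jul/2024:14:45:10 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

# Stand-in for the Moodle user table (constructed rows; mdl_user has a lastip column).
SAMPLE_MOODLE_USERS = [
    {"username": "admin", "lastip": "203.0.113.7"},
    {"username": "student42", "lastip": "41.248.170.219"},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Any path segment that starts with "." is a hidden file or directory.
DOTFILE_RE = re.compile(r"(?:^|/)\.[^/]+")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_dotfile_probes(log_text):
    """Map source IP -> list of requested dot-file paths (query string ignored)."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if DOTFILE_RE.search(path):
            probes[rec["ip"]].append(path)
    return dict(probes)


def in_any_block(ip, cidrs):
    """True if ip lies inside one of the netblocks (e.g. the inetnum/route from whois)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def triage(log_text, moodle_users, candidate_blocks):
    """Per probing IP: paths requested, Moodle accounts last seen from that IP,
    and whether a proposed firewall netblock would also cover it."""
    report = {}
    for ip, paths in find_dotfile_probes(log_text).items():
        report[ip] = {
            "paths": paths,
            "matching_users": sorted(u["username"] for u in moodle_users if u["lastip"] == ip),
            "in_candidate_block": in_any_block(ip, candidate_blocks),
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_ACCESS_LOG, SAMPLE_MOODLE_USERS, ["41.248.0.0/14"]).items():
        print(ip, info)
```

A non-empty `matching_users` list is the caveat Ken raises: the probing address was also the last IP of a real account, so a rule dropping the whole netblock would cut that user off too. On a live server, feed the function the real log text and the rows from `mdl_user`, and keep the candidate blocks to what whois actually lists for the address.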

In reply to Ken Task

Re: Getting these messages from Moodle site to site admin

by Doulos Xavier -

I was checking the access logs; the entries are far too many... too many lines with nothing specific in particular.

In reply to Doulos Xavier

Re: Getting these messages from Moodle site to site admin

by Ken Task -
Picture of Particularly helpful Moodlers
In reply to Ken Task

Re: Getting these messages from Moodle site to site admin

by Doulos Xavier -
Hi Ken, thanks for pointing it out.  I am noticing the following (changed the values for privacy); this is running Moodle 4.0.2 (Build: 20220711)

[screenshot: image.png]

Another website that I manage has a separate setting; it is running Moodle 4.1.2+ (Build: 20230318).
The last option, 'Limited to authenticated users', is missing.

[screenshot: image (3).png]
In reply to Doulos Xavier

Re: Getting these messages from Moodle site to site admin

by Ken Task -
Picture of Particularly helpful Moodlers

While not a strict rule, it would be best for all, if poster would follow:

New issue - New original posting.

'SoS', Ken

In reply to Ken Task

Re: Getting these messages from Moodle site to site admin

by Visvanath Ratnaweera -
Picture of Particularly helpful Moodlers, Picture of Translators
I too think a course on "How to win friends and influence people in a forum (TM)" should be made compulsory for attending any Linux training course.
big grin
In reply to Ken Task

Re: Getting these messages from Moodle site to site admin

by Doulos Xavier -
The first screenshot shows the server (Moodle 4.0.2 (Build: 20220711)) where I don't have that feature, possibly a feature that was added later; the second server (Moodle 4.1.2+ (Build: 20230318)), where I have the feature and it is enabled, does not seem to have an issue... Now if this is the case, I have to move to a newer version, which is a project in itself.