My Linode’s IP is on a blocklist. What happened?
The most common causes for an IP address ending up on a blacklist are the following:
- Potentially malicious activity like port scanning or brute force attacks
- Reports of spam coming from your server's IP address
As a first step, you may want to make sure your server is not doing something you're not aware of like brute forcing other servers, scanning other servers or sending out a ton of spam.
You can start investigating this by auditing the following log files and writable directories:
- /var/log/auth.log : Check this log file for signs of unauthorized access and brute-force attempts. Use the ‘last’ command to cross reference recent account logins with this file.
- /tmp : This directory is often used by malicious parties to store files
- Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.
- ps aux : Use this command to audit running processes for foreign processes
You might also want to run a tcpdump and look for any unusual traffic. Make sure you exclude your SSH session when you run a tcpdump, otherwise you're going to get a lot of useless output. Here's an example of a tcpdump that excludes your SSH session:
tcpdump -ni eth0 not host $YourIpAddress
You might also want to scan your server for malware with ClamAV.
If you determine your mailing campaign is putting your IP address on a blacklist, we have another great post you may want to check out.
Another possibility is this IP address ended up on a blacklist before it was assigned to you. If that's the case, you'll want to go through the steps to remove your IP address from the blacklist. If you have an issue getting delisted with the RBL administrators or the RBL requires that an ISP contact them for removal, you can open a Support Ticket for further assistance.
As a last resort, Linode Support may consider issuing you a new IP address but please understand this action is the exception and not the rule—every effort to delist the IP must be taken first.
Here's a great tool to check if you're currenty on a blacklist.