The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Apache is being attacked!

Discussion in 'EasyApache' started by trparky, Dec 23, 2005.

  1. trparky

    trparky Well-Known Member

    Apr 23, 2003
    Likes Received:
    Trophy Points:
    Note to Moderators, if this post doesn't belong here, please move to the appropriate forum and remove this tag.

    We are having a situation in which four of our servers are under a denial of service attack. The way we know this is that when we do a NETSTAT printout, there is like 250 connections of the same IP address all targeting Apache.

    An example of a NETSTAT printout is this...
    tcp 0 519 FIN_WAIT1

    This of course consumes all of the HTTP connection slots and doesn't allow any legitimate traffic to flow to Apache.

    The problem is that we firewall one IP with IPCHAINS and then a couple of hours later, they attack from a different IP. There is no way to predict where they will attack.

    We tried Mod_Evasive with the following settings...
    <IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 30
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 600
    DOSSystemCommand "/sbin/iptables -A INPUT -s %s -j DROP"
    DOSLogDir "/var/log/evasive"
    But that didn't help at all. Nothing in the log file I configured Mod_Evasive to write to.

    Do you have any other suggestions for this issue?
  2. Murtaza_t

    Murtaza_t Well-Known Member

    Jan 24, 2005
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Website Owner
    Well it should be only one site on your server that has been under attact, you can try to find that site in the domlogs of your server, try the following :
    ]# cd /usr/local/apache/domlogs
    ]# grep -l '' * -R
    you will get the list of files that contains that IP in it. You can just cat or tail to see extactly which page on the server is facing attact.... normally these are forums
  3. rpmws

    rpmws Well-Known Member

    Aug 14, 2001
    Likes Received:
    Trophy Points:
    back woods of NC, USA
    I hve seen apache restart from floods lately .. all starting about the last 4-5 days or so. 3 boxes changes. I use the httpd-status and get reading????.... on like 200 lines. I see the same deal with netstat. I block them and they hit me again. My biggest problem is I whois on one of the IPs and it came back as or something to that nature. Never seen a bot take down apache. Not sure what's up myself. Can't find the site that the traffic is coming to's like they are hitting main IP with port 80. Can't delete that domain.
  4. rochen

    rochen Active Member

    Mar 5, 2002
    Likes Received:
    Trophy Points:
    The problem we were having which trparky discussed above, is that they were not simply attacking one IP address. About 10 - 20 different IP addresses bound to each of the servers were being attacked, some of which weren't even hosting websites.

    Anyway, we have put in place some additional firewall rules and we haven't had any problems for around 24 hours now, so fingers crossed that this issue is resolved.

    Merry Christmas to everyone! :)

Share This Page