The Community Forums


First aid for DDOS attack on port 80

Discussion in 'General Discussion' started by sibinkc, Jun 3, 2007.

  1. sibinkc

    sibinkc Member


    We can use the following steps to recover our server from a DDOS attack on port 80. To do this you must be logged into the server as the root user.

    Step 1: Install/Configure APF firewall

    a) If there is no firewall installed on the server, please install one; you will find the steps and directions at the following site.

    http://www.webhostgear.com/61.html

    b) Turn on the antidos option (USE_AD) in the APF conf file

    # vi /etc/apf/conf.apf

    USE_AD="1"

    Step 2: Install/Configure mod_evasive (for Apache 1.3.x)

    mod_evasive and mod_dosevasive are the same module.

    a) Install mod_evasive

    # wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
    # tar -xzvf mod_evasive_1.10.1.tar.gz
    # cd mod_evasive
    # /usr/local/apache/bin/apxs -i -a -c mod_evasive.c
    # /etc/init.d/httpd restart

    b) Also include the following lines in the Apache conf file

    # vi /usr/local/apache/conf/httpd.conf

    -------------------------------------------------
    <IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    </IfModule>
    -------------------------------------------------

    c) Restart the webserver

    # /etc/init.d/httpd restart

    Step 3: Install mod_security

    Normally we can find/install this module from WHM:
    WHM >> cPanel >> Addon Modules >> Select "modsecurity" >> Save

    Step 4: Blocking IPs

    a) Find the IPs that have established a connection with the server

    (The following command is the better one for getting the IPs, as it sorts them by the number of connections.)

    # netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    b) Block them using IPTABLES

    # iptables -I INPUT -s 218.92.207.28 -j DROP
    # service iptables save
    # service iptables restart

    c) Block them on APF too

    # vi /etc/apf/deny_hosts.rules
    <Add the IPs at the end>

    # service apf restart

    Step 5: Optimizing the httpd.conf file

    # vi /usr/local/apache/conf/httpd.conf

    Change the options below as follows; the original values are shown in brackets.

    MaxKeepAliveRequests 50 (100)
    KeepAliveTimeout 60 (30)

    Also edit the following options according to the situation.

    Timeout
    KeepAlive
    MinSpareServers
    MaxSpareServers
    MaxClients

    Step 6: Install/Configure 3rd party DDOS prevention tools

    We can also use the most trusted 3rd-party script 'DDoS-Deflate' for preventing DDOS attacks effectively.
    Steps to install this script are as follows.

    # wget http://www.inetbase.com/scripts/ddos/install.sh
    # sh install.sh

    Add the script '/usr/local/ddos/ddos.sh' to cron as follows:

    # crontab -e

    */5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1

    Step 7: Suspend websites

    Check the bandwidth usage of all the domains and suspend the high-bandwidth-consuming domains for a while.

    PERMANENT WAY TO FIX THE DDOS ATTACK

    As we all know, software has its own limitations in preventing DDOS attacks; we can follow these steps to cure it permanently.

    1. Ask the NOC to attach a Cisco Guard to the server for 24 hours
    (normally this service is free from most NOCs)

    2. Attach a hardware firewall to the server

    Hope this will help you in such a situation :)
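The Step 4 netstat pipeline, reworked here as an added shell example that is not from the original post: it skips netstat's two header lines and any line without a fifth field (which the raw awk/cut pipeline counts under an empty key), strips only the trailing port so IPv6 and IPv4-mapped peers are not thrown away by `cut -d: -f1`, drops wildcard peers from listening sockets, and lists the hosts at or above a review threshold. The netstat sample is constructed, and the function names and threshold are my own assumptions.

```shell
#!/bin/sh
# Constructed sample of "netstat -ntu" output (not captured from a real host):
# the two header lines netstat prints, three IPv4 peers, one IPv4-mapped IPv6
# peer, and two wildcard peers from sockets that have no remote side.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:198.51.100.7:51237 ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Read netstat output on stdin and print "<count> <remote-ip>", busiest first.
# Differences from "awk '{print $5}' | cut -d: -f1":
#  - the two header lines and any line without a 5th field are skipped instead
#    of being counted under an empty key,
#  - only the trailing ":port" is removed, so IPv6 addresses survive,
#  - "::ffff:" IPv4-mapped peers are folded into their plain IPv4 form,
#  - wildcard peers (0.0.0.0, ::) from listening sockets are dropped.
count_remote_ips() {
    awk 'NR > 2 && NF >= 5 { print $5 }' \
    | sed -e 's/:[0-9*]*$//' -e 's/^::ffff://' \
    | grep -Ev '^$|^0\.0\.0\.0$|^:::?$' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Filter count_remote_ips output down to the IPs at or above a threshold,
# one per line, so they can be reviewed before going into a deny list.
ips_at_or_above() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# Live usage (the threshold is an assumption; tune it to the host's normal load):
#   netstat -ntu | count_remote_ips | ips_at_or_above 100
```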
     
  2. kernow

    kernow Well-Known Member

    Some good tips there. :)
     
  3. persianwhois

    persianwhois Well-Known Member

    Great :)
    Useful topic.
     
  4. persianwhois

    persianwhois Well-Known Member

    Here is my evasive config.
    Is this correct?

    <IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 100000
    DOSEmailNotify mydos@hostserver24.us
    </IfModule>
     
  5. sibinkc

    sibinkc Member

    #5 sibinkc, Jun 15, 2007
    Last edited: Jun 15, 2007
  6. Tina

    Tina Well-Known Member

    Hello and thank you for your contribution.

    I am wondering whether "Install/Configure 3rd party DDOS prevention tools" will conflict in any way with the CSF add-on by Chirpy (Johnathan)?
     
  7. sibinkc

    sibinkc Member

    Hi Tina,


    In my observation, no. If you feel it does, we can uninstall the 3rd-party tool by simply downloading the following file and running it.

    http://www.inetbase.com/scripts/ddos/uninstall.sh

    Also remove the relevant cron entry manually using 'crontab -e'.
     
  8. persianwhois

    persianwhois Well-Known Member

    How can I test mod_evasive? To check whether it works fine or not.
     
  9. Solokron

    Solokron Well-Known Member

    Viewing the documentation and the conf file for DDoS Deflate, it appears it is designed to work in conjunction with APF.
     
  10. persianwhois

    persianwhois Well-Known Member

    Best value for evasive and ddos

    Hello,
    What is the best value for ddos.conf:
    Code:
    ##### Number of seconds the banned ip should remain in blacklist.
    BAN_PERIOD=1800
    and for mod_evasive:
    Code:
    DOSBlockingPeriod 1800
    Help me please. I touched the default value!!!
     
  11. persianwhois

    persianwhois Well-Known Member

    Unable to install anti-DoS program

    Hello,
    Some files of the previous anti-DoS program were removed and I tried to install it again,
    but I am unable to install anti-DoS.

    [root@server ~]# wget http://www.inetbase.com/scripts/ddos/install.sh
    --08:44:51-- http://www.inetbase.com/scripts/ddos/install.sh
    => `install.sh'
    Resolving www.inetbase.com... 205.234.99.83
    Connecting to www.inetbase.com|205.234.99.83|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1,067 (1.0K) [application/x-sh]

    100%[====================================>] 1,067 --.--K/s

    08:44:54 (84.80 MB/s) - `install.sh' saved [1067/1067]

    [root@server ~]# sh install.sh


    Please un-install the previous version first

    How can I uninstall the previous version?
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  13. persianwhois

    persianwhois Well-Known Member

    I need to run /usr/local/ddos/ddos.sh with cron every 1 second.
    Please make a cron for me.
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  15. pacificw

    pacificw Well-Known Member

    Nice info, well documented.

    the one sure fire way to make sure you don't end up
    with a ddos on port 80 is not to tick off the person
    with a botnet. :P
     
  16. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  17. pacificw

    pacificw Well-Known Member

    Thanks for the article, Infopro.. it was quite interesting. I couldn't agree more: there is NO good reason for a ddos attack. Back in the late 80's / early 90's I had quite a successful hosting biz. We ran for close to 9yrs straight, until some little punk kids came down the block once and found out that I was a "woman" and they couldn't stand the thought of a hosting biz being run by a woman.. I ended up getting ddos'd so badly that, after 9 months and thousands later in high BW bills, I had to shut down. Back then, we had no fancy software or deluxe hardware firewalls to stop such attacks. Most times, all we could do was remove the IP or shut the box off completely until it was over with.. usually after an hour or so of them hammering a dead connx they'd quit. But they'd watch and wait for it to come back up and start up all over again. I lost not only what I enjoyed but financially it ruined me. I did end up working with the local FBI unit for months afterwards helping them detect and shut down other botnets.. ironic: the one that attacked me was attacked themselves :) and were finally put out of the botnet biz by someone else. Oh well, there is justice at times..

    sorry for the OT.
     
  18. CaMer0n

    CaMer0n Well-Known Member

  19. persianwhois

    persianwhois Well-Known Member

    Help Me!

    Oh my god! Our server has been down for 3 days. :(
    The attacker f***ed me. I installed APF, mod_evasive, anti-DoS and a Cisco hardware firewall to block the DoS attack!
    But the attacker DoSed my server and brought it down.
    POP and FTP stopped and will not start. I think POP and FTP were attacked!
    Why does the red section have no IP?!

    POP3 traffic (netstat):
    1 217.219.17.71
    170

    FTP traffic (netstat):
    1 0.0.0.0
    1 217.219.94.229
    1 62.193.19.66
    3 82.208.10.21
    7 68.115.187.125
    8 66.228.119.70
    28 67.55.128.183
    46



    Some top HTTP connections at one time:
    125.137.87.169 with 752 connections
    122.47.129.60 with 535 connections
    219.254.39.204 with 525 connections
    218.39.193.100 with 512 connections
    83.28.167.121 with 221 connections
    88.212.7.35 with 485 connections
    211.211.50.123 with 386 connections
    219.248.42.90 with 617 connections


    APF blocks 25 IPs per second. The attack is very heavy!
    Please help me to resolve this problem.
     
    #19 persianwhois, Oct 5, 2007
    Last edited by a moderator: Oct 6, 2007
  20. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member


    Indeed. Great stuff. More people should use this.
     