panit

Well-Known Member
Aug 14, 2013
46
2
58
cPanel Access Level
Reseller Owner
I have a client on my dedicated server that uses a program on his PC to connect to his account on the server and make database changes. Prior to a few weeks ago that program never failed. But at that time the server was hit with a SYN-FLOOD attack and since then the program is failing with a 404. But the 404 only occurs on every 5th request. So if his program sends four requests it works fine. But if five or more are attempted it fails. The access log shows the connection from his IP, which is whitelisted in the firewall, and responses of 200 for the first four then a 404 for the fifth request. He can try again and it will work for the next five.

It seems like there must be some limit being imposed but SYNFLOOD is turned off in the firewall. Is there some other setting that would cause this? Nothing was changed during the attack, at least not on purpose, but the failures only started after it so something on the server is causing the problem.

My hosting provider is saying they want to turn off the firewall to test this but that is way too risky. They don't have any other suggestions and I'm hoping someone here might?

Using
Apache/2.4.54
WHM 104.0.5
Cloud Linux
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,570
2,612
363
cPanel Access Level
Root Administrator
Hey there! Turning off the firewall for a brief period of time that you have coordinated with the user is a valid test. Other options to consider may be custom settings inside CSF (if you're using that firewall tool) or Apache tools like mod_evasive that deny frequent requests from the same address.
 

panit

Thank you very much for your reply. I was not aware that mod_evasive was installed. The date on its file was 2018 so it has been there for a while. But it was not causing a problem with this site prior to the SYN-FLOOD attack, so a tech must have enabled it while that was going on.
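
One way to confirm from the access log that a client's failures follow a fixed request count, as described in the first post, before touching the firewall (added example, not from the thread; the log lines, IP addresses and URL path are constructed, and the log is assumed to be in Apache common/combined format):

```python
import re
from collections import defaultdict

# Start of an Apache common/combined log line: client IP ... "request" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def failure_pattern(log_lines, ok_statuses=(200,)):
    """Per client IP, return (total requests, 1-based positions of non-OK
    responses, period). period is N when every Nth request failed, else None."""
    statuses = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in the expected format
            statuses[m.group(1)].append(int(m.group(2)))
    report = {}
    for ip, seq in statuses.items():
        bad = [i for i, s in enumerate(seq, start=1) if s not in ok_statuses]
        # Distance, in requests, from the start or previous failure to each failure.
        gaps = {b - a for a, b in zip([0] + bad, bad)}
        # One repeated gap across at least two failures points to a count-based
        # limit (a rate limiter) rather than a missing file or an application bug.
        period = gaps.pop() if len(bad) >= 2 and len(gaps) == 1 else None
        report[ip] = (len(seq), bad, period)
    return report

def _line(ip, sec, status):
    # Constructed sample line; the path and timestamp are placeholders.
    return (f'{ip} - - [01/Jan/2023:10:00:{sec:02d} +0000] '
            f'"POST /api/update.php HTTP/1.1" {status} 512')

# Constructed sample: one client failing on every 5th request, one failing irregularly.
SAMPLE_LOG = [_line("203.0.113.10", i, 404 if i % 5 == 0 else 200) for i in range(1, 11)]
SAMPLE_LOG += [_line("198.51.100.7", i, s)
               for i, s in enumerate([200, 404, 404, 200], start=20)]

if __name__ == "__main__":
    for ip, (total, bad, period) in failure_pattern(SAMPLE_LOG).items():
        verdict = f"fails every {period} requests" if period else "no fixed period"
        print(f"{ip}: {total} requests, failures at {bad}: {verdict}")
```
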