Problems with server attacks on port 80

kostianev

Dear, we are experiencing very big problems with server attacks. We receive a lot of attacks via HTTP on port 80 and our server stops working. Maybe DDoS attacks or something like this. First we received the attacks from Turkey; after we blocked all networks there from accessing the web server, this morning we are receiving attacks from Germany.

How can we defend against these attacks? We have a lot of clients' websites on our server and they stop working for a while a few times every day. I took a look at the WHM administration and see this in the daily process log:

Code:
/usr/lib/jvm/jre-1.8.0/bin/java -server -Xms512m -Xmx512m -XX:NewRatio=3 -XX:SurvivorRatio=4 -XX:TargetSurvivorRatio=90 -XX:MaxTenuringThreshold=8 -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:ConcGCThreads=4 -XX:ParallelGCThreads=4 -XX:+CMSScavengeBeforeRemark -XX:PretenureSizeThreshold=64m -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSInitiatingOccupancyFraction=50 -XX:CMSMaxAbortablePrecleanTime=6000 -XX:+CMSParallelRemarkEnabled -XX:+ParallelRefProcEnabled -XX:-OmitStackTraceInFastThrow -verbose:gc -XX:+PrintHeapAtGC -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime -Xloggc:/home/cpanelsolr/server/logs/solr_gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=9 -XX:GCLogFileSize=20M -Dsolr.log.dir=/home/cpanelsolr/server/logs -Djetty.port=8984 -DSTOP.PORT=7984 -Dhost=127.0.0.1 -Duser.timezone=UTC -Djetty.home=/home/cpanelsolr/server -Dsolr.solr.home=/home/cpanelsolr/server/solr -Dsolr.install.dir=/home/cpanelsolr -Xss256k -Dsolr.autoSoftCommit.maxTime=3000 -Dsolr.log.muteconsole -XX:OnOutOfMemoryError=/home/cpanelsolr/bin/oom_solr.sh 8984 /home/cpanelsolr/server/logs -jar start.jar --module=http

If this is something connected with this problem, can someone help us?
 

ES - George

The Java process you mentioned here is completely normal. It's part of cPanel; the links below reinforce this:

64 Release Notes - Version 64 Documentation - cPanel Documentation
What is cpanelsolr? How did it get installed?

To the matter in hand:

I'd recommend checking your domlogs (domain logs) which may reveal something helpful if a specific domain is being targeted. You can find them at /usr/local/apache/domlogs/. It could be something as simple as an old and forgotten file being hit by bots (we had this just last week with a customer) or an attack that's specifically targeted at a domain (possibly DDoS, like you said). It wouldn't be fair of me to lead you up the garden path any further though, as there could be any number of things going on here.

There are options available which can help to mitigate the effects of attacks, such as CSF (ConfigServer Firewall), CloudFlare, etc. However, I would really suggest getting a better understanding of what the issue is first.

If you're completely unsure of where to look, my suggestion would be to consult with qualified systems administrators, who, at the very least, should be able to provide you with an understanding of exactly what's going on:

System Administration Services | cPanel Forums
 

kostianev

Thank you for the reply.
The requests are of this kind:

IP - - [04/Dec/2018:08:27:00 +0100] "GET /?803 HTTP/1.1" 408 221 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
IP - - [04/Dec/2018:08:27:00 +0100] "GET /?1228 HTTP/1.1" 408 221 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
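
One way to act on the domlogs suggestion for the request shape quoted above, as an added example that is not part of any post in this thread: it counts `GET /?<number>` requests per client IP and per minute and tracks how many ended in 408 (Request Timeout). The `summarize` function, the `min_hits` threshold and the sample lines with documentation-range IPs are assumptions of this example.

```python
import re
import sys
from collections import Counter

# Apache "combined" log line, the format of the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Request shape from the thread: the site root with a bare numeric query (/?803).
NUMERIC_QUERY_RE = re.compile(r'^/\?\d+$')

def summarize(lines, min_hits=3):
    """Count flood-like requests per client IP and per minute.

    Returns (suspects, per_minute). suspects maps each IP with at least
    min_hits matching requests to {"hits": n, "timeouts": n_408}.
    """
    hits, timeouts, per_minute = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not NUMERIC_QUERY_RE.match(m["path"]):
            continue  # unparseable line or ordinary traffic
        hits[m["ip"]] += 1
        if m["status"] == "408":          # 408 = Request Timeout
            timeouts[m["ip"]] += 1
        per_minute[m["ts"][:17]] += 1     # truncate to dd/Mon/yyyy:HH:MM
    suspects = {ip: {"hits": n, "timeouts": timeouts[ip]}
                for ip, n in hits.items() if n >= min_hits}
    return suspects, dict(per_minute)

# Constructed sample lines (documentation-range IPs), not taken from a real log.
_UA = '"-" "Mozilla/5.0 (constructed)"'
SAMPLE = [
    f'203.0.113.10 - - [04/Dec/2018:08:27:00 +0100] "GET /?803 HTTP/1.1" 408 221 {_UA}',
    f'203.0.113.10 - - [04/Dec/2018:08:27:00 +0100] "GET /?1228 HTTP/1.1" 408 221 {_UA}',
    f'203.0.113.10 - - [04/Dec/2018:08:27:01 +0100] "GET /?77 HTTP/1.1" 408 221 {_UA}',
    f'203.0.113.10 - - [04/Dec/2018:08:28:02 +0100] "GET /?91 HTTP/1.1" 200 5120 {_UA}',
    f'198.51.100.7 - - [04/Dec/2018:08:28:05 +0100] "GET /?5 HTTP/1.1" 200 5120 {_UA}',
    f'192.0.2.44 - - [04/Dec/2018:08:28:09 +0100] "GET /index.php?id=3 HTTP/1.1" 200 912 {_UA}',
]

if __name__ == "__main__":
    # With a domlog path as argument, analyse that file; otherwise the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(summarize(fh, min_hits=20))
    else:
        print(summarize(SAMPLE))
```

Running it against each file under /usr/local/apache/domlogs/ shows which domain is receiving the pattern and which addresses send it, which is the information a firewall or upstream proxy rule would need.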
 

GOT

The logs indicate an out of memory error, which is not unexpected if you are getting a DoS attack.

There really isn't a ton that can be effectively done at the server level. If you have sites that are very prone to these kinds of attacks, you should probably use a service like cloudflare.com to protect them.
 

cPanelLauren

Product Owner
Staff member
The responses by both @ES - George and @GOT here are correct. Ultimately, if you're unsure, the previous suggestion to seek the assistance of a qualified system administrator would be the best route.

Thanks!