The Community Forums

Interact with an entire community of cPanel & WHM users!

server under attack need to stop now

Discussion in 'General Discussion' started by fishfreek, Oct 29, 2007.

  1. fishfreek (Well-Known Member, joined Jan 2, 2004)

    For the last 24 hours I have been fighting an apparent DoS attack on a domain I have hosted. This attack is calling for very strange URLs. I was using mod_security, and I need to figure out a rule set that will block these requests.

    Now I am somewhat unsure if mod_security is even installed and working after I rebuilt Apache last night.

    The requests are multiple requests per second from multiple IPs. It seems like I could ban IPs from now until next year with no help. The requests look like this.
     
  2. claudio (Well-Known Member, joined Jul 31, 2004)

    In my opinion you should put a rule in your firewall to block all IPs and let through just one or two subnets, such as the ones from you and your customers (country).

    Then you can narrow this down with more calm.

    Your log seems to be in a different charset?

    If this DDoS is directed at Apache, you can turn Apache off for a little while while you prepare your firewall.

    If the incoming Mbits are more than 10, then you should contact your NOC or datacenter to see if they can help with a packet nullifier.

    Regards,

    claudio
     
  3. fishfreek (Well-Known Member, joined Jan 2, 2004)

    Thank you for your response. I don't know if I can easily block all IPs other than my clients', as they are all operating web services that need to be open to the entire US and internationally. The IPs that these calls are coming from do not appear to be from a single country either.

    The charset that you're describing is, I guess, from my initial message. That is exactly how the web requests appear in the Apache status and in the web logs themselves. Here is another example:

     
  4. nyjimbo (Well-Known Member, joined Jan 25, 2003; New York)

    If you can't readily block via a mod_security rule, you should at least try to see if blocking via IP helps at all. We had an attack a few months ago and only needed to block 20 IPs until we got control of it. Later on we came up with a better method, but it's likely you can at least reduce the impact from a small botnet with just IP rules for now.
     
  5. claudio (Well-Known Member, joined Jul 31, 2004)
  6. rpmws (Well-Known Member, joined Aug 14, 2001; back woods of NC, USA)

    chirpy's CSF/LFD will watch for multiple offending IPs in the mod_sec logs and block them for you at the IP level. It will block all access from those IPs. Works great.
     
  7. fishfreek (Well-Known Member, joined Jan 2, 2004)

    I have mod_security working again, but I don't understand enough about the ruleset to create a rule to block these requests. I see some of these requests being blocked at the mod_security level, but they seem to be only the requests where the % sign is repeated in the GET request. All the other characters that might be used don't get blocked, so I don't know how to write the rule.

    I'm interested in chirpy's CSF/LFD. I have the APF firewall installed now and use the BFD service to monitor other logs, and I always wanted to somehow integrate BFD with the mod_security log. This CSF/LFD might work once I can figure out how to compose some mod_security rules. So far I have just the standard WHM/cPanel supplied rules enabled.
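An added worked example, not code from this thread, from cPanel or from CSF/LFD, of the two things the posts above are reaching for: a heuristic for the oddly encoded URLs fishfreek describes (not just repeated `%` signs, but any `%` that is not followed by two hex digits, unusually heavy percent-encoding, and raw non-ASCII bytes, which would explain the "different charset" look in the log), and the CSF/LFD-style step of turning a burst of such hits from one IP into a firewall block. The log lines are constructed (RFC 5737 documentation addresses), the thresholds are assumptions to tune per site, and the generated `iptables` commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format access-log lines (the real lines
# did not survive extraction of the original post). 203.0.113.5 sends a burst of
# oddly encoded URLs, 198.51.100.7 sends the same thing but slowly, and
# 192.0.2.10 is ordinary traffic, including a legitimately encoded UTF-8 query.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Oct/2007:10:00:00 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2007:10:00:01 -0500] "GET /index.php?id=%%%%%%%%a HTTP/1.0" 404 220 "-" "-"
203.0.113.5 - - [29/Oct/2007:10:00:01 -0500] "GET /%u0041%u0041%zz HTTP/1.0" 404 220 "-" "-"
203.0.113.5 - - [29/Oct/2007:10:00:02 -0500] "GET /cgi-bin/%%x%%x%%x HTTP/1.0" 404 220 "-" "-"
203.0.113.5 - - [29/Oct/2007:10:00:02 -0500] "GET /%E0%B8%AA%E0%B8%AA%E0%B8%AA%E0%B8%AA HTTP/1.0" 404 220 "-" "-"
203.0.113.5 - - [29/Oct/2007:10:00:03 -0500] "GET /?%%%% HTTP/1.0" 404 220 "-" "-"
203.0.113.5 - - [29/Oct/2007:10:00:04 -0500] "GET /a%%b HTTP/1.0" 404 220 "-" "-"
198.51.100.7 - - [29/Oct/2007:10:00:01 -0500] "GET /?q=%% HTTP/1.0" 404 220 "-" "-"
198.51.100.7 - - [29/Oct/2007:10:05:30 -0500] "GET /?q=%% HTTP/1.0" 404 220 "-" "-"
198.51.100.7 - - [29/Oct/2007:10:11:00 -0500] "GET /?q=%% HTTP/1.0" 404 220 "-" "-"
192.0.2.10 - - [29/Oct/2007:10:00:05 -0500] "GET /search?q=caf%C3%A9 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not a valid access-log record
"""

# Apache "combined" log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
MALFORMED_ESCAPE = re.compile(r'%(?![0-9A-Fa-f]{2})')   # "%" not followed by two hex digits
VALID_ESCAPE = re.compile(r'%[0-9A-Fa-f]{2}')


def parse_line(line):
    """Return a dict (ip, ts, method, url, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "url": m.group("url"),
        "status": int(m.group("status")),
    }


def is_suspicious(url, max_escapes=8):
    """Heuristic for the 'very strange URLs' described in the thread (thresholds are assumptions)."""
    if MALFORMED_ESCAPE.search(url):                  # %%, %zz, %u0041 and friends
        return True
    if len(VALID_ESCAPE.findall(url)) >= max_escapes:  # raise max_escapes on sites with non-ASCII paths
        return True
    return any(ord(c) > 127 for c in url)              # raw high bytes in the request line


def offenders(log_text, threshold=5, window_seconds=10):
    """Map IP -> total suspicious hits for IPs that sent `threshold` suspicious
    requests within any `window_seconds` span (a sliding window over sorted timestamps)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec["url"]):
            continue
        hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(stamps)
                break
    return flagged


def block_commands(flagged):
    """Firewall commands for the flagged IPs, returned rather than executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    for cmd in block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

With the defaults, only 203.0.113.5 is flagged: 198.51.100.7 sends the same malformed query but only three times over eleven minutes, and the `caf%C3%A9` request from 192.0.2.10 is well-formed encoding and passes. The same heuristic expressed as a mod_security rule would be a `SecRule REQUEST_URI` with the `MALFORMED_ESCAPE` pattern above; the per-IP counting is what LFD adds on top of that.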
     
  8. fishfreek (Well-Known Member, joined Jan 2, 2004)
  9. rpmws (Well-Known Member, joined Aug 14, 2001; back woods of NC, USA)

    That one has some goodies in it :) It's almost as big as mine, but this one has stuff in it that I am going to use. Nice find!!!
     
  10. fishfreek (Well-Known Member, joined Jan 2, 2004)

    It did seem to catch some more of those requests, but not all of them. Indeed it seems to do a lot, and I plan on continuing to make sure it's not too aggressive.
     
  11. hostmedic (Well-Known Member, joined Apr 30, 2003; Washington Court House, Ohio, United States; cPanel Access Level: DataCenter Provider)

    Old thread, but... how do I?

    Is it possible to have the server ignore an IP range?
    We have a client that makes multiple requests to their own box...
    some wget / lynx and a few others.

    Is there a way to ignore their IP range for this?

    Generally most of our stuff uses hardware firewalls, but that is out of this client's budget
    ...

    #11 hostmedic, Jan 2, 2008
    Last edited: Jan 2, 2008
  12. troxalias (Well-Known Member, joined Nov 21, 2001; Athens - Greece)
  13. Tam (Well-Known Member, joined Jul 31, 2004)

    The dos_evasive mentioned can be useful; this script is a tad better though ... http://deflate.medialayer.com/ (configure it to allow 300 connections; anything over that from a single IP will get blocked).

    mod_security would help, but if you don't know whether it is installed or working, that's another issue. You could use the ruleset (with automated daily updates) at gotroot.com, but they tend to be very anal and can cause more trouble. If you get mod_security installed there are some good rulesets out there; we are proactive and watch for errors that can be used to formulate new rulesets.

    If you don't have a software firewall installed such as CSF, then you have to get that done ASAP (it's almost totally irresponsible not to). Someone mentioned that CSF will block IPs that trigger multiple mod_security hits, but that is dependent on you having a decent set of mod_sec rules in place. CSF can also help block DoS attacks as DoS-Deflate does and dos_evasive is supposed to. You will need to have iptables installed for CSF to work, though.

    There is nothing to stop you from using all of these at the same time; in fact it would be more prudent for you to do so.

    The fact that you have implied uncertainties where your security is involved suggests that you really need to get a grip on that and learn what to install (rebuilding Apache is not likely to help), how to configure it and what to do next (starting from your httpd and PHP configuration down to DoS protection and firewall). There are an awful lot of people running servers and VPSs poorly that cause the rest of us more trouble because they do not get to grips with their security. If you don't act now, you may end up with a highly compromised box or VPS, which will cause you more hair loss than anything.

    You didn't mention if you are running a dedicated server or a VPS.
     
  14. brianoz (Well-Known Member, joined Mar 13, 2004; Melbourne, Australia; cPanel Access Level: Root Administrator)

    A server can, of course, ignore an IP range, or ignore faults from an IP range. If you mean ignore false errors from mod_security, CSF has a file csf.allow which you can list IPs in, or add to it with the command "csf -a IPADDRESS optional-comment-text".

    Once an IP is allowed it will never be blocked by CSF, although CSF [actually LFD] will complain a little!

    #14 brianoz, Jan 6, 2008
    Last edited: Jan 6, 2008
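An added worked example, not code from this thread, from DoS-Deflate or from CSF, covering Tam's "allow N connections per IP, block anything over that" rule and hostmedic's question, answered by brianoz above, of exempting a client's own IP range from that blocking. It counts current connections per remote address from `netstat -ntu` output and checks the hot addresses against an allowlist kept in the one-entry-per-line style of csf.allow. The netstat records and allowlist entries are constructed (RFC 5737 / RFC 3849 addresses); the threshold of 300 follows the post, and the sample uses a lower one only so the constructed input stays small; the `csf -d` commands are returned as strings, not executed.

```python
import ipaddress
from collections import Counter


def _conn(ip, port):
    # One constructed "netstat -ntu" record; only the Foreign Address column is used below.
    return f"tcp        0      0 10.0.0.5:80             {ip}:{port}       ESTABLISHED"


# Constructed netstat output: a flood from one address, a customer hammering
# their own box from an allowlisted range, one ordinary visitor, and one IPv6
# peer to show that the port is split off the last colon only.
SAMPLE_NETSTAT = "\n".join(
    ["Active Internet connections (w/o servers)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    + [_conn("203.0.113.5", 40000 + i) for i in range(12)]
    + [_conn("198.51.100.7", 50000 + i) for i in range(15)]
    + [_conn("192.0.2.10", 60000)]
    + ["tcp6       0      0 2001:db8::5:80          2001:db8::99:33333      ESTABLISHED"]
)

# Constructed entries in the style of csf.allow: one IP or CIDR per line,
# optional "# comment". Hypothetical values, not a real server's file.
SAMPLE_ALLOW = """\
# customer's monitoring range; never block
198.51.100.0/24 # wget/lynx checks from their own box
10.0.0.0/8
"""


def parse_allowlist(text):
    """csf.allow-style text -> list of ip_network objects (single IPs become /32 or /128)."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_allowed(ip, nets):
    """True if `ip` falls inside any allowlisted network (address families never cross-match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def connections_per_ip(netstat_text):
    """Counter of remote address -> open tcp/udp connections, from `netstat -ntu` output."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                                  # header lines, blank lines
        host = fields[4].rsplit(":", 1)[0]            # strip ":port"; safe for IPv6 literals
        counts[host] += 1
    return counts


def ips_to_block(netstat_text, allow_text, threshold=300):
    """Addresses at or over `threshold` concurrent connections that are not allowlisted."""
    nets = parse_allowlist(allow_text)
    counts = connections_per_ip(netstat_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and not is_allowed(ip, nets))


def deny_commands(ips, reason="connection flood"):
    """CSF deny commands (csf -d IP comment) for the chosen addresses, returned rather than run."""
    return [f'csf -d {ip} "{reason}"' for ip in ips]


if __name__ == "__main__":
    for cmd in deny_commands(ips_to_block(SAMPLE_NETSTAT, SAMPLE_ALLOW, threshold=10)):
        print(cmd)
```

With threshold 10, the customer at 198.51.100.7 has more open connections than the attacker but is skipped because of the allowlist, which is the behaviour brianoz describes for csf.allow. A cron-driven version would pipe real `netstat -ntu` output in; keep the allowlist short and explicit, since an over-broad range here silently disables the protection for everything inside it.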
  15. IPSecureNetwork (Well-Known Member, joined May 28, 2005)

    Guys, against a real DDoS, with DoS evasive, mod_security and all you want to install, you will do nothing; the box will be brought down again and the story will be repeated.

    You must ask your provider if they can configure and give you a hardware firewall to mitigate these issues.

    You can rate-limit your service ports; it will decrease the attack, but if the DDoS still continues and is really a DDoS, I recommend you go with a good provider with DDoS protection to deal with this.
     
  16. katmai (Well-Known Member, joined Mar 13, 2006; Brno, Czech Republic)

    I second this.

    A box cannot handle more than 20,000 IPs blocked and still work properly, and when I say a box, I am talking about a quad Core 2 Duo with 4 GB RAM, so take it as a point of reference.

    The max I could have was 25,000 IPs blocked with the service still somewhat normal. Beyond that ... you're offline. So ... ISP + hardware firewall.
     