The Community Forums


Spiders/Bots crashing server - load 675!

Discussion in 'General Discussion' started by jeroman8, Mar 17, 2005.

  1. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    When I check the logs for the account that is being attacked, latest 300 visitors,
    it always show the agent "xoxoxoxoxo".

    The IP address is not the same all the time.
    There's like 10K hits with one IP and then 3K hits with another and it doesn't
    help blocking these IP's.
    The attack came back today after 7 day rest.

    When suspending this account or just stopping apache the load is fine.
    I have tried using robots.txt to block but it doesn't help.
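    The check the original poster is doing by hand (scanning the account's access log for the "xoxoxoxoxo" agent and noticing that the source IPs keep changing) can be scripted. The following is an added example, not code from the thread or from cPanel; it assumes the account's access log is in Apache combined format, and the log lines inside it are constructed samples, not the poster's real traffic. It counts hits per user agent and per IP and flags agents whose traffic is spread over several source addresses, which is exactly the pattern where blocking one IP at a time does not help.

```python
import re
from collections import Counter

# Apache "combined" log format (assumption: the account's access log uses it)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines, not taken from the thread's server
SAMPLE_LOG = """\
10.0.0.1 - - [17/Mar/2005:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "xoxoxoxoxo"
10.0.0.1 - - [17/Mar/2005:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "xoxoxoxoxo"
10.0.0.2 - - [17/Mar/2005:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "xoxoxoxoxo"
192.0.2.5 - - [17/Mar/2005:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (compatible)"
10.0.0.3 - - [17/Mar/2005:10:00:04 +0000] "GET / HTTP/1.1" 403 0 "-" "xoxoxoxoxo"
this line is garbage and should be skipped
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Count hits per user agent, hits per IP, and the set of IPs behind each agent."""
    by_agent = Counter()
    by_ip = Counter()
    ips_per_agent = {}
    for rec in parse_log(text):
        by_agent[rec["agent"]] += 1
        by_ip[rec["ip"]] += 1
        ips_per_agent.setdefault(rec["agent"], set()).add(rec["ip"])
    return {"by_agent": by_agent, "by_ip": by_ip, "ips_per_agent": ips_per_agent}


def suspicious_agents(text, min_hits=3, min_ips=2):
    """Agents with many hits spread over several source IPs: the pattern the
    original poster describes, where per-IP blocking does not help."""
    s = summarize(text)
    return sorted(
        agent for agent, hits in s["by_agent"].items()
        if hits >= min_hits and len(s["ips_per_agent"][agent]) >= min_ips
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for agent, hits in stats["by_agent"].most_common():
        print(f"{hits:6d} hits  {len(stats['ips_per_agent'][agent]):3d} IPs  {agent}")
    print("suspicious:", suspicious_agents(SAMPLE_LOG))
```

Run it against a real log by replacing SAMPLE_LOG with the file's contents; the thresholds in suspicious_agents are starting points to tune against normal traffic for the site.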
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    What makes you think it's a spider? Sounds more like a DDOS to me. Have you tried installing mod_dosevasive, which should help out considerably with this type of attack?
     
  3. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    No, is this in WHM addons ?

    User agent is: OXOXOXO
    I was thinking of doing this in mod_security:
    SecFilter HTTP_USER_AGENT "OXOXOXO" nolog,redirect:http://www.whatever.com

    or a block instead of redirect but don't know how...!?

    I have APF firewall and there's supposed to be DOS protection.
    I enabled it but it doesn't help.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  5. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    Thanks - I installed it and it is working but it couldn't handle
    the attack very well. I had to remove the 2 domains attacked to
    get the load down.

    I did see a lot of entries in TMP like:
    dos-81.230.183.128

    Is there a log file somewhere ?

    Guess the 403 pages still made the load high.
    Should block the IP's instead in firewall or iptables.....well,
    I'm not good at this.

    Does a good Firewall take care of ddos attacks ?

    The attacker had different IP's all the time so I guess it's
    hard to protect against this shit.
     
  6. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    As far as I know, mod_dosevasive can be integrated with apf to permanently block those attacks. refer to mod_dosevasive documentation and I'm sure you'll get around it :)
     
  7. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    To be more helpful, I did some googling and came out with this :

    - Edit your httpd.conf 'usually in /etc/httpd/conf/httpd.conf'
    - Add the following lines :

    - Save and exit your httpd.conf
    - From the shell run 'visudo'

    Now, Add the following line to allow apache access to APF firewall. Without this the server will be unable to ban users from the server. Make sure and change hostname to your server hostname or it will not work. Only include the first part of the hostname.
    Example hostname.myhost.com only use hostname.


    Exit out of pico and restart apache '/scripts/restartsrv httpd' or 'service httpd restart'.

    I hope this helps.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Bear in mind that if you do that it could pose a very serious security risk indeed allowing apache to affect iptables directly like that.
     
  9. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    With a '675' server load .. I guess he'll need to try it out anyway ;)
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    True :)

    When things start getting that bad, the only effective way to stop a DDOS is to have your network provider block the attempts on the routers - by the time the traffic hits your server it's really too late. That is really their responsibility for the network service they provide to you. If they don't help, go somewhere that does.
     
  11. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    If he managed to control the load by removing attacked domains, I think mod_dosevasive will do the trick ..


    Well, I guess we 'server owners' are just another box on the shelf for those data centers as I've tried some well known data centers out there, and it wasn't pleasant at all ;)

    I hope it'll get better one day as everything else does :)
     
  12. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    What is the serious risk about ?
    Using mod_dosevasive or add nobody HOSTNAME = NOPASSWD: /usr/local/sbin/apf -d * at httpd.conf ?

    Thanks.
     
  13. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Allowing apache to affect iptables directly By Adding 'nobody HOSTNAME = NOPASSWD: /usr/local/sbin/apf -d *' using 'visudo' ... 'not to httpd.conf as you've mentioned'
     
  14. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    So you mean that i have to delete :

    DOSSystemCommand "sudo /usr/local/sbin/apf -d %s" from httpd.conf

    and

    nobody HOSTNAME = NOPASSWD: /usr/local/sbin/apf -d * from visudo

    :confused:

    Thanks
     
  15. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Not at all :) .. we were discussing it out, as it totally depends on your situation .. If you were facing a severe situation as 'jeroman8', I would recommend using it .. but If all things are normal, it's better to count on mod_dosevasive internal 'temporary' blocking mechanism.
     
  16. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    So if all things are normal for my server, i must remove apf thing from mod_dosevasive ?
     
  17. Compubuster

    Compubuster Well-Known Member

    Joined:
    Mar 31, 2004
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    It's better not to allow apache affect iptables directly .. so, Yes, if all goes normal, It's better to remove 'apf' from mod_dosevasive and from visudo also.
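    The risk chirpy and Compubuster are pointing at is the sudoers line `nobody HOSTNAME = NOPASSWD: /usr/local/sbin/apf -d *`: the trailing `*` lets the Apache user run apf with any arguments at all, without a password, so anything that can execute code as the web server user (a compromised script, a flaw in a module) inherits that privilege. One way to narrow it, if the setup is kept, is to point DOSSystemCommand at a small wrapper that accepts exactly one argument, insists it is a public IPv4 address, and only then runs the block command with a fixed argv. The code below is an added example, not from the thread, cPanel, apf or mod_dosevasive; the wrapper path, the idea of calling it from DOSSystemCommand, and the decision to refuse non-public addresses are assumptions of the example, and the apf path and `-d` flag are taken as quoted in the thread.

```python
import ipaddress
import re
import subprocess
import sys

# Path as quoted in the thread. Assumption of this example: sudoers grants the
# Apache user this wrapper only, and the wrapper is root-owned and not writable
# by that user, so the wrapper's checks cannot be bypassed by editing it.
APF = "/usr/local/sbin/apf"
STRICT_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def validate_block_target(arg):
    """Return the dotted-quad string if arg is a routable public IPv4 address,
    otherwise None. Flags, ranges, shell text and internal addresses are refused."""
    if not isinstance(arg, str) or not STRICT_IPV4.match(arg):
        return None
    try:
        ip = ipaddress.IPv4Address(arg)
    except ValueError:          # e.g. an octet above 255
        return None
    if not ip.is_global:
        # loopback, RFC 1918, link-local, documentation ranges: a forged log
        # entry must not be able to firewall the server off from itself
        return None
    return str(ip)


def build_command(arg):
    """argv for the block command, or None if the argument was rejected.
    Passing a list (no shell) means metacharacters are never interpreted."""
    ip = validate_block_target(arg)
    if ip is None:
        return None
    return [APF, "-d", ip]


def main(argv):
    """Exit 2 on wrong argument count, 1 on a rejected address, else apf's status."""
    if len(argv) != 2:
        return 2
    cmd = build_command(argv[1])
    if cmd is None:
        return 1
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Even with the wrapper, the web server user still holds a passwordless path to a root-level firewall command, which is why the posts above recommend removing the apf hook entirely when the server is not under attack; the wrapper reduces what can be passed through that path, it does not remove the path.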
     
  18. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    Hi guys and thanks for all help.

    dosevasive did not help.
    I see a lot of dos..... in TMP catalog but it didn't help the load.
    The 2 accounts are removed and server ok.

    I read about the worm being out in jan and feb.
    Can this maybe be such a thing ?

    I get xoxoxo and **** you as user agents in logs.

    Why should it be security risk letting apache block IP's ?
    I don't think it will work though since the IP's change all the time
    so it would end up blocking a lot of ip's - but new ones coming all the time.

    Servermatrix saw some "crazy" traffic but couldn't help much.
    They gave the tip on lower the apache timeout value.

    I've done that now but the 2 accounts were already removed so..
     