Web Hosting Talk

View Full Version : attack on port 80


thorthor
12-17-2004, 05:43 PM
I used to type these commands manually to stop people attacking my server:

netstat -apn | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

iptables -I INPUT -s x.x.x.x -j DROP   # -I inserts the DROP rule; -D would delete it

But sometimes the attacker keeps doing that all night long, so I stay awake to protect my server from its httpd processes lagging.
What should I do?
I have APF installed, but it seems like it's not working for HTTP requests on port 80.
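
Here is a worked version of the count-then-block routine from the post above. This is an added example, not code posted in the thread: it parses `netstat -apn` text (a constructed sample is embedded; the addresses are documentation ranges, not a real attack), counts connections per peer for the port being hit, optionally aggregates by /24 the way the poster does when banning a range, and prints `iptables -I INPUT ... -j DROP` commands rather than running them. The thresholds and the whitelist are hypothetical values to adjust per server.

```python
"""Count peers hitting port 80 in netstat output and emit iptables DROP rules."""
import ipaddress
from collections import Counter

# Constructed sample of `netstat -apn` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED 1235/httpd
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED 1236/httpd
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.11:40000      ESTABLISHED 1237/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:6000       ESTABLISHED 1238/httpd
tcp        0      0 10.0.0.5:22             198.51.100.9:5000       ESTABLISHED 900/sshd
tcp        0      0 10.0.0.5:80             203.0.113.12:40001      TIME_WAIT   -
"""


def count_peers(netstat_text, port=80, ignore_states=("LISTEN", "TIME_WAIT")):
    """Return Counter{peer_ip: connections} for TCP sockets on the local port.

    LISTEN is the server socket itself and TIME_WAIT no longer ties up an
    httpd worker, so both are skipped by default; SYN_RECV is counted because
    half-open connections still occupy the backlog.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if local.rsplit(":", 1)[1] != str(port) or state in ignore_states:
            continue
        peer = foreign.rsplit(":", 1)[0]   # strip the port, works for v4 and v6
        try:
            counts[str(ipaddress.ip_address(peer))] += 1
        except ValueError:                 # e.g. '*' in a listening socket line
            continue
    return counts


def count_subnets(counts, prefix=24):
    """Roll per-IP counts up into /prefix networks (use 64 for IPv6 peers)."""
    nets = Counter()
    for ip, n in counts.items():
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += n
    return nets


def block_commands(counts, threshold, whitelist=()):
    """iptables commands for every key at or above threshold, skipping
    anything that overlaps a whitelisted network (your own monitoring hosts,
    the server itself, etc.).  -I puts the DROP ahead of APF's ACCEPT rules."""
    allow = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    cmds = []
    for target, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if n < threshold:
            continue
        net = ipaddress.ip_network(target, strict=False)
        if any(net.overlaps(a) for a in allow):
            continue
        cmds.append(f"iptables -I INPUT -s {target} -j DROP")
    return cmds


if __name__ == "__main__":
    per_ip = count_peers(SAMPLE_NETSTAT)
    for cmd in block_commands(per_ip, threshold=3, whitelist=["10.0.0.0/8"]):
        print(cmd)
    for cmd in block_commands(count_subnets(per_ip), threshold=4):
        print(cmd)
```

Pipe live output in with `netstat -apn | python3 thisscript.py` once the sample is swapped for `sys.stdin.read()`; review the printed commands before pasting them, since a /24 rule will also cut off any legitimate visitors sharing that range.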

SmartActive
12-17-2004, 05:49 PM
Hello,

If APF doesn't work for you, reinstall it; there is a new version.

Read the README file and configure apf/ad to protect you against SYN floods too.

Also, HTTP request handling depends on your httpd.conf settings, so you have to optimize it.

thorthor
12-17-2004, 05:51 PM
Do you have any instructions/references on how to reinstall APF?

SmartActive
12-17-2004, 05:56 PM
Yes,

get the new version from: http://rfxnetworks.com/downloads/apf-current.tar.gz

readme:
http://rfxnetworks.com/apf/README

Also read the APF antidos configuration; it may help you:
http://rfxnetworks.com/apf/README.antidos

Regards,

thorthor
12-17-2004, 05:58 PM
Thanks for your quick reply.
I really appreciate it.

thorthor
12-17-2004, 06:04 PM
I don't find any information on how to uninstall/reinstall APF.
Can I just overwrite it?

GoogleBot
12-17-2004, 07:46 PM
Using APF with antidos will not protect your server from an Apache flood. It will protect you against some or most SYN packets, but it does not work for protecting you against Apache floods.

thorthor
12-17-2004, 07:55 PM
So how do I protect the server from an Apache flood?

GoogleBot
12-17-2004, 08:01 PM
Originally posted by thorthor
So how do I protect the server from an Apache flood?

I work with a few people who get attacked all the time and get flooded with enough connections to raise the load to 100+ by attacking Apache, and the only way I have found is to have the Apache logs parsed and block the IPs connecting too many times per second. There are some Apache mods out there, but they don't really work too well.

thorthor
12-17-2004, 08:04 PM
Yes, that's what I did:
grep the netstat output on port 80 and then put the IP in iptables.
Sometimes I get lazy, so I ban the whole IP range (CIDR).
Hmmm... any other suggestions?

GoogleBot
12-17-2004, 08:05 PM
Originally posted by thorthor
Yes, that's what I did:
grep the netstat output on port 80 and then put the IP in iptables.
Sometimes I get lazy, so I ban the whole IP range (CIDR).
Hmmm... any other suggestions?

That is really the only thing you can do.

bashprompt18
12-17-2004, 09:38 PM
Use BFD from the makers of APF. Make a config for it to scan the Apache logs for Apache Benchmark, a tool that is used a lot to DoS servers. Its main use is to detect brute-force attacks, and it will block after so many failed logins, but I am sure you can have it grep the Apache logs for things that you think should cause a host to be blocked. Also, I would check out mod_security for Apache.

boeki
12-17-2004, 09:45 PM
Search the forums for mod_dosevasive. This is going to help a lot in preventing Apache attacks.

GoogleBot
12-17-2004, 10:13 PM
bashprompt18,

BFD is something you use to lock people out after they have failed to log in so many times. It won't help against DoS/DDoS attacks aimed at the Apache web server.

I tested mod_dosevasive when we were being flooded and it did not hold up at all. mod_dosevasive will block small attacks but nothing more.

bashprompt18
12-17-2004, 10:16 PM
Originally posted by GoogleBot
bashprompt18,

BFD is something you use to lock people out after they have failed to log in so many times. It won't help against DoS/DDoS attacks aimed at the Apache web server.

I tested mod_dosevasive when we were being flooded and it did not hold up at all. mod_dosevasive will block small attacks but nothing more.

BFD will grep the logs looking for the failed attempts. If you look, it uses scripts to do this, and you can edit the scripts to look for whatever you want, so you could have BFD look for anything in the logs. So you could make BFD work for this. Please do look at the scripts it uses to grep the logs and you will find that I am correct.

tommyquang
12-17-2004, 11:21 PM
bashprompt18!
How do I make BFD work for that? What is that script?

It seems there is no way to prevent attacks on port 80????

bashprompt18
12-17-2004, 11:59 PM
Originally posted by tommyquang
bashprompt18!
How do I make BFD work for that? What is that script?

It seems there is no way to prevent attacks on port 80????

OK, excuse this, but it's going to be LONG! In your /usr/local/bfd/rules directory are scripts that are used to grep the log files and gather the failed attempts from them so BFD can take action. I will post the one that is for the Apache log. Note that this one only looks for failed logins, but you can make it look for anything, like Apache Benchmark or other types of attacks on web servers. I hope this will help someone. It's not an "I told you so" message; it's the info you need to understand how this can help you. No, it's not 100%: you have to know what attacks you are looking for and what they look like in your logs, and that means being attacked first or getting logs from someone who has been attacked.

------------------/usr/local/bfd/rules/apache--------
# Pick whichever Apache error_log exists on this box.
if [ -f "/var/log/httpd/error_log" ]; then
    LP="/var/log/httpd/error_log"
else
    LP="/usr/local/apache/logs/error_log"
fi
# TLOG_TF names the tlog tracking file, so each run only reads new lines.
TLOG_TF="apache"
# Number of matching entries from one address before BFD blocks it.
TRIG="6"

# $TLOGP and $PATTERN_FILE are provided by BFD itself. This keeps "error"
# lines mentioning a "user" that match the failure patterns and emits
# host:user pairs for BFD to count against TRIG.
ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w error | grep -w user | grep -iwf $PATTERN_FILE | awk '{print$8":"$10}' | tr -d ']'`

# Example check of multiple apache logs [ensim]
if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
    ARG_VAL2=""
    for dom in `cat /etc/virtualhosting/mappings/domainmap | awk '{print$1}'`; do
        if [ -f "/home/virtual/$dom/var/log/httpd/error_log" ]; then
            # The TLOG_TF value must be unique for every log file processed
            TLOG_TF="apache.$dom"
            LP="/home/virtual/$dom/var/log/httpd/error_log"
            # Append to ARG_VAL2 instead of overwriting it, otherwise only
            # the last domain's hits survive the loop.
            ARG_VAL2="$ARG_VAL2 `/bin/nice -n 16 $TLOGP $LP $TLOG_TF | grep -w error | grep -w user | grep -iwf $PATTERN_FILE | awk '{print$8":"$10}' | tr -d ']'`"
        fi
    done

    # Now just merge ARG_VAL and ARG_VAL2 under the variable name ARG_VAL
    ARG_VAL=`echo $ARG_VAL $ARG_VAL2`
fi
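
The two detection ideas in this thread, GoogleBot's "block the IPs connecting too many times per second" from the access log and bashprompt18's "look for Apache Benchmark" signature, can be written as one small log scanner. The following is an added example, not code from the thread or from BFD: it parses Apache combined/common log lines (a constructed sample using documentation addresses is embedded), keeps a sliding per-IP window to catch request bursts, flags any user agent matching a signature list, and returns the offenders with a reason. The thresholds, the `ApacheBench` signature and the assumption that log lines arrive in time order are all choices for this example; the output is meant to feed whatever blocking step you already use (iptables, APF deny_hosts.rules).

```python
"""Flag flooding or ApacheBench-driven clients from Apache access log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format; the referer/user-agent pair is optional so plain
# common-format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample access log (not real traffic): 203.0.113.10 bursts,
# 192.0.2.44 runs ab, 198.51.100.7 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Dec/2004:21:38:01 -0500] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
203.0.113.10 - - [17/Dec/2004:21:38:01 -0500] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Dec/2004:21:38:01 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Dec/2004:21:38:01 -0500] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
203.0.113.10 - - [17/Dec/2004:21:38:01 -0500] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
203.0.113.10 - - [17/Dec/2004:21:38:01 -0500] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
203.0.113.10 - - [17/Dec/2004:21:38:01 -0500] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
192.0.2.44 - - [17/Dec/2004:21:38:02 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "ApacheBench/2.3"
198.51.100.7 - - [17/Dec/2004:21:38:05 -0500] "GET /index.html HTTP/1.0" 200 512
this line is not an access log entry
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), req, status, size, ref, ua;
    None for lines that are not in combined/common format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_floods(lines, max_per_window=5, window_seconds=1,
                ua_signatures=("ApacheBench",)):
    """Return {ip: reason} for clients that exceed max_per_window requests
    inside any window_seconds span, or whose user agent matches a signature.
    Lines are assumed to be in time order, as an access log normally is."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}                # first reason wins, so ordering is stable
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, ua = rec["ip"], rec["ts"], rec["ua"] or ""
        if ip not in offenders and any(sig in ua for sig in ua_signatures):
            offenders[ip] = f"user-agent matches {ua!r}"
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if ip not in offenders and len(window) > max_per_window:
            offenders[ip] = f"{len(window)} requests in {window_seconds}s"
    return offenders


if __name__ == "__main__":
    for ip, why in find_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}\t{why}")
```

Run it over a live log with `tail -f access_log | python3 thisscript.py` after replacing the sample with `sys.stdin`; because it matches on the string an attacker chooses to send, the user-agent rule only catches lazy `ab` runs, while the rate rule is what catches the real floods GoogleBot describes.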