Thread: Getting attacked constantly....
-
#1 | 05-08-2006, 05:00 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
Getting attacked constantly....
Hello,
My box is getting attacked, and crashing the httpd constantly. I contacted my provider and they told me it was ddos attacks. So, I installed several security features from a topic I found here on WHT, including the apf firewall. As soon as I got done with that, my server httpd starts to go down again. I restarted httpd and it is now back up.
I know who the person doing this is, as he keeps sending me messages taunting me. I ban his IP every time on one of my sites, but he just comes back with a different one. How can I stop this?
Regards,
Kyle
-
#2 | 05-08-2006, 05:22 PM | Disabled (joined Oct 2005, 515 posts)
What version of Apache are you running? Have you installed and configured mod_evasive for Apache? http://www.nuclearelephant.com/projects/mod_evasive/
-
#3 | 05-08-2006, 05:40 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
I am running Apache 1.3.34 (Unix). To my knowledge, this program is not installed on my box. Do you know of any tutorials that will show how to install this successfully? Sorry, I am very new at managing these servers.
Kyle
-
#4 | 05-08-2006, 06:14 PM | Disabled (joined Oct 2005, 515 posts)
Sure, make sure you have APXS support compiled with Apache before installing, otherwise it won't install:
Code:
    wget http://www.nuclearelephant.com/proje..._1.10.1.tar.gz
    tar -zxf mod_evasive_1.10.1.tar.gz
    cd mod_evasive
    /usr/local/apache/bin/apxs -cia mod_evasive.c
Add the following to your httpd.conf under AddModule mod_evasive.c
Code:
    <IfModule mod_evasive.c>
        DOSHashTableSize 3097
        DOSPageCount 5
        DOSSiteCount 100
        DOSPageInterval 2
        DOSSiteInterval 2
        DOSBlockingPeriod 600
    </IfModule>
Last edited by FirmbIT; 05-08-2006 at 06:21 PM.
-
#5 | 05-08-2006, 06:21 PM | Web Hosting Master, Albany, NY (joined Sep 2005, 3,956 posts)
http://forums.deftechgroup.com/showthread.php?t=825
Just follow that and it'll take care of your DDOS without any problems.
AYKsolutions.com - High Bandwidth Specialists - 10Gbps/20Gbps+ Unmetered & DDOS Protected
Over 20+ Global Locations - Asia (Hong Kong, Singapore, Tokyo), Mexico, Brazil, India, Australia, US, CA, EU - Bare Metal and Virtual Cloud. All Managed.
We are Professional. Painless. Polite.
-
#6 | 05-08-2006, 06:28 PM | Web Hosting Guru, Pakistan (joined Dec 2003, 278 posts)
I am also facing a similar problem; you can see my thread at: http://www.webhostingtalk.com/showthread.php?t=510980
-
#7 | 05-08-2006, 06:32 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
Thanks for that info.
@FirmBIT
Where can I find my httpd.conf file? Thanks.
-
#8 | 05-08-2006, 06:33 PM | Disabled (joined Oct 2005, 515 posts)
Code:
    whereis httpd.conf
If your path to Apache is /usr/local/apache then it is most likely at /usr/local/apache/conf/httpd.conf
-
#9 | 05-08-2006, 06:42 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
Thanks.
Got that going now.
Kyle
-
#10 | 05-08-2006, 06:46 PM | Disabled (joined Oct 2005, 515 posts)
Great. Let me know if it fixes your issue.
-
#11 | 05-08-2006, 07:41 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
Just got hit again.
I ran the command at the point of the attack:
Code:
    netstat -alpn | grep :80 | wc -l
Was getting nearly 1000 connections.
I continually restarted the httpd until it has now returned back to normal, 46 connections. I have brute force protection installed on my server and am getting emails around the time of attack from it:
The remote system 70.232.146.73 was found to have exceeded acceptable login failures on server1.websolvents.com; there was 46 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.
Executed ban command:
/etc/apf/apf -d 70.232.146.73 {bfd.sshd}
The following are event logs from 70.232.146.73 on service sshd (all time stamps are GMT -0400):
I don't know what else I can do. Help please.
Kyle
Last edited by xxkylexx; 05-08-2006 at 07:46 PM.
-
#12 | 05-08-2006, 07:46 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
Getting hit again at the moment. 904 connections.
-
#13 | 05-08-2006, 07:55 PM | Web Hosting Master, Florida (joined May 2003, 902 posts)
Originally Posted by ayksolutions
-
#14 | 05-08-2006, 08:09 PM | Disabled (joined Oct 2005, 515 posts)
Just to confirm, you did restart apache after mod_evasive was installed?
Code:
    /usr/local/apache/bin/apachectl restart
-
#15 | 05-08-2006, 08:09 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
I had mod_evasive installed before this attack. I'll look at that one.
*Edit* @Firm...
No, I didn't. Just restarted it now.
-
#16 | 05-08-2006, 08:14 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
Just installed (D)DoS Deflate Version 0.6. We'll see how that works.
-
#17 | 05-08-2006, 08:27 PM | Web Hosting Master, Albany, NY (joined Sep 2005, 3,956 posts)
It should do the job. Have it output the IPs blocked to a log file so you know who it is. Also, set the connection limit to 75 or so.
-
#18 | 05-08-2006, 08:42 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
I have it configured as follows:
--------------------
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=75
##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1
##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="xxrazxx@gmail.com"
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=6000
---------------------------------------
Thanks again.
-
#19 | 05-08-2006, 11:30 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
Got everything sorted now. Just wondering, though: are any of these scripts going to block out any of my legit traffic, by chance?
Regards,
Kyle
-
#20 | 05-09-2006, 06:28 AM | Web Hosting Master, Florida (joined May 2003, 902 posts)
You might want to watch the (D)DoS Deflate. If you set it too low, it will temporarily block legit traffic. If that happens, you can just increase the NO_OF_CONNECTIONS value. You have it emailing you a report, so you will know when it blocks an IP.
-
#21 | 05-09-2006, 09:08 AM | WHT Addict (joined Nov 2005, 100 posts)
Yeah, when I had it set at 75, it would block my IP whenever I visited an awstats page, so I had to up it. It said I had 91 connections during that time.
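An added example, not from this thread or from the (D)DoS Deflate project: a POSIX shell/awk check in the spirit of the NO_OF_CONNECTIONS setting posted above. It counts connections per remote address from netstat-style output, lists the addresses over the limit, and keeps a whitelist so an admin's own awstats session (the 91-connection case in the previous post) is not banned. The addresses and the netstat lines are constructed samples; on a real host you would feed it `netstat -ntu`.

```shell
#!/bin/sh
# Added example (not the thread's or DDoS Deflate's own code): per-IP connection
# counting with a ban threshold and an admin whitelist. IPv6 foreign addresses
# are not handled by the simple ip:port split below.

NO_OF_CONNECTIONS=75          # same threshold as the posted config
WHITELIST="203.0.113.10"      # constructed admin IP (RFC 5737 range); never listed as an offender

# Constructed `netstat -ntu` style lines: Proto Recv-Q Send-Q Local Foreign State
sample_netstat() {
    i=0
    while [ "$i" -lt 91 ]; do    # 91 connections from the admin IP (the awstats case)
        echo "tcp 0 0 192.0.2.5:80 203.0.113.10:$((40000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 120 ]; do   # 120 connections from one constructed flooding IP
        echo "tcp 0 0 192.0.2.5:80 198.51.100.7:$((50000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
    echo "tcp 0 0 192.0.2.5:80 198.51.100.9:33001 ESTABLISHED"   # one ordinary visitor
}

# Reads netstat-style lines on stdin and prints "count ip" for every remote IP
# whose connection count exceeds NO_OF_CONNECTIONS, skipping whitelisted IPs.
offenders() {
    awk -v limit="$NO_OF_CONNECTIONS" -v wl="$WHITELIST" '
        $1 ~ /^(tcp|udp)/ {
            split($5, a, ":")              # Foreign Address column is ip:port
            ip = a[1]
            if (ip != "" && ip != "0.0.0.0") count[ip]++
        }
        END {
            n = split(wl, w, " ")
            for (k = 1; k <= n; k++) skip[w[k]] = 1
            for (ip in count)
                if (count[ip] > limit && !(ip in skip)) print count[ip], ip
        }'
}

# Runs the check over the constructed sample; only the flooding IP should be listed.
check_sample() {
    sample_netstat | offenders
}

check_sample
```

The output line is what a ban step (for example `apf -d <ip>` as the script's APF_BAN=1 mode does) would act on; logging that line, as suggested earlier in the thread, is how you later spot a false positive like the awstats case.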
-
#22 | 05-09-2006, 10:41 PM | Web Hosting Evangelist, Jacksonville, FL (joined Apr 2006, 511 posts)
I'll keep it on 75 for a while and bump it up to 150 when things settle down.
Thanks all.