  1. #1
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511

    Getting attacked constantly....

    Hello,

    My box is getting attacked, and it is crashing httpd constantly. I contacted my provider and they told me it was DDoS attacks. So, I installed several security features from a topic I found here on WHT, including the APF firewall. As soon as I got done with that, my server's httpd started to go down again. I restarted httpd and it is now back up.

    I know who the person doing this is, as he keeps sending me messages taunting me. I ban his IP every time on one of my sites, but he just comes back with a different one. How can I stop this?


    Regards,
    Kyle

  2. #2
    What version of Apache are you running? Have you installed and configured mod_evasive for Apache? http://www.nuclearelephant.com/projects/mod_evasive/

  3. #3
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    I am running Apache 1.3.34 (Unix). To my knowledge, this program is not installed on my box. Do you know of any tutorials that will show how to install this successfully? Sorry, I am very new at managing these servers.

    Kyle

  4. #4
    Sure, make sure you have APXS support compiled with Apache before installing, otherwise it won't install:

    Code:
    wget http://www.nuclearelephant.com/proje..._1.10.1.tar.gz
    tar -zxf mod_evasive_1.10.1.tar.gz
    cd mod_evasive
    /usr/local/apache/bin/apxs -cia mod_evasive.c
    Your apache path may differ, do a whereis apache to double check this.

    Add the following to your httpd.conf under AddModule mod_evasive.c

    Code:
    <IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 5
    DOSSiteCount 100
    DOSPageInterval 2
    DOSSiteInterval 2
    DOSBlockingPeriod 600
    </IfModule>

  5. #5
    Join Date
    Sep 2005
    Location
    Albany, NY
    Posts
    3,956
    http://forums.deftechgroup.com/showthread.php?t=825

    Just follow that and it'll take care of your DDOS without any problems.
    AYKsolutions.com - High Bandwidth Specialists - 10Gbps/20Gbps+ Unmetered & DDOS Protected
    Over 20+ Global Locations - Asia (Hong Kong, Singapore, Tokyo), Mexico, Brazil, India, Australia, US, CA, EU - Bare Metal and Virtual Cloud. All Managed.
    We are Professional. Painless. Polite.

  6. #6
    Join Date
    Dec 2003
    Location
    Pakistan
    Posts
    278
    I am also facing the similar problem, you can see my thread at : http://www.webhostingtalk.com/showthread.php?t=510980

  7. #7
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    Thanks for that info.

    @FirmBIT

    Where can I find my httpd.conf file? Thanks.

  8. #8
    whereis httpd.conf

    If your path to Apache is /usr/local/apache then it is most likely at /usr/local/apache/conf/httpd.conf

  9. #9
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    Thanks.

    Got that going now.


    Kyle

  10. #10
    Great. Let me know if it fixes your issue.

  11. #11
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    Just got hit again.

    I ran the command at the point of the attack:

    netstat -alpn | grep :80 | wc -l


    Was getting nearly 1000 connections.

    I continually restarted the httpd until it has now returned back to normal, 46 connections. I have brute force protection installed on my server and am getting emails around the time of attack from it:

    The remote system 70.232.146.73 was found to have exceeded acceptable login failures on server1.websolvents.com; there was 46 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

    Executed ban command:
    /etc/apf/apf -d 70.232.146.73 {bfd.sshd}

    The following are event logs from 70.232.146.73 on service sshd (all time stamps are GMT -0400):

    May 8 17:29:49 server1 sshd[10320]: Did not receive identification string from 70.232.146.73
    May 8 17:29:49 server1 sshd[10321]: Did not receive identification string from 70.232.146.73
    May 8 19:01:43 server1 sshd[19265]: Illegal user test from 70.232.146.73
    May 8 19:01:45 server1 sshd[19270]: Illegal user test from 70.232.146.73
    May 8 19:01:45 server1 sshd[19265]: Failed password for illegal user test from 70.232.146.73 port 54291 ssh2
    May 8 19:01:47 server1 sshd[19279]: Illegal user test from 70.232.146.73
    May 8 19:01:47 server1 sshd[19270]: Failed password for illegal user test from 70.232.146.73 port 54314 ssh2
    May 8 19:01:49 server1 sshd[19279]: Failed password for illegal user test from 70.232.146.73 port 54406 ssh2
    May 8 19:01:50 server1 sshd[19285]: Illegal user test from 70.232.146.73
    May 8 19:01:52 server1 sshd[19288]: Illegal user test from 70.232.146.73
    May 8 19:01:52 server1 sshd[19285]: Failed password for illegal user test from 70.232.146.73 port 54449 ssh2
    May 8 19:01:54 server1 sshd[19288]: Failed password for illegal user test from 70.232.146.73 port 54489 ssh2
    May 8 19:01:54 server1 sshd[19297]: Illegal user test from 70.232.146.73
    May 8 19:01:56 server1 sshd[19300]: Illegal user test from 70.232.146.73
    May 8 19:01:57 server1 sshd[19297]: Failed password for illegal user test from 70.232.146.73 port 54540 ssh2
    May 8 19:01:58 server1 sshd[19300]: Failed password for illegal user test from 70.232.146.73 port 54577 ssh2
    May 8 19:01:59 server1 sshd[19306]: Illegal user test from 70.232.146.73
    May 8 19:02:00 server1 sshd[19313]: Illegal user test from 70.232.146.73
    May 8 19:02:01 server1 sshd[19306]: Failed password for illegal user test from 70.232.146.73 port 54641 ssh2
    May 8 19:02:02 server1 sshd[19313]: Failed password for illegal user test from 70.232.146.73 port 54675 ssh2
    May 8 19:02:04 server1 sshd[19328]: Illegal user test from 70.232.146.73
    May 8 19:02:06 server1 sshd[19334]: Illegal user test from 70.232.146.73
    May 8 19:02:06 server1 sshd[19328]: Failed password for illegal user test from 70.232.146.73 port 54780 ssh2
    May 8 19:02:08 server1 sshd[19341]: Illegal user test from 70.232.146.73
    May 8 19:02:08 server1 sshd[19334]: Failed password for illegal user test from 70.232.146.73 port 54748 ssh2
    May 8 19:02:11 server1 sshd[19341]: Failed password for illegal user test from 70.232.146.73 port 54869 ssh2
    May 8 19:02:13 server1 sshd[19356]: Illegal user test from 70.232.146.73
    May 8 19:02:15 server1 sshd[19356]: Failed password for illegal user test from 70.232.146.73 port 54977 ssh2
    May 8 19:02:18 server1 sshd[19370]: Illegal user test from 70.232.146.73
    May 8 19:02:20 server1 sshd[19370]: Failed password for illegal user test from 70.232.146.73 port 55078 ssh2
    May 8 19:02:22 server1 sshd[19384]: Illegal user test from 70.232.146.73
    May 8 19:02:25 server1 sshd[19384]: Failed password for illegal user test from 70.232.146.73 port 55181 ssh2
    May 8 19:02:27 server1 sshd[19392]: Illegal user test from 70.232.146.73
    May 8 19:02:29 server1 sshd[19392]: Failed password for illegal user test from 70.232.146.73 port 55269 ssh2
    May 8 19:02:31 server1 sshd[19398]: Illegal user test from 70.232.146.73
    May 8 19:02:34 server1 sshd[19398]: Failed password for illegal user test from 70.232.146.73 port 55379 ssh2
    May 8 19:02:36 server1 sshd[19410]: Illegal user test from 70.232.146.73
    May 8 19:02:39 server1 sshd[19410]: Failed password for illegal user test from 70.232.146.73 port 55474 ssh2
    May 8 19:02:44 server1 sshd[19440]: Illegal user test from 70.232.146.73
    May 8 19:02:46 server1 sshd[19440]: Failed password for illegal user test from 70.232.146.73 port 55585 ssh2
    May 8 19:02:48 server1 sshd[19478]: Illegal user test from 70.232.146.73
    May 8 19:02:50 server1 sshd[19478]: Failed password for illegal user test from 70.232.146.73 port 55750 ssh2
    May 8 19:02:53 server1 sshd[19480]: Illegal user tester from 70.232.146.73
    May 8 19:02:55 server1 sshd[19480]: Failed password for illegal user tester from 70.232.146.73 port 55845 ssh2
    May 8 19:02:57 server1 sshd[19482]: Illegal user tester from 70.232.146.73
    May 8 19:02:59 server1 sshd[19482]: Failed password for illegal user tester from 70.232.146.73 port 55939 ssh2
    May 8 19:03:01 server1 sshd[19484]: Illegal user tester from 70.232.146.73
    May 8 19:03:04 server1 sshd[19484]: Failed password for illegal user tester from 70.232.146.73 port 56034 ssh2


    I don't know what else I can do. Help please.

    Kyle
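The BFD mail quoted above is the output of a simple tally: count "Failed password" lines per source address and ban whoever crosses a threshold. Here is that logic as an added example (not the thread's code and not BFD's own script), run over a handful of constructed sshd lines modelled on the ones in the post. The threshold, the sample addresses from the documentation ranges, and the `ban_command` helper are assumptions; the APF deny command is the one BFD reported, echoed rather than executed so the script is safe to run anywhere.

```shell
#!/bin/sh
# Added example: per-IP failed-login tally of the kind BFD performs.
# SAMPLE_LOG is constructed for this example (not a real capture); it mixes the
# "Illegal user" brute force from the post with one unrelated failure, one
# successful login and one "Did not receive identification string" line.
SAMPLE_LOG='May 8 19:01:45 server1 sshd[19265]: Failed password for illegal user test from 70.232.146.73 port 54291 ssh2
May 8 19:01:47 server1 sshd[19270]: Failed password for illegal user test from 70.232.146.73 port 54314 ssh2
May 8 19:01:49 server1 sshd[19279]: Failed password for illegal user test from 70.232.146.73 port 54406 ssh2
May 8 19:02:55 server1 sshd[19480]: Failed password for illegal user tester from 70.232.146.73 port 55845 ssh2
May 8 19:05:01 server1 sshd[19600]: Failed password for root from 192.0.2.10 port 40001 ssh2
May 8 19:05:03 server1 sshd[19601]: Accepted password for kyle from 198.51.100.7 port 40002 ssh2
May 8 19:05:10 server1 sshd[19602]: Did not receive identification string from 192.0.2.10'

# failed_logins_per_ip: read sshd log text on stdin, print "<count> <ip>" for
# every address with at least one "Failed password" line, busiest first.
# Only "Failed password" counts; "Did not receive identification string" is
# a probe, not an authentication failure, so it is deliberately ignored here.
failed_logins_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token after "from", whatever the user part looks like
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# ips_to_ban THRESHOLD: addresses whose failure count is >= THRESHOLD (stdin = log text).
ips_to_ban() {
    failed_logins_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# ban_command IP: the APF deny command BFD ran in the post. It is echoed, not
# executed, so this example never touches the firewall (like Deflate's KILL=0).
ban_command() {
    echo "/etc/apf/apf -d $1 {bfd.sshd}"
}

# Usage: with a threshold of 3 only 70.232.146.73 qualifies in the sample;
# 192.0.2.10 has a single failure and is left alone.
printf '%s\n' "$SAMPLE_LOG" | ips_to_ban 3 | while read -r ip; do
    ban_command "$ip"
done
```

To run this against a live box, replace the `printf` of `SAMPLE_LOG` with `cat /var/log/secure` (or wherever sshd logs on your system) and pipe `ban_command` into `sh` only once you are happy with what it prints.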

  12. #12
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    Getting hit again at the moment. 904 connections.

  13. #13
    Join Date
    May 2003
    Location
    Florida
    Posts
    902
    Quote Originally Posted by ayksolutions
    http://forums.deftechgroup.com/showthread.php?t=825

    Just follow that and it'll take care of your DDOS without any problems.
    This is a nice script that should really help your problem. You can also install mod_evasive.

  14. #14
    Just to confirm, you did restart apache after mod_evasive was installed?

    /usr/local/apache/bin/apachectl restart

  15. #15
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    I had mod_evasive installed before this attack. I'll look at that one.


    *Edit* @Firm...

    No, I didn't. Just restarted it now.

  16. #16
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    Just installed (D)DoS Deflate Version 0.6. We'll see how that works.

  17. #17
    Join Date
    Sep 2005
    Location
    Albany, NY
    Posts
    3,956
    It should do the job. Have it output the IPs blocked to a log file so you know who it is. Also, set the connection limit to 75 or so.

  18. #18
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    I have it configured as follows:

    Code:
    ##### frequency in minutes for running the script
    ##### Caution: Every time this setting is changed, run the script with --cron
    ##### option so that the new frequency takes effect
    FREQ=1

    ##### How many connections define a bad IP? Indicate that below.
    NO_OF_CONNECTIONS=75

    ##### APF_BAN=1 (Make sure your APF version is at least 0.96)
    ##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
    APF_BAN=1

    ##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
    ##### KILL=1 (Recommended setting)
    KILL=1

    ##### An email is sent to the following address when an IP is banned.
    ##### Blank would suppress sending of mails
    EMAIL_TO="xxrazxx@gmail.com"

    ##### Number of seconds the banned ip should remain in blacklist.
    BAN_PERIOD=6000

    Thanks again.
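The `netstat -alpn | grep :80 | wc -l` count from post #11 tells you the box is busy but not who is doing it; what (D)DoS Deflate adds, per the config above, is a per-source tally compared against NO_OF_CONNECTIONS. The script below is an added example of that tally (my code, not the Deflate script or anything from the thread). It assumes `netstat -ntu` style columns (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State), builds its own constructed netstat output from the documentation address ranges instead of reading a live socket table, and only echoes the APF deny command rather than running it. The whitelist argument is an assumption too, added because of the AWStats false positive discussed later in the thread: an admin IP that legitimately opens a burst of connections should never be banned by a connection-count rule.

```shell
#!/bin/sh
# Added example: per-source-IP connection counting with a threshold and a whitelist.
# Everything below is constructed for the example; nothing reads the real socket table.

# gen_conns IP N: emit N netstat-style rows for one client hitting port 80.
gen_conns() {
    i=0
    while [ "$i" -lt "$2" ]; do
        i=$((i + 1))
        printf 'tcp        0      0 203.0.113.5:80          %s:%d     ESTABLISHED\n' "$1" $((40000 + i))
    done
}

# sample_netstat: constructed "netstat -ntu" output with a header, one flood
# source holding 90 sockets, an admin host with 3 and an ordinary visitor with 1.
sample_netstat() {
    printf 'Active Internet connections (w/o servers)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    gen_conns 198.51.100.20 90
    gen_conns 192.0.2.44 3
    gen_conns 203.0.113.9 1
}

# connections_per_ip: read netstat output on stdin, print "<count> <ip>" per
# foreign address, busiest first. Header lines are skipped by requiring a
# tcp/udp protocol in column 1. Only the trailing ":port" is stripped, which
# (unlike "cut -d: -f1") keeps IPv6-mapped addresses such as ::ffff:a.b.c.d intact.
connections_per_ip() {
    awk '$1 ~ /^(tcp|udp)/ {
            ip = $5; sub(/:[0-9]+$/, "", ip)
            n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD "IP IP ...": addresses at or above THRESHOLD that are not
# in the space-separated whitelist (stdin = netstat output).
offenders() {
    connections_per_ip | awk -v t="$1" -v ign=" $2 " \
        '$1 >= t && index(ign, " " $2 " ") == 0 { print $2 }'
}

# ban_command IP: the APF deny command the APF_BAN=1 setting implies. Echoed only,
# so this example is a dry run in the spirit of KILL=0.
ban_command() {
    echo "/etc/apf/apf -d $1"
}

# Usage: NO_OF_CONNECTIONS=75 with the admin host whitelisted. Only the
# 90-socket source is reported; the admin host would pass anyway at 3, but the
# whitelist is what protects it once it opens 91 connections to an AWStats page.
sample_netstat | offenders 75 "192.0.2.44" | while read -r ip; do
    ban_command "$ip"
done
```

On a real server replace `sample_netstat` with `netstat -ntu`, and keep the `ban_command` output as a dry run until the counts you see in the email reports match what you expect from legitimate traffic.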

  19. #19
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    Got everything sorted now. Just wondering though-- are any of these scripts going to block out any of my legit traffic, by chance?


    Regards,
    Kyle

  20. #20
    Join Date
    May 2003
    Location
    Florida
    Posts
    902
    You might want to watch the (D)DoS Deflate. If you set it too low, it will temporarily block legit traffic. If that happens, you can just increase the NO_OF_CONNECTIONS value. You have it emailing you a report, so you will know when it blocks an IP.

  21. #21
    Yeah, when I had it set at 75, it would block my IP whenever I visited an AWStats page, so I had to up it. It said I had 91 connections during that time.

  22. #22
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    511
    I'll keep it on 75 for a while and bump it up to 150 when things settle down.

    Thanks all.
