Results 1 to 4 of 4
  1. #1

    boot force attack

    I'm using whm/cpanel control panel.after blocked ip,i see same ip's again attack my server.That cause my server Load Averages: 30.64 36.48 35.89

    How to i resolve this issue.i using ConfigServer Security & Firewall

    Best Regards
    Roman E

  2. #2
    Join Date
    Jun 2003
    World Wide Web
    Attack will be done targeting a domain/IP . If we can track the domain/IP , attack can be stopped.

    Step 1:

    Get Apache status update from command line to see which domain is receiving maximum hits:

    lynx http://localhost/whm-server-status


    httpd fullstatus |more

    Most probably the domain under attack should top the list.

    If you get enough data, then either suspend/terminate that user. You can even change the A record of that domain to loopback address ( if the attack is that severe.

    Step 2:

    Also if you are using CSF firewall,

    Open the CSF configuration file /etc/csf/csf.conf

    In that search for option called CT_LIMIT, by default it will be like CT_LIMIT=0 , change this to CT_LIMIT=60 ,here 60 is the max no.of connections from an IP to your server ( choose this value according to your server usage ) - the name says it all!
    Managed Cloud Servers
    Server Management and Monitoring
    24x7 outsourced customer support

  3. #3
    Join Date
    May 2013

    Initially, against what service the attack is going on? If it is against apache and hitting any particular domain hardly, it doesn't come under brute-force attack; it comes under DOS or DDOS based on the severity if attack. Brute-force is normally a "password guess" attack against any encrypted system.

    Ok, now..if you know the source IP address which is hitting hard, the simple solution is to block them in CSF. To do that, login to SSH as root user and run the following commands

    #csf -d <IP>
    #csf -r
    That will add the particular IP address to permanent IP block.

    If the source is a group of IPs, you can use PORTFLOOD , CT_LIMIT , CT_INTERVAL , CT_SKIP_TIME_WAIT settings in csf.conf file. Also it is good to increase the value of DENY_IP_LIMIT in csf.conf. And to mitigate the attack rate, you can also place a reverse proxy ( like nginx or varnish http accelerator ) infront of apache ( there are some plugins available that works with cPanel ). Additionally you have an option to enable mod_qos apache module and integrate it with CSF, which will provide some means to mitigate DDOS attack against your server.

    To know which domain is under attack ( if it is HTTP ), you can look into the apache status page.

    The reason why the blocked IP can connect to the server again will be one of the followings,
    1. Either the IP has been removed from the CSF DENY list due to DENY_IP_LIMIT threshold has been hit.
    2. You have done the block manually using iptables command, which will not persists after CSF rule reload. Use the commands given above to block an IP.
    Last edited by nixtree; 10-03-2013 at 03:26 AM.

  4. #4
    i changed CT_LIMIT=20, but Load Averages: 23.77 21.85 21.00 ,and see more user httpd fullstatus |more ,i suspend some user.

    httpd fullstatus |more result

    Current Time: Thursday, 03-Oct-2013 03:54:01 EDT
    Restart Time: Wednesday, 02-Oct-2013 18:33:15 EDT
    Parent Server Generation: 45
    Server uptime: 9 hours 20 minutes 46 seconds
    Total accesses: 123324 - Total Traffic: 342.2 MB
    CPU Usage: u96.53 s385.16 cu254.66 cs0 - 2.19% CPU load
    3.67 requests/sec - 10.4 kB/second - 2909 B/request
    33 requests currently being processed, 6 idle workers

    My server 1000 domain hosted,

    How to i resolve this issue?

Similar Threads

  1. Brute-Force Attack
    By IPswing-Sarwar in forum Managed Hosting and Services
    Replies: 14
    Last Post: 07-05-2012, 01:20 PM
  2. Brute Force Attack
    By lucky12 in forum Web Hosting
    Replies: 15
    Last Post: 06-03-2012, 10:41 AM
  3. Brute Force Attack
    By turbowarp in forum Hosting Security and Technology
    Replies: 16
    Last Post: 03-19-2008, 03:12 AM
  4. Brute force attack
    By parisdns in forum Dedicated Server
    Replies: 9
    Last Post: 12-20-2004, 03:42 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts