-
09-01-2014, 01:53 PM #1 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
Getting low volume DDoS or brute force
Hello guys,
It's me again.
My VPS is kind of getting DDoS or brute-force attacks.
I am not sure what I am getting, but I am getting something, since my CPU usage is getting higher every day.
I am running nginx, PHP-FPM, Varnish and MariaDB on Debian.
I am using ConfigServer as my firewall.
Here are my stats:
ConfigServer blocks UDP from various IP addresses.
How can I be sure what I am getting? Have any of you experienced ConfigServer before?
When I view the VNC console from DigitalOcean I see live firewall stats, but I can't view them when logged in via SSH.
CPU is relatively high on php-fpm; does that mean I am getting brute-forced (WordPress login page)?
I am new to Linux. I am looking forward to hearing what you say, so that I can dig deeper into this issue.
-
09-01-2014, 02:04 PM #2
I wouldn't call it DDoS; check: http://en.wikipedia.org/wiki/Denial-of-service_attack.
Have a look at the access log. Look for anything unusual, like a high number of requests per IP. Our customers tend to have similar problems because of bots trying to abuse their WordPress sites.
Clouvider Limited; Leading USA & Europe Cloud Hosting Solution Provider
Web hosting in Cloud | VPS servers in 8 Datacenters with Intel Xeon and AMD Epyc CPUs | Private Cloud | Dedicated Servers | Colocation | Managed Services
100% Uptime Guarantee | Fully Redundant | 24/7 Technical Support
-
09-01-2014, 02:14 PM #3 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
Would renaming wp-login.php to wp-something.php solve the issue temporarily?
-
09-01-2014, 02:15 PM #4
Yes, but it would also prevent you and visitors from logging in. Try to block attackers on firewall instead.
-
09-01-2014, 02:27 PM #5 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
I found this: http://forum.configserver.com/viewtopic.php?t=6235
but it's Apache-oriented.
WordPress should have something built in; it should offer us a custom login URL during installation. I know some plugins fake that, but they're not dependable at the moment.
-
09-01-2014, 02:29 PM #6
There are pros and cons to using nginx, unfortunately. It is not for everything and not for everyone.
-
09-01-2014, 03:18 PM #7 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
I renamed all wp-login files, but the CPU usage is still high.
When somebody tries to connect to wp-admin or wp-login.php they get a 404 error (as expected).
As I said, CPU usage did not drop. What can cause high CPU (php-fpm) usage? How can I identify it?
-
09-01-2014, 03:43 PM #8 Web Hosting Master (Join Date: May 2011, Location: /root, Posts: 630)
The stats do not show that it's a DDoS. Did you check the domain's access logs to see what scripts are being hit the most? Are there indeed hits for wp-login.php? It may also be one of your plugins causing high PHP usage. Do you have any cache plugins implemented or any PHP cache plugins?
|| Tecsys Solutions LLC | Outperforming the Performers!! ||
|| Outsourced Server Management and Technical Support Solutions ||
|| Now Offering Secure Managed VPS and Dedicated Servers specially setup for Hosting Providers ||
|| https://www.24x7TechnicalSupport.net || https://www.mxv.net ||
-
09-01-2014, 03:45 PM #9 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
127.0.0.1 - - [01/Sep/2014:22:23:06 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:07 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:08 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
127.0.0.1 - - [01/Sep/2014:22:23:09 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:09 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:10 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:10 +0300] "POST /xmlrpc.php HTTP/1.1" 200 230 "-" "-"
127.0.0.1 - - [01/Sep/2014:22:23:11 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:11 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:11 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
127.0.0.1 - - [01/Sep/2014:22:23:12 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:13 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:13 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:13 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
127.0.0.1 - - [01/Sep/2014:22:23:13 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:14 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:14 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
127.0.0.1 - - [01/Sep/2014:22:23:15 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:16 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
127.0.0.1 - - [01/Sep/2014:22:23:16 +0300] "POST /xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
I use APC and Varnish, and W3 Total Cache as a plugin.
-
09-01-2014, 03:48 PM #10 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
Maybe this is what I am getting? WordPress xmlrpc DDoS attack? lol?
https://isc.sans.edu/forums/diary/Wo...+Attacks/17801
-
09-01-2014, 03:50 PM #11 Web Hosting Guru (Join Date: Jul 2013, Posts: 296)
It seems an abuser is trying to use your WordPress to make DDoS attacks. The attack is called an XML-RPC attack and uses an XML-RPC bug to attack a victim. If you are using the latest WP update it is fixed, but it is better to disable XML-RPC in WP.
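An added example, not code from any poster in this thread, to make the "abused blog as attack source" mechanism above concrete. The access log only records "POST /xmlrpc.php"; the method being invoked is inside the request body. WordPress's pingback.ping(sourceURI, targetURI) makes the blog download sourceURI to check that it links to targetURI, so an attacker puts the victim in sourceURI and one of the blog's own posts in targetURI, and every request becomes an outbound fetch from this server to the victim. The script goes slightly beyond the post by also unwrapping system.multicall, which bundles several calls into one request. All request bodies, the hostnames blog.example, victim.example and other-blog.example, and the per-host limit are constructed assumptions.

```python
"""Tell a pingback flood from ordinary use by looking inside POST /xmlrpc.php bodies.

Added example for this thread, not code from any poster. All request bodies
and hostnames below are constructed.
"""
import xmlrpc.client
from collections import Counter
from urllib.parse import urlsplit


def unpack_calls(body):
    """Return [(method_name, params), ...] for one XML-RPC request body.

    system.multicall bundles many calls into one request; unwrap it so each
    inner call is inspected on its own. Unparseable bodies yield [].
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return []
    if method == "system.multicall" and params and isinstance(params[0], list):
        return [(call.get("methodName", ""), tuple(call.get("params", ())))
                for call in params[0] if isinstance(call, dict)]
    return [(method, params)]


def pingback_sources(body):
    """Hosts this blog would fetch if it honoured the pingbacks in `body`.

    pingback.ping(sourceURI, targetURI) asks the blog to download sourceURI and
    verify that it links to targetURI. The victim therefore shows up as the
    host of sourceURI, not of targetURI.
    """
    hosts = Counter()
    for method, params in unpack_calls(body):
        if method == "pingback.ping" and len(params) >= 2 and isinstance(params[0], str):
            host = urlsplit(params[0]).hostname
            if host:
                hosts[host] += 1
    return hosts


def triage(bodies, per_host_limit=10):
    """Aggregate sourceURI hosts over many bodies; return (host, count) at or above the limit."""
    hosts = Counter()
    for body in bodies:
        hosts.update(pingback_sources(body))
    return [(h, n) for h, n in hosts.most_common() if n >= per_host_limit]


def build_call(method, *params):
    """Serialise a methodCall the way an XML-RPC client would (used to build the samples)."""
    return xmlrpc.client.dumps(params, methodname=method)


# --- constructed samples (assumed hostnames, not from the thread) ---------------
BLOG = "http://blog.example/2014/09/hello-world/"   # an existing post on the abused blog
VICTIM = "http://victim.example/"                     # whoever the flood is aimed at

LEGIT_PINGBACK = build_call("pingback.ping", "http://other-blog.example/p/7", BLOG)
APP_LOGIN = build_call("wp.getUsersBlogs", "admin", "secret")   # a mobile app, not a pingback
ATTACK_BODIES = [build_call("pingback.ping", f"{VICTIM}?{i}", BLOG) for i in range(12)]
MULTICALL_ATTACK = build_call("system.multicall", [
    {"methodName": "pingback.ping", "params": [f"{VICTIM}?m{i}", BLOG]} for i in range(5)
])
ALL_BODIES = [LEGIT_PINGBACK, APP_LOGIN, MULTICALL_ATTACK, *ATTACK_BODIES]

if __name__ == "__main__":
    for host, n in triage(ALL_BODIES):
        print(f"{n} pingbacks would make this server fetch {host}")
```

To use it on a live box you would feed it the bodies captured in front of PHP (for example from Varnish with a request-body logging VCL, or from a php-fpm access log with the body appended); the script itself is offline and only consumes the constructed samples above.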
-
09-01-2014, 03:52 PM #12 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
OK, now I am giving it a try; let's see what will happen.
By the way, the nginx access log gives 127.0.0.1 as the abuser, because Varnish serves the requests.
I think that to check who the attacker is I should read the Varnish access logs.
I will keep this post updated.
-
09-01-2014, 03:53 PM #13 Web Hosting Master (Join Date: Dec 2005, Posts: 3,110)
You can use the location configuration option in nginx to temporarily block access to files which are being targeted, and whitelist specific IPs. This will block the activity before it reaches PHP and help get things under control.
e.g. add this to your server{} section.
Code:
# Block the targeted file in nginx itself, before the request reaches php-fpm.
# nginx uses the first regex location that matches, in file order, so this
# block must come before the generic "location ~ \.php$" block.
location ~ ^/(xmlrpc\.php) {
    allow yourip;   # your own address, so you can still reach the file
    deny all;       # everyone else gets a 403
}
-
09-01-2014, 03:58 PM #14 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
Here's the mofo from the Varnish access log:
Code:
195.154.126.240 - - [01/Sep/2014:22:54:43 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [01/Sep/2014:22:54:43 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [01/Sep/2014:22:54:44 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.126.240 - - [01/Sep/2014:22:54:45 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [01/Sep/2014:22:54:45 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.105.219 - - [01/Sep/2014:22:54:48 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.126.240 - - [01/Sep/2014:22:54:49 +0300] "POST http://178.62.153.4/xmlrpc.php HTTP/1.0" 301 184 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
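An added example, not code from anyone in this thread, that ties together the advice in post #2 (count requests per IP in the access log) and the point in post #12 (behind Varnish, nginx records 127.0.0.1 for every client, so the real addresses are only in the Varnish log). The script parses combined-format lines from either log, normalises the absolute request-URI that varnishncsa writes ("POST http://178.62.153.4/xmlrpc.php") down to a path so both logs count the same way, ranks clients by requests per path per minute, and flags a log as useless for attribution when every client in it is loopback. The sample lines are constructed, modelled on the entries quoted in posts #9 and #14; the limit of 20 requests per minute and the third address 203.0.113.7 are assumptions.

```python
"""Rank the clients behind a flood of POST /xmlrpc.php from nginx or Varnish access logs.

Added example for this thread, not code from any poster. Parses combined-log
format lines (nginx's default 'combined' format and varnishncsa's default
output). Sample lines are constructed, modelled on the entries in the thread.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
LOOPBACK = {"127.0.0.1", "::1"}


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # varnishncsa logs the absolute request-URI ("POST http://host/xmlrpc.php"),
    # nginx logs only the path. Reduce both to the path so the counts line up.
    rec["path"] = urlsplit(rec["target"]).path or "/"
    rec["status"] = int(rec["status"])
    # "01/Sep/2014:22:54:43 +0300" -> "01/Sep/2014:22:54": one bucket per minute.
    rec["minute"] = rec["time"].split(" ")[0].rsplit(":", 1)[0]
    return rec


def analyse(lines, per_minute_limit=20):
    """Summarise a log.

    Returns a dict with:
      by_path       Counter of requests per path
      by_ip         Counter of requests per client IP
      offenders     (ip, path, minute, count) tuples at or above the limit, busiest first
      behind_proxy  True when every client IP is loopback: the log was written behind
                    Varnish and cannot tell you who the attacker is
    """
    by_path, by_ip, buckets = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_path[rec["path"]] += 1
        by_ip[rec["ip"]] += 1
        buckets[(rec["ip"], rec["path"], rec["minute"])] += 1
    offenders = sorted(
        ((ip, path, minute, n) for (ip, path, minute), n in buckets.items()
         if n >= per_minute_limit),
        key=lambda t: -t[3],
    )
    behind_proxy = bool(by_ip) and set(by_ip) <= LOOPBACK
    return {"by_path": by_path, "by_ip": by_ip,
            "offenders": offenders, "behind_proxy": behind_proxy}


# --- constructed sample logs, modelled on posts #9 and #14 ----------------------
UA = "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"


def _line(ip, method, target, status, size, second, ua=UA):
    return (f'{ip} - - [01/Sep/2014:22:54:{second:02d} +0300] '
            f'"{method} {target} HTTP/1.0" {status} {size} "-" "{ua}"')


# What Varnish sees: the two attacking hosts plus a little legitimate traffic
# (203.0.113.7 is an assumed address from the documentation range).
VARNISH_SAMPLE = (
    [_line("195.154.126.240", "POST", "http://178.62.153.4/xmlrpc.php", 301, 184, s % 60)
     for s in range(30)]
    + [_line("195.154.105.219", "POST", "http://178.62.153.4/xmlrpc.php", 301, 184, s % 60)
       for s in range(25)]
    + [_line("203.0.113.7", "GET", "http://178.62.153.4/", 200, 5120, s, "Mozilla/5.0")
       for s in (5, 17, 42)]
)
# The same requests as nginx logs them behind Varnish: every client is 127.0.0.1
# and the target is just a path.
NGINX_SAMPLE = [ln.replace(ln.split(" ", 1)[0], "127.0.0.1", 1)
                .replace("http://178.62.153.4", "", 1) for ln in VARNISH_SAMPLE]

if __name__ == "__main__":
    for name, sample in (("varnish", VARNISH_SAMPLE), ("nginx", NGINX_SAMPLE)):
        r = analyse(sample)
        print(f"{name}: behind_proxy={r['behind_proxy']} top paths={r['by_path'].most_common(2)}")
        for ip, path, minute, n in r["offenders"]:
            print(f"  {ip} -> {path}: {n} requests in minute {minute}")
```

On a real box, feed it `sys.stdin` or the lines of /var/log/varnish/varnishncsa.log; the IPs it reports are the ones to hand to the firewall (or to the allow/deny list in the nginx location block from post #13).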
-
09-01-2014, 04:32 PM #15 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
Your code worked, thank you very much, and thanks to all who helped me figure out what's going on.
BTW: the WordPress disable-xml-rpc-pingback plugin didn't do anything good: https://wordpress.org/plugins/disable-xml-rpc-pingback/
-
09-05-2014, 11:57 AM #18 Newbie (Join Date: Mar 2013, Posts: 8)
It should work well.
-
09-05-2014, 04:16 PM #19 Newbie (Join Date: Oct 2012, Posts: 21)
Have you tried Cloudflare? Try it: add your domain and put it in "Under Attack" mode. Hopefully they're DDoSing your domain, not your direct IP; if they're attacking your domain it should be easier to stop.
-
09-05-2014, 04:28 PM #20 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
Their actual DDoS protection plan starts from $200/month; that's quite expensive.
-
09-05-2014, 04:36 PM #21 Newbie (Join Date: Oct 2012, Posts: 21)
Their free package is very good if you have the right configuration in your DNS settings, which will not allow attackers to find your IP by using resolvers. Their "Under Attack" mode can only be bypassed by a limited number of people, but the free package should protect this user from most attacks.
-
09-05-2014, 05:50 PM #22 Web Hosting Guru (Join Date: May 2014, Location: Turkey, Posts: 261)
I use SSL, therefore it's not impossible to hide the IP with the Cloudflare basic/free plan.