Web Hosting Talk : Web Hosting Main Forums : Dedicated Server : Help! My server is being attacked!

[arrty]

Hi guys,
I would really appreciate it if someone helps me solve a mystery. I have a Cobalt Raq3 and have noticed that in the pas one hour i have recieved 10 hits per second from this IP address 24.4.254.195. I don't know what this person is trying to do but he is visiting the same webpage (on my server) a thousand times and counting. Could you please tell me what to do about it and if it is a big danger.

Thanks in advance.

----------
added:
----------
This guy has been loading a webpage from my server for more than an hour now. Please help me block and secure my server from such attacks. I still have no clue as to why he is doing this and what he intends to do.

[webbcite]

Open a telnet session and do the following:

1. /sbin/route add -host 24.4.254.195 reject

This will block the ip from your route table.

2. add the following line to your /etc/hosts.deny file:

ALL: 24.4.254.195

Using these two commands will block the IP from services...unfortunately I don't believe it will block port 80 webserver.

Maybe someone else might have some ideas?

[arrty]

I'll try that.


thanks

[arrty]

webbcite,
I followed your instructions but the http requests are still coming in.

Thanks

Please does any one else have a solution to this. And it is serious?

[Steve33]

That IP resolves to proxy2-external.alntn1.tx.home.com
I would say it is a definite attack.

For now until you get better advice I would simply deny them by adding the following line to the htaccess file in the directory of the page they are requesting:
Deny from 24.4.254.195
It wont stop requests being made to the server but at least it wont hog the bandwidth because they will get a permission denied error instead of the page.

Then I would take a sample of the requests from the log file and send them to your hosting company and abuse@home.com

[Palm]

Check this out and also check the abuse e-mail:

http://www1.dshield.org/ipinfo.php?i...&Submit=Submit

[arrty]

I added this line to .htacces but does'nt block it
Deny from 24.4.254.195

is it supposed to be exactly like this?

[Steve33]

Quote:

Originally posted by arrty
I added this line to .htacces but does'nt block it
Deny from 24.4.254.195

is it supposed to be exactly like this?

How do you know its not getting blocked? If its working you should get something like "client denied by server configuration"
in your logs.

If its not working did you just create the .htaccess file or was one already there? If you just created it make sure its named .htaccess not htaccess

You should have something like this:

<Limit GET POST>
order allow,deny
deny from 24.4.254.195
allow from all
</Limit>

[arrty]

Quote:

<Limit GET POST>
order allow,deny
deny from 24.4.254.195
allow from all
</Limit>

This does'nt work either

I have HumanClick monitor installed on each page so I can see in realtime who is at my website and which page.

[davidb]

check pm,

[arrty]

This guy is getting on my nerve now. He is going to use up all my bandwith. I need to block him asap.

please can someone tell me how to block the IP
24.4.254.195
Host: proxy2-external.alntn1.tx.home.com

[RackMy.com]

You should use ipfwadm. I am not sure the exact command, but that should do it for you and allow you to block that IP.

Hope that helps!

[bert]

arrty,

If you have not yet been able to block it, create your htaccess file like this:

# Access file
order allow,deny
Deny from XX.XX.XX.XX <<<<<<<<<<<<<<<< HIS IP HERE
allow from all

Make sure you save it as ".htaccess"

Also, if you entered the ip in the /etc/hosts.deny file, I think you will have to reboot the server for the changes to take effect. I am not sure though, but it might be worth rebooting.

Good luck

[NyteOwl]

A call to HOME.COM's support/service/abuse number would be a good idea too. They get hurt by people like this too and if s/he is doing it to you chances are they're doing it to others. HOME.COM can likely check their logs and close the user account.

[arrty]

Thanks All,
You guys have been of great help. The problem is solved now and the requests stopped coming from this IP by itself. But the knowledge I have gained here will definately help me the next time such a problem occurs.