Hello, I'm new here
I'm looking for a piece of advice on what I can do, because after 20+ hours I have finally given up.
My resources are constantly at 20% CPU and 70-99% RAM.
I'm using this command to see which IP has many connections
netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut -d: -f1 | sort -n | uniq -c | sort -n | tail -5
OK, here are a "few":
16 117.9.163.164
16 222.89.61.14
17 118.26.182.153
30 220.136.69.91
37 222.89.217.240
ALL CHINESE IPs
So you might think: simply ban them. I did! But I can ban IPs for 30+ minutes straight and it won't end.
OK, here are the steps I've done:
Installed:
APF (Great Firewall using iptables) + AntiDos active
DDoS Deflate (to ban people with more than 10 connections)
Mod_evasive (stopping too many page requests)
Mod_GEOIP (to ban Chinese IPs)
Mod_security (using GotRoot rules)
Mod_limitipconnect (limiting IPs to one connection/user)
OK, one example: I want to ban IPs with more than 10 connections (all Chinese) with DDoS Deflate:
I'll use /path/to/ddos/ddos.sh -k 10
Here's the log:
apf(17701): (trust) added deny all to/from 59.61.27.57
apf(17841): (trust) added deny all to/from 219.137.113.202
apf(18140): (trust) added deny all to/from 61.57.106.117
apf(18266): (trust) added deny all to/from 218.79.153.124
apf(18396): (trust) added deny all to/from 58.247.247.78
iptables: Resource temporarily unavailable
apf(19520): (trust) added deny all to/from 125.34.16.100
iptables: Resource temporarily unavailable
apf(19693): (trust) added deny all to/from 61.64.19.42
apf(19795): (trust) added deny all to/from 60.9.18.51
apf(19908): (trust) added deny all to/from 58.40.104.243
iptables: Resource temporarily unavailable
apf(20078): (trust) added deny all to/from 221.235.63.155
apf(20193): (trust) added deny all to/from 221.197.202.233
apf(20303): (trust) added deny all to/from 219.77.25.108
apf(20425): (trust) added deny all to/from 211.161.7.123
apf(21557): (trust) added deny all to/from 117.9.26.222
apf(21694): (trust) added deny all to/from 61.231.23.111
apf(21870): (trust) added deny all to/from 222.76.30.193
apf(21999): (trust) added deny all to/from 221.225.141.79
apf(22120): (trust) added deny all to/from 219.157.150.90
apf(22243): (trust) added deny all to/from 218.87.62.86
apf(22407): (trust) added deny all to/from 203.204.186.120
apf(23558): (trust) added deny all to/from 118.232.200.103
apf(23664): (trust) added deny all to/from 117.13.177.123
iptables: Resource temporarily unavailable
apf(23806): (trust) added deny all to/from 221.216.104.190
apf(23952): (trust) added deny all to/from 124.114.109.233
apf(24040): (trust) added deny all to/from 123.195.29.61
apf(24135): (trust) added deny all to/from 61.171.196.138
apf(24239): (trust) added deny all to/from 221.212.66.102
iptables: Resource temporarily unavailable
apf(24310): (trust) added deny all to/from 219.159.146.33
apf(24441): (trust) added deny all to/from 124.64.242.39
apf(24556): (trust) added deny all to/from 123.8.27.211
apf(25669): (trust) added deny all to/from 121.235.252.166
apf(25844): (trust) added deny all to/from 218.81.55.195
OK, great, it banned some IPs (note iptables is unavailable, but I have the APF ban active).
I can do this 100+ times and there are still IPs with more than 10 connections. Maybe I should change the ddos config to an iptables ban, but heck, I can't add 500+ IPs to iptables because the server load will dramatically increase.
ps faux (around 50 nobody processes eating up 0.1 RAM)
nobody 5575 0.0 0.1 37356 10376 ? S 06:54 0:00 \_ /usr/local/ap
Please note that I'm a Linux server newbie, but the modules are all correctly set up, except maybe limitipconnect.
If anyone can help me, that would be awesome. I can't think of any other way to fix it, and I have no clue why they are DDoSing my server. The hosting staff said they are also brute-forcing cPanel, but "\_ /usr/local/ap" doesn't look like cPanel to me.
Yesterday they might have tried that because I saw something like apache -dssl.
Thanks,
Oliver
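The netstat one-liner in the post counts every row whose foreign address appears on port 80, regardless of TCP state, so a client that closed many short connections (leaving TIME_WAIT entries on the server) shows the same count as one holding open connections or flooding SYNs. The script below is an added example, not code from the post or from any of the tools named in it. It does what the one-liner does (count foreign addresses talking to local port 80) and adds the per-state breakdown that the one-liner throws away, so the count used for a ban decision can be restricted to states that actually consume server resources. The netstat output is constructed for the example; the IP addresses in it are documentation ranges, not real hosts. It also handles the IPv4-mapped IPv6 form (`::ffff:a.b.c.d:port`) that `cut -d.` in the one-liner would mangle.

```python
"""Count per-source connections to port 80 from `netstat -na` output.

Added example for the thread above (not the poster's code). It reproduces the
one-liner's count and adds a breakdown by TCP state, so that a burst of
TIME_WAIT rows is not mistaken for an attacker holding open connections.
"""
from collections import Counter, defaultdict

# Constructed sample in the layout of `netstat -na` on Linux. Addresses are
# from RFC 5737 documentation ranges; this is not real traffic.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.9:40003       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.50:60000      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51237 ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# States in which the peer is holding, or trying to open, a connection. TIME_WAIT
# is deliberately excluded: it is a closed connection lingering on the server.
ACTIVE_STATES = {"ESTABLISHED", "SYN_RECV", "CLOSE_WAIT"}


def split_host_port(addr):
    """Split 'host:port' on the last colon so IPv6 hosts survive; unmap ::ffff: addresses."""
    host, _, port = addr.rpartition(":")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host, port


def parse_connections(netstat_text, local_port=80):
    """Yield (foreign_ip, state) for each TCP row whose local port matches."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header lines, UDP rows (no State column) and short rows are skipped.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        _, local_port_str = split_host_port(fields[3])
        foreign_host, foreign_port = split_host_port(fields[4])
        # The LISTEN socket has foreign address 0.0.0.0:* and is not a peer.
        if local_port_str != str(local_port) or foreign_port == "*":
            continue
        yield foreign_host, fields[5]


def count_by_ip(netstat_text, local_port=80, states=None):
    """Connections per foreign IP. states=None counts every row, as the one-liner does;
    pass ACTIVE_STATES to count only connections the peer is actually holding."""
    counts = Counter()
    for ip, state in parse_connections(netstat_text, local_port):
        if states is None or state in states:
            counts[ip] += 1
    return counts


def state_breakdown(netstat_text, local_port=80):
    """Per-IP dict of {state: count}, the detail the one-liner discards."""
    per_ip = defaultdict(Counter)
    for ip, state in parse_connections(netstat_text, local_port):
        per_ip[ip][state] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


def over_threshold(counts, threshold):
    """IPs with more than `threshold` connections, busiest first (the DDoS Deflate -k rule)."""
    return sorted((ip for ip, n in counts.items() if n > threshold),
                  key=lambda ip: (-counts[ip], ip))


if __name__ == "__main__":
    raw = count_by_ip(SAMPLE_NETSTAT)
    active = count_by_ip(SAMPLE_NETSTAT, states=ACTIVE_STATES)
    detail = state_breakdown(SAMPLE_NETSTAT)
    print("raw count (like the one-liner) above 2:", over_threshold(raw, 2))
    print("active-state count above 2:", over_threshold(active, 2))
    for ip in sorted(detail):
        print(f"{ip:>16}  {detail[ip]}")
```

Run it on real data with `netstat -na | python3 this_script.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`. In the sample, 203.0.113.9 crosses the threshold on the raw count but has zero active connections, so a ban keyed on the raw count would hit a client that has already gone away; 198.51.100.7 is above the threshold on both counts and is the one worth looking at. On the concern in the post that 500+ individual iptables rules will raise server load: each rule in a chain is matched in sequence, so a long list of per-IP DROP rules does cost CPU on every packet. The standard fix is to put the addresses in an ipset hash set and reference it from a single `iptables -m set --match-set` rule, which keeps the lookup cost constant however many addresses are listed.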