  1. #1

    * Need advice on type of attack

    Hello,

    Today one of my web servers, which was running cPanel with Apache, was facing high load. I found an IP was doing an HTTP GET type of attack; it had around 250 connections. I was able to stop HTTP, block the IP and then restart, which stopped the attack. I had CSF installed too, but I think due to the very high load on the server CSF couldn't do anything. Can anyone advise how I can prevent this type of attack before someone makes 10 connections to my server, or is there no other way than getting an anti-DDoS service? Also, if Apache were tweaked to handle more connections, would that suffice?

    I had more than 500 entries in the log like this:

    attacker IP - - [04/Aug/2009:12:49:31 -0400] "GET / HTTP/1.1" 200 46830 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"

    I see that he wasn't even getting a file. If someone knows what this could be, please advise.
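
As an added example that is not part of the original posts: a Python script that scans access-log lines in the format quoted above for a per-IP request flood. The threshold of 150 is borrowed from the default mentioned in the replies (there it counts open connections, here it counts logged requests); the 60-second window, the function names and the sample addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log prefix: client, identd, user, [timestamp], "request"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def parse_line(line):
    """Return (ip, datetime, request), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group(1), ts, m.group(3)

def find_flooders(lines, threshold=150, window=60):
    """Map each IP that sent >= threshold requests within any `window`
    seconds to the highest request count seen in one window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines instead of failing
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()           # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def deny_lines(flooders):
    """Format results as 'IP # comment' lines (csf.deny style) for review."""
    return [f"{ip} # {n} requests in one window" for ip, n in sorted(flooders.items())]

def sample_log():
    """Constructed sample: 203.0.113.7 floods GET /, 198.51.100.20 is normal."""
    ua = '"-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"'
    flood = [f'203.0.113.7 - - [04/Aug/2009:12:49:{s:02d} -0400] '
             f'"GET / HTTP/1.1" 200 46830 {ua}' for s in range(30, 50) for _ in range(10)]
    normal = [f'198.51.100.20 - - [04/Aug/2009:12:{m:02d}:05 -0400] '
              f'"GET /index.html HTTP/1.1" 200 5120 {ua}' for m in range(40, 50)]
    return flood + normal + ["garbage line that is not a log entry"]

if __name__ == "__main__":
    print("\n".join(deny_lines(find_flooders(sample_log()))))
```

The output is meant to be reviewed before anything is added to a deny list, since a proxy or NAT gateway can legitimately exceed a per-IP threshold.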

  2. #2
    Try

    wget http://www.inetbase.com/scripts/ddos/install.sh
    chmod 0700 install.sh
    ./install.sh

    And you need to make changes to the conf to suit your preferences (the default values ban an IP with 150 connections (or more) for 600 seconds and run the script every minute).
    Webgater.CoM - Cheap FullyManged Unmetered VPS , Master Reseller ,
    Reseller and Webhosting.
    Tomer A

  3. #3
    Thanks webgater Network, will try that.

    I notice it works with APF for a permanent ban; how can I get it to work with CSF?

    If I use the iptables option, it will be gone when it gets flushed, right?

  4. #4
    You have connection tracking enabled in CSF? CSF should ban connection if connection tracking is enabled. It seems it has always worked for me.

  5. #5

    hope any one helps

    1st way
    ______

    iptables -A INPUT -s x.x.x.x -j DROP

    2nd way
    _______

    1) Log in to the server via shell access.
    2) Go to the path of CSF firewall. It should be:
    /etc/csf
    3) Edit the file csf.deny.
    vi csf.deny
    4) Add the IP address in the list and save the file to block the IP address.

    3rd way
    _______


    cPanel -> IP Deny Manager only blocks people from visiting the websites on that specific cPanel account. You may want to use the Host Access Control feature in WHM for a broader ban on that IP.

  6. #6
    NicAddress

    I just noticed that, it was enabled, I enabled that as well. Let's see how this goes. Thanks for all your suggestions.

  7. #7
    Good deal.. let us know how it works out.

    You should not be running CSF and APF together.

  8. #8
    Quote: Originally posted by webgater Network
    try

    wget http://www.inetbase.com/scripts/ddos/install.sh
    chmod 0700 install.sh
    ./install.sh

    and you need to make changes to the conf to suit your preferences (The default values ban an ip with 150 connections (or more) for 600 seconds and run the script every minute)

    conf

    pico /usr/local/ddos/ddos.conf

    APF_BAN=1
    [email protected]
    BAN_PERIOD=600    # change 600 to the time you need

    /usr/local/ddos/ddos.sh -c
    iptables -F

    pico /etc/rc.d/rc.local

    ## Add the following lines at the bottom of the file
    /usr/local/ddos/ddos.sh -c

    ConfigServer Firewall

    cd /usr/src
    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    rm -rf csf.tgz
    cd csf
    sh disable_apf_bfd.sh
    sh install.sh

    log from WHM
    Firewall Configuration
    TESTING = 0
    AUTO_UPDATES = 1

    then

    Firewall Security Level
    Medium

  9. #9
    Don't forget to add more time to the temp ban or even make it permanent in CSF.
