#1
Apache being attacked - ASAP
I run my business website from my home, and yesterday I got over 10,000 hits on it - all illegitimate traffic.
As soon as I start Apache up on the server my bandwidth starts getting eaten up. How in the heck do I fix this? Is this something in ipchains I can specify so people can't use GET things like that to bog down my server?
Screens:
Please help ASAP... Thanks in advance to anyone who helps, this place is always great - and thank you panther since I'm sure you're probably the first one to respond
__________________
- My: Drawings, rants, raves, my cat, designs, and everything else i want to put on the net. Free Teamspeak servers: http://gamersnetwork.us/ |
#2
Do you have any physical security devices? i.e. firewalls?
Edit: Which version of Apache do you have? And which patches are installed on it?
Edit #2: Oh and which OS are you running Apache HTTP on?
Last edited by DevilDog#1; 01-29-2006 at 11:40 AM.
#3
Mandrake 9.2
The Apache that comes with it [2.x]. Firewalled router only has port 80 open to that... Right now I've moved it over to a different box, CentOS 4, SELinux, firewalled hardware + software, Apache hardened, and looks like it's stopped.
#5
Although it's annoying there is not much you can do about it as they do look like legit requests, even though they are not.
I can only think of two things: block each and every IP that it comes from (will take a while) or you can look into an Apache mod called MOD Security. I've never used it but there are a lot of things you can do with it to protect yourself. To help build a list of IPs to ban more easily there is a script called LogWatch (I think that's what it is) and it will tally each entry in the log and give you the IP addy plus how many times it made a connection. Make sure you look up each IP before you ban it though (http://www.dnsstuff.com) to make sure you're not banning anyone trying to do business. IPChains (IP Tables?) may have something in it, but I am not very fluent with either since I always used a separate program for simplicity.
__________________
04' Dodge SRT-4, Mopar Stage 3, 406whp/436wtq |
#6
Oh and when you find out what fixed it eventually let us know too please
#7
I will, hardening the new server fixed the major bandwidth issues I was having but I'm still getting those ungodly amounts of requests (which in turn is creating massive log files x.x)
-- looking into what P said and going to block them
#8
Maybe one or more sites you're hosting have streaming media on them?
#9
I'm only hosting my one business site - seems like I'm getting hit by proxies a fck load though
Here's some of the list so far - I need to see if this gets rid of them
Code:
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 218.89.53.168 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 12.208.236.118 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 129.240.91.6 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 194.29.137.71 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 195.182.138.206 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.104.137.12 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.104.137.13 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.104.137.14 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.104.137.15 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.65.144.236 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 200.125.51.54 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 200.125.51.64 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 201.132.37.108 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 201.217.190.80 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 202.201.11.200 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 202.229.212.142 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 136.188.0.29 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 203.136.188.29 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 66.246.252.0/255.255.255.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.122.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.141.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.184.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.188.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 222.89.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 64.200.20.114 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 66.230.178.26 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 207.46.250.119 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 207.46.130.108 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 213.83.55.1 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 66.28.56.152 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 82.92.34.5 -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -s 130.117.156.231 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 130.117.156.232 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 130.117.156.233 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 130.117.156.234 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 64.200.20.114 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 66.230.178.26 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 213.83.55.1 -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 82.92.34.5 -p tcp -m tcp --dport 80 -j DROP
#10
Maybe business is picking up?
#11
Well I'm using iptraf to monitor kbytes out - and it looks like visits/hour has gone down as well as bandwidth usage. I'm just watching TCP/IP traffic and blocking any Asian IPs I see [221 222 223 etc >.<] or any unusual activity I see going on.
#12
http://www.apnic.net/index.html your friends and their pictures. (http://www.apnic.net/info/staff/index.html)
#13
x.x;
#14
Quote:
kinda has the feel of an anonymous proxy providing site / address / server.
#15
Quote:
EDIT: I know our squad site had a MySQL security issue where it was bogged down by queries till it stopped allowing it, and it seems as if Kirk*MFA* made it stop (might have been his connection with FBI though lol). But we have never had any problem since. Might be a good thing to ask him if he knows a way to prevent this (the server has moved to the inner core of the network though so it might be that). But it might be a good thing to talk to him as he works for a big hosting company that is aimed at professional business hosting. Can be reached here: http://dfmafia.net/forums
Last edited by SilentTrigger; 01-30-2006 at 11:22 AM.
#16
Thanks Trig I think I will, but right now the problem seems to be fixed. I put up a hardware firewall, ran ipchains firewall, enabled SE [security enhanced] Linux for CentOS4 and limited port activity to TCP 80, UDP/TCP 1716-1717 (AA server) and bandwidth out is about .4Kbytes a sec which is much better than the 60KB/sec I had on the other server.
Only problem: Instead of them [the attackers] being able to use my server as a proxy [which they were doing] I'm now getting tons and tons of 404 errors from them.
Little thing from Webalizer when run:
200 OK : 200 someodd hits
404 Error [lol] : 109,000+
hehehe Whatever I did I think I fixed it except for that minor annoyance.
__________________
- My: Drawings, rants, raves, my cat, designs, and everything else i want to put on the net. Free Teamspeak servers: http://gamersnetwork.us/ |
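The log tally suggested in post #5 and the proxy abuse described in post #16, combined in an added example that is not part of the thread: it counts requests per client address and flags requests that ask the server to fetch from or tunnel to another host, then renders rules in the form posted in #9. The hostname `www.example.com`, the sample log lines, the `min_proxy` threshold and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Apache common/combined log prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
OWN_HOSTS = {"www.example.com"}  # assumption: hostname of the site being served

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jan/2006:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [29/Jan/2006:10:00:03 -0500] "GET http://other.example.net/a HTTP/1.0" 404 210
198.51.100.7 - - [29/Jan/2006:10:00:04 -0500] "GET http://other.example.net/b HTTP/1.0" 404 210
198.51.100.7 - - [29/Jan/2006:10:00:05 -0500] "POST http://other.example.net/c HTTP/1.0" 404 210
203.0.113.9 - - [29/Jan/2006:10:00:06 -0500] "CONNECT mail.example.org:25 HTTP/1.0" 405 0
203.0.113.9 - - [29/Jan/2006:10:00:07 -0500] "CONNECT mail.example.org:25 HTTP/1.0" 405 0
203.0.113.50 - - [29/Jan/2006:10:00:08 -0500] "GET http://www.example.com/ HTTP/1.1" 200 5120
not a log line
"""

def is_proxy_attempt(method, target):
    """True when the request asks this server to fetch from or tunnel to another host."""
    m = re.match(r"https?://([^/:]+)", target, re.I)
    return method == "CONNECT" or (bool(m) and m.group(1).lower() not in OWN_HOSTS)

def tally(log_text):
    """Return {ip: Counter} with hits, proxy attempts and 404s per client address."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        c = stats.setdefault(m["ip"], Counter())
        c["hits"] += 1
        c["proxy"] += is_proxy_attempt(m["method"], m["target"])
        c["not_found"] += m["status"] == "404"
    return stats

def ban_candidates(stats, min_proxy=2, allow=()):
    """Addresses with repeated proxy attempts, busiest first, minus reviewed ones."""
    picked = [ip for ip, c in stats.items() if c["proxy"] >= min_proxy and ip not in allow]
    return sorted(picked, key=lambda ip: -stats[ip]["hits"])

def drop_rules(ips):
    """Render rules in the same form as the list posted in the thread."""
    return [f"-A INPUT -s {ip} -p tcp -m tcp --dport 80 -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(ban_candidates(tally(SAMPLE_LOG)))))
```

Addresses that turn out to belong to customers after the lookup recommended in post #5 go in the `allow` argument so they never reach the rule list.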
#17
lmao that's a few 404 errors! Well seems like it was sorted out then! I'm pretty sure you will continue to get them till they realize it's not there anymore. Which might be a while knowing how stupid some people are hehe
Good thing that you got a hardware firewall, software is good but a hardware firewall is so much more secure, doesn't matter if it's a router or a dedicated firewall, will do a better job than a software one either way! Have a hardware one myself, as well as software (can call me a bit paranoid lol, but I like my server and other computers on the network to be secure! the server is rarely online though lol)
#18
Heh, it's up to about 140k 404's now, but it looks like hits are dropping down - I'm getting about 100 [visits is what Webalizer calls them] per hour, it's still about 1100 visits per day though, which is a little high.
#19
yeah, well i hope the 404 spamming stops lol