Apache - Need help stopping possible DoS attack

Postby Doogee » Mon Feb 02, 2004 2:54 am

A friend of mine recently spoke to a person who told them they were making a script to connect to my server and make like 500 requests in 30 seconds.

As far as I understand this could oops up my server pretty bad, especially seeing the server is only on a 512/128 connection (I think the guy who plans to do it is on the same).

Basically I need to know what I can do in the httpd.conf to stop this, or limit it to a point. I have changed my maxrequests keepalive to "35" but I'm sure there is more I can do.

Unfortunately I have no firewall (except my router, but it's open on the webserver port, obviously) so I need to limit this through httpd.conf.

Please, it's pretty urgent, has anyone got ideas?
Doogee
administrator
Posts: 261
Joined: Fri Jan 10, 2003 1:40 am

Postby Void Main » Mon Feb 02, 2004 12:04 pm

You should have iptables installed, in which case you can block his IP address. In fact you can block IP addresses right in the Apache config, but I prefer blocking with iptables and preventing them from connecting to any port on my machine if they are butt heads. I do believe I have seen connection limit configurations for Apache but I don't know them off the top of my head. I'll do some searching this evening if you haven't found it.
Void Main
Site Admin
Posts: 5705
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Postby Doogee » Mon Feb 02, 2004 2:48 pm

He has a dynamic IP. And also I haven't even found out what his IP is yet. :wink:
Doogee

Postby Void Main » Mon Feb 02, 2004 4:58 pm

Look in your logs. The default log for Apache would be /var/log/httpd/access_log. Use cat, grep, cut, sort -u, wc -l, etc., to determine who is hitting you hard and block them. You can block his whole range of IP addresses. I'm still not home, so I'll check later to see if I can find anything more.
Void Main
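The log digging Void Main describes, written out as an added example (not a script from the thread). It assumes Apache's common/combined log format, where field 1 is the client address and field 4 is the bracketed timestamp, and it works on a small access log constructed here for the demonstration rather than on anyone's real server log. Besides counting total hits per address, it looks for the exact thing the original post worries about: one address sending a burst of requests inside a single clock minute.

```shell
#!/bin/sh
# Added example: find who is hitting an Apache access_log hardest.
# Log format assumed: common/combined ($1 = client IP, $4 = "[dd/Mon/yyyy:HH:MM:SS").
# The lines below are constructed sample data, not a real server log.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [02/Feb/2004:02:54:01 +0000] "GET / HTTP/1.0" 200 512 "-" "curl/7.10"
203.0.113.7 - - [02/Feb/2004:02:54:01 +0000] "GET / HTTP/1.0" 200 512 "-" "curl/7.10"
203.0.113.7 - - [02/Feb/2004:02:54:02 +0000] "GET / HTTP/1.0" 200 512 "-" "curl/7.10"
198.51.100.2 - - [02/Feb/2004:02:54:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2004:02:54:07 +0000] "GET / HTTP/1.0" 200 512 "-" "curl/7.10"
192.0.2.9 - - [02/Feb/2004:02:55:10 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 280 "-" "-"
203.0.113.7 - - [02/Feb/2004:02:54:09 +0000] "GET / HTTP/1.0" 200 512 "-" "curl/7.10"
198.51.100.2 - - [02/Feb/2004:02:56:30 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

# top_talkers LOG [N]: print "ip count" for the N addresses with the most requests
top_talkers() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}" |
        awk '{ print $2, $1 }'
}

# hits_from LOG IP: total number of requests logged from one address
hits_from() {
    awk -v ip="$2" '$1 == ip { n++ } END { print n + 0 }' "$1"
}

# bursts LOG LIMIT: print "ip minute count" for every address that sent more
# than LIMIT requests within one clock minute (the "500 in 30 seconds" case).
# substr($4, 2, 17) trims "[02/Feb/2004:02:54:01" down to "02/Feb/2004:02:54".
bursts() {
    awk -v limit="$2" '
        { key = $1 " " substr($4, 2, 17); n[key]++ }
        END { for (k in n) if (n[k] > limit) print k, n[k] }' "$1" | sort
}

# Against a real log the calls would look like:
#   top_talkers /var/log/httpd/access_log 5
#   bursts /var/log/httpd/access_log 100
echo "Top talkers:";  top_talkers "$SAMPLE_LOG" 3
echo "Bursts (>3 requests in one minute):"; bursts "$SAMPLE_LOG" 3
```

The burst check is a coarse one: it buckets on the minute in the timestamp, so a run that straddles two minutes shows up as two smaller counts. For the numbers in this thread (hundreds of requests in half a minute) that is still plenty to make the offending address stand out, and the address it prints is what you would feed to a block script.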

Postby Doogee » Mon Feb 02, 2004 11:32 pm

Thanks a lot :)
Doogee

Postby Void Main » Tue Feb 03, 2004 12:54 am

I came up empty on any other ideas. Yep, I would just block his IP range. Better yet, send him an email virus, as he sounds like a Windows user. Then he can annoy everyone instead of just you. :)

Here are a couple of scripts I wrote to block and unblock IP addresses:

block:
#!/bin/bash
# Block one address on the Internet-facing interface (eth1) in both
# directions, then save the table so the rule survives a reboot.
if [ $# -ne 1 ]; then
  echo "Syntax: `basename $0` <ipaddress>"
  exit 1
fi
# -w -F: match the address as a whole fixed string, so 10.0.0.1 is not
# mistaken for an already-blocked 10.0.0.10
if /sbin/iptables -L -n | grep -qwF "$1"; then
  echo "`date +'%Y/%m/%d %H:%M:%S'` - $1 - previously blocked"
else
  /sbin/iptables -A INPUT -s "$1" -i eth1 -j DROP
  /sbin/iptables -A OUTPUT -d "$1"/32 -j DROP
  /sbin/service iptables save > /dev/null 2>&1
  echo "`date +'%Y/%m/%d %H:%M:%S'` - $1 - blocked"
fi


unblock:
#!/bin/bash
# Remove the pair of DROP rules added by the block script and save the table.
if [ $# -ne 1 ]; then
  echo "Syntax: `basename $0` <ipaddress>"
  exit 1
fi
if /sbin/iptables -L -n | grep -qwF "$1"; then
  /sbin/iptables -D OUTPUT -d "$1"/32 -j DROP
  /sbin/iptables -D INPUT -s "$1" -i eth1 -j DROP
  /sbin/service iptables save > /dev/null 2>&1
  echo "`date +'%Y/%m/%d %H:%M:%S'` - $1 - unblocked"
else
  echo "`date +'%Y/%m/%d %H:%M:%S'` - $1 - was not blocked"
fi
Void Main

Postby Master of Reality » Thu Feb 05, 2004 6:24 pm

I would suggest limiting requests with iptables. Or you could get something like PortSentry, which will automatically block IP addresses that try to connect more than a certain limit.
Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Postby Void Main » Thu Feb 05, 2004 7:27 pm

I think m0r has the secret here. PortSentry was making me mad the other day because I would scp some files from one machine to another and PortSentry would then block the machine for some reason.
Void Main

Postby Doogee » Wed Feb 25, 2004 5:49 am

I don't think those scripts work on Slackware (no service command).

Could you see what you could do about making a Slackware script, pleeease :wink:

Also I just saw someone in the logs trying to access a file called default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%thensomerandowgarblehere

It looks very sus, so when I get these blocker scripts going that's one IP that won't be seeing my site anymore :D
Doogee

Postby Void Main » Wed Feb 25, 2004 6:50 am

Doogee wrote: I don't think those scripts work on Slackware (no service command)

Then modify them so they do work. Instead of using the service command you can use the "iptables-save" command. See the man page.

Doogee wrote: Could you see what you could do about making a Slackware script, pleeease

I thought the reason you guys use for running Slack is so you can learn more about Linux. ;) Really, you should be able to use iptables-save, which is really all "service iptables save" does. Of course, if you are using a firewall script you must take this into account to load this table on boot up. This method can actually be used in place of a firewall script (that is how Red Hat and many others, including myself, do it).

Doogee wrote: Also I just saw someone in the logs trying to access a file called default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%thensomerandowgarblehere

That's a Code Red or Nimda infected machine hitting you. Harmless, but annoying. Search for my Code Red threads. I used the scripts in this thread in combination with a couple of other scripts I whipped up and a couple of Apache rewrite rules to auto-block these addresses.
Void Main
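Two of the suggestions above, Master of Reality's idea of limiting connection rates in iptables instead of blocking one address at a time, and Void Main's point that iptables-save does what "service iptables save" does on distributions without a service command, put together as an added example. This is not either poster's script. It assumes a kernel and iptables with the "recent" match available, eth1 as the Internet-facing interface (as in the block script above), and /etc/iptables.rules as the file the table is saved to; all three are assumptions to adjust. Setting IPTABLES=echo prints the rules instead of applying them, which is how the script can be previewed without root.

```shell
#!/bin/sh
# Added example: per-source rate limit on new connections to port 80 using the
# iptables "recent" match, plus saving the table with iptables-save so it can
# be restored at boot on a system without a "service" command (e.g. Slackware).
# Assumptions: eth1 is the Internet-facing interface, the recent match is
# available, and /etc/iptables.rules is the save file.
# Dry run: IPTABLES=echo IPTABLES_SAVE=echo ./this-script eth1

IPTABLES=${IPTABLES:-/sbin/iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-/sbin/iptables-save}
RULES_FILE=${RULES_FILE:-/etc/iptables.rules}

# http_rate_rules IFACE [HITS] [SECONDS]: allow at most HITS new TCP
# connections to port 80 per source address in any SECONDS window
# (default 20 in 30 seconds); further SYNs from that source are dropped
# until it has been quiet for SECONDS.
http_rate_rules() {
    iface=$1
    hits=${2:-20}
    secs=${3:-30}
    # Record every new connection attempt to port 80 in the list named HTTP
    "$IPTABLES" -A INPUT -i "$iface" -p tcp --dport 80 --syn \
        -m recent --name HTTP --set
    # Drop the SYN when the source already has HITS entries newer than SECONDS;
    # --update refreshes the timestamp, so a source that keeps hammering stays blocked
    "$IPTABLES" -A INPUT -i "$iface" -p tcp --dport 80 --syn \
        -m recent --name HTTP --update --seconds "$secs" --hitcount "$hits" -j DROP
}

# save_rules [FILE]: dump the whole table so it can be reloaded with
# iptables-restore at boot (this replaces "service iptables save")
save_rules() {
    "$IPTABLES_SAVE" > "${1:-$RULES_FILE}"
}

# Stand-alone use: ./this-script eth1 [hits] [seconds]
if [ $# -gt 0 ]; then
    http_rate_rules "$@"
    save_rules
fi
```

Two caveats for anyone using this. First, it counts TCP connections, not HTTP requests: with KeepAlive on, one connection can carry many requests, so the connection limit goes hand in hand with the KeepAlive settings the original poster was already adjusting in httpd.conf. Second, the recent match keeps a fixed number of timestamps per address (20 by default), so a --hitcount above 20 needs the module's ip_pkt_list_tot parameter raised; stay at or below 20 unless you have done that. To restore the saved table at boot on Slackware, add `/sbin/iptables-restore < /etc/iptables.rules` to /etc/rc.d/rc.local, which is the "load this table on boot up" step Void Main mentions.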

Postby Doogee » Wed Feb 25, 2004 2:43 pm

Yeah, I've never used iptables before :P
Doogee