Apache - Need help stopping possible DoS attack
A friend of mine recently spoke to a person who told them they were making a script to connect to my server and make like 500 requests in 30 seconds.
As far as I understand this could oops up my server pretty bad, especially seeing the server is only on a 512/128 connection (I think the guy who plans to do it is on the same).
Basically I need to know what I can do in the httpd.conf to stop this, or limit it to a point. I have changed my maxrequests keepalive to "35" but I'm sure there is more I can do.
Unfortunately I have no firewall (except my router, but it's open on the webserver port, obviously) so I need to limit this through httpd.conf.
Please, it's pretty urgent, has anyone got ideas?
You should have iptables installed, in which case you can block his IP address. In fact you can block IP addresses right in the Apache config, but I prefer blocking with iptables and preventing them from connecting to any port on my machine if they are butt heads. I do believe I have seen connection limit configurations for Apache but I don't know them off the top of my head. I'll do some searching this evening if you haven't found it.
I came up empty on any other ideas. Yep, I would just block his IP range. Better yet, send him an email virus as he sounds like a Windows user. Then he can annoy everyone instead of just you. :)
Here are a couple of scripts I wrote to block and unblock IP addresses:
block:
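#!/bin/bash
# Block an IP address with iptables and save the rule set.
if [ $# -ne 1 ]; then
    echo "Syntax: $(basename "$0") <ipaddress>"
    exit 1
fi
# -F/-w: match the address literally and as a whole word, so 1.2.3.4 does not match 11.2.3.45
if /sbin/iptables -L -n | grep -qwF -- "$1"; then
    echo "$(date +'%Y/%m/%d %H:%M:%S') - $1 - previously blocked"
else
    # Drop traffic from the address arriving on eth1, and traffic going to it
    /sbin/iptables -A INPUT -s "$1" -i eth1 -j DROP
    /sbin/iptables -A OUTPUT -d "$1/32" -j DROP
    /sbin/service iptables save > /dev/null 2>&1
    echo "$(date +'%Y/%m/%d %H:%M:%S') - $1 - blocked"
fi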
unblock:
#!/bin/bash
# Remove the DROP rules added by the block script and save the rule set.
if [ $# -ne 1 ]; then
    echo "Syntax: $(basename "$0") <ipaddress>"
    exit 1
fi
# -F/-w: match the address literally and as a whole word, so 1.2.3.4 does not match 11.2.3.45
if /sbin/iptables -L -n | grep -qwF -- "$1"; then
    /sbin/iptables -D OUTPUT -d "$1/32" -j DROP
    /sbin/iptables -D INPUT -s "$1" -i eth1 -j DROP
    /sbin/service iptables save > /dev/null 2>&1
    echo "$(date +'%Y/%m/%d %H:%M:%S') - $1 - unblocked"
else
    echo "$(date +'%Y/%m/%d %H:%M:%S') - $1 - was not blocked"
fi
I don't think those scripts work on Slackware (no service command)
Could you see what you could do about making a Slackware script, pleeease
Also I just saw someone in the logs trying to access a file called default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%thensomerandowgarblehere
It looks very sus, so when I get these blocker scripts going that's one IP that won't be seeing my site anymore
Doogee wrote: I don't think those scripts work on Slackware (no service command)
Then modify them so they do work. Instead of using the service command you can use the "iptables-save" command. See the man page.
Doogee wrote: Could you see what you could do about making a Slackware script, pleeease
I thought the reason you guys use for running Slack is so you can learn more about Linux. ;) Really, you should be able to use iptables-save which is really all "service iptables save" does. Of course if you are using a firewall script you must take this into account to load this table on boot up. This method can actually be used in place of a firewall script (that is how Red Hat and many others including myself do it).
Doogee wrote: Also I just saw someone in the logs trying to access a file called default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%thensomerandowgarblehere
That's a Code Red or Nimda infected machine hitting you. Harmless, but annoying. Search for my Code Red threads. I used the scripts in this thread in combination with a couple of other scripts I whipped up and a couple of Apache rewrite rules to auto-block these addresses.