Apache - Need help stopping possible DoS attack

Doogee
administrator
Posts: 261
Joined: Fri Jan 10, 2003 1:40 am

Post by Doogee »

A friend of mine recently spoke to a person who told them they were making a script to connect to my server and make like 500 requests in 30 seconds.

As far as I understand this could oops up my server pretty bad, especially seeing the server is only on a 512/128 connection (I think the guy who plans to do it is on the same).

Basically I need to know what I can do in the httpd.conf to stop this, or limit it to a point. I have changed my maxrequests keepalive to "35" but I'm sure there is more I can do.

Unfortunately I have no firewall (except my router, but it's open on the webserver port, obviously) so I need to limit this through httpd.conf.

Please, it's pretty urgent, has anyone got ideas?

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

You should have iptables installed, in which case you can block his IP address. In fact you can block IP addresses right in the Apache config, but I prefer blocking with iptables and preventing them from connecting to any port on my machine if they are butt heads. I do believe I have seen connection limit configurations for Apache but I don't know them off the top of my head. I'll do some searching this evening if you haven't found it.

Doogee
administrator
Posts: 261
Joined: Fri Jan 10, 2003 1:40 am

Post by Doogee »

He has a dynamic IP. And also I haven't even found out what his IP is yet :wink:

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Look in your logs. The default log for Apache would be /var/log/httpd/access_log. Use cat, grep, cut, sort -u, wc -l, etc., to determine who is hitting you hard and block them. You can block his whole range of IP addresses. I'm still not home so I'll check later to see if I can find anything more.
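As an added example (not from this thread), here is the log sifting Void Main describes turned into a small script: it counts requests per client address, flags addresses that burst past a per-minute limit (the "500 requests in 30 seconds" pattern Doogee is worried about), and lists addresses probing for default.ida. It assumes the default Common/Combined log format and carries a constructed sample log so it runs offline; the function names and the default limit of 100 are my choices.

```shell
#!/bin/sh
# Added example (not from the thread): sift an Apache access_log for the
# addresses doing the hammering, the cat/grep/sort/uniq job described
# above. Assumes the default Common/Combined Log Format, where the client
# address is field 1 and the timestamp "[10/Mar/2003:14:22:05" is field 4.

# Requests per client address, busiest first ("<count> <ip>").
top_ips() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Clients that made at least $2 (default 100) requests within one clock
# minute of log $1. A burst like "500 requests in 30 seconds" shows up
# here even when the address is quiet for the rest of the day.
# Prints "<ip> <day/mon/year:hh:mm> <count>".
busy_ips() {
    awk -v limit="${2:-100}" '
        {
            # "[10/Mar/2003:14:22:05" -> "10/Mar/2003:14:22": drop the
            # leading "[" and the trailing ":ss".
            minute = substr($4, 2, length($4) - 4)
            hits[$1 " " minute]++
        }
        END {
            for (k in hits) if (hits[k] >= limit) print k, hits[k]
        }' "$1" | sort
}

# Addresses probing for default.ida (the Code Red / Nimda request seen in
# the thread), one per line, ready to hand to a blocking script.
worm_probes() {
    grep -F 'default.ida?' "$1" | awk '{ print $1 }' | sort -u
}

# Constructed sample log for a self-contained run: 10.0.0.5 bursts four
# requests inside 14:22, 192.0.2.9 sends one worm probe.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [10/Mar/2003:14:22:01 +0000] "GET / HTTP/1.0" 200 512
10.0.0.5 - - [10/Mar/2003:14:22:02 +0000] "GET / HTTP/1.0" 200 512
10.0.0.5 - - [10/Mar/2003:14:22:03 +0000] "GET / HTTP/1.0" 200 512
10.0.0.5 - - [10/Mar/2003:14:22:04 +0000] "GET / HTTP/1.0" 200 512
192.0.2.9 - - [10/Mar/2003:14:22:05 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.9 - - [10/Mar/2003:14:23:05 +0000] "GET /default.ida?XXXXXXXXXX HTTP/1.0" 404 276
10.0.0.5 - - [10/Mar/2003:14:23:01 +0000] "GET / HTTP/1.0" 200 512
EOF
}

# Usage: sh access_watch.sh /var/log/httpd/access_log [per-minute limit]
if [ $# -ge 1 ]; then
    echo "== requests per address =="; top_ips "$1"
    echo "== bursts over ${2:-100}/minute =="; busy_ips "$1" "${2:-100}"
    echo "== worm probes =="; worm_probes "$1"
fi
```

The per-minute bucket is deliberately coarse: it needs no date parsing beyond a substring cut, and a real flood shows up as a count far above anything a browser produces, so the exact limit matters less than looking at the output before feeding addresses to a block script.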

Doogee
administrator
Posts: 261
Joined: Fri Jan 10, 2003 1:40 am

Post by Doogee »

Thanks a lot :)

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

I came up empty on any other ideas. Yep, I would just block his IP range. Better yet, send him an email virus as he sounds like a Windows user. Then he can annoy everyone instead of just you. :)

Here are a couple of scripts I wrote to block and unblock IP addresses:

block:

#!/bin/bash
# Block one address on the external interface and save the rule set.
if [ $# -ne 1 ]; then
  echo "Syntax: `basename $0` <ipaddress>"
  exit 1
fi
# -w -F: match the address literally and as a whole word, so 10.0.0.1
# does not also match 10.0.0.10 and the dots are not regex wildcards.
if /sbin/iptables -L -n | grep -qwF -- "$1"; then
  echo "`date +'%Y/%m/%d %H:%M:%S'` - $1 - previously blocked"
else
  /sbin/iptables -A INPUT -s "$1" -i eth1 -j DROP      # eth1 is the external interface on this box
  /sbin/iptables -A OUTPUT -d "$1/32" -j DROP
  /sbin/service iptables save > /dev/null 2>&1          # Red Hat: persist the rules across reboots
  echo "`date +'%Y/%m/%d %H:%M:%S'` - $1 - blocked"
fi

unblock:

#!/bin/bash
# Remove the block added by the script above and save the rule set.
if [ $# -ne 1 ]; then
  echo "Syntax: `basename $0` <ipaddress>"
  exit 1
fi
# Same whole-word literal match as in the block script.
if /sbin/iptables -L -n | grep -qwF -- "$1"; then
  /sbin/iptables -D OUTPUT -d "$1/32" -j DROP
  /sbin/iptables -D INPUT -s "$1" -i eth1 -j DROP
  /sbin/service iptables save > /dev/null 2>&1
  echo "`date +'%Y/%m/%d %H:%M:%S'` - $1 - unblocked"
else
  echo "`date +'%Y/%m/%d %H:%M:%S'` - $1 - was not blocked"
fi

Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Post by Master of Reality »

I would suggest limiting requests with iptables. Or you could get something like portsentry, which will automatically block IP addresses that try to connect more than a certain limit.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

I think m0r has the secret here. Port sentry was making me mad the other day because I would scp some files from one machine to another and port sentry would then block the machine for some reason.

Doogee
administrator
Posts: 261
Joined: Fri Jan 10, 2003 1:40 am

Post by Doogee »

I don't think those scripts work on Slackware (no service command).

Could you see what you could do about making a Slackware script, pleeease :wink:

Also I just saw someone in the logs trying to access a file called default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%thensomerandowgarblehere

It looks very sus, so when I get these blocker scripts going that's one IP that won't be seeing my site anymore :D

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Doogee wrote:
> I don't think those scripts work on Slackware (no service command)

Then modify them so they do work. Instead of using the service command you can use the "iptables-save" command. See the man page.

Doogee wrote:
> Could you see what you could do about making a Slackware script, pleeease

I thought the reason you guys use for running Slack is so you can learn more about Linux. ;) Really, you should be able to use iptables-save, which is really all "service iptables save" does. Of course if you are using a firewall script you must take this into account to load this table on boot up. This method can actually be used in place of a firewall script (that is how Red Hat and many others, including myself, do it).

Doogee wrote:
> Also I just saw someone in the logs trying to access a file called default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%thensomerandowgarblehere

That's a Code Red or Nimda infected machine hitting you. Harmless, but annoying. Search for my Code Red threads. I used the scripts in this thread in combination with a couple of other scripts I whipped up and a couple of Apache rewrite rules to auto-block these addresses.
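Pulling together Master of Reality's suggestion of limiting requests in iptables and Void Main's advice to replace "service iptables save" with iptables-save, here is an added example (not a script from this thread) of a small distribution-neutral firewall helper for a Slackware-style box. It persists rules with iptables-save/iptables-restore so they can be reloaded from /etc/rc.d/rc.local at boot, checks that the argument looks like an IPv4 address before it reaches iptables, and adds a per-source rate limit on port 80 with the recent match. The rules file path, the interface name eth1 (borrowed from the scripts above), and the DRY_RUN switch are assumptions of mine; the recent match needs the ipt_recent/xt_recent module, which older kernels may not ship.

```shell
#!/bin/sh
# Added example (not a script from this thread): iptables helper for a
# host without a "service" command, such as the Slackware box discussed
# above. Persists rules with iptables-save / iptables-restore and rate
# limits new HTTP connections per source with the "recent" match.
# Paths, the interface name and the DRY_RUN switch are assumptions.

IPTABLES="${IPTABLES:-/sbin/iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-/sbin/iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # assumed location of the saved rules
WAN_IF="${WAN_IF:-eth1}"                          # interface facing the Internet (as in the thread)
DRY_RUN="${DRY_RUN:-0}"                           # 1 = print commands instead of running them

# Run a command, or just print it when DRY_RUN=1 (review before running as root).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address, optionally with /prefix, so a
# typo or a hostile string never reaches iptables. Shape check only.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Write the running rule set to RULES_FILE; this is what
# "service iptables save" does on Red Hat.
save_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES_SAVE > $RULES_FILE"
    else
        "$IPTABLES_SAVE" > "$RULES_FILE"
    fi
}

# Call from /etc/rc.d/rc.local so the blocks survive a reboot.
restore_rules() {
    [ -r "$RULES_FILE" ] || return 1
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES_RESTORE < $RULES_FILE"
    else
        "$IPTABLES_RESTORE" < "$RULES_FILE"
    fi
}

# Drop everything from one address or range and persist the change.
# -I puts the rule first, ahead of any accept rules already in INPUT.
block_ip() {
    valid_ip "$1" || { echo "block_ip: '$1' is not an IPv4 address" >&2; return 2; }
    run "$IPTABLES" -I INPUT -i "$WAN_IF" -s "$1" -j DROP
    save_rules
}

unblock_ip() {
    valid_ip "$1" || { echo "unblock_ip: '$1' is not an IPv4 address" >&2; return 2; }
    run "$IPTABLES" -D INPUT -i "$WAN_IF" -s "$1" -j DROP
    save_rules
}

# Per-source rate limit for new HTTP connections: a source that opens more
# than $1 connections within $2 seconds is dropped until it calms down.
# --hitcount cannot exceed the recent module's ip_pkt_list_tot setting
# (20 by default), so keep the count modest or raise that module parameter.
rate_limit_http() {
    hits="${1:-20}"
    secs="${2:-30}"
    run "$IPTABLES" -A INPUT -i "$WAN_IF" -p tcp --dport 80 --syn \
        -m recent --name HTTP --set
    run "$IPTABLES" -A INPUT -i "$WAN_IF" -p tcp --dport 80 --syn \
        -m recent --name HTTP --update --seconds "$secs" --hitcount "$hits" -j DROP
}

# Usage: fw.sh block <ip> | unblock <ip> | restore | limit [hits] [seconds]
case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    restore) restore_rules ;;
    limit)   rate_limit_http "$2" "$3" ;;
esac
```

DRY_RUN=1 sh fw.sh block 192.0.2.9 prints the exact iptables and iptables-save commands instead of running them, which is also a convenient way to review the rule set before running it for real as root.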

Doogee
administrator
Posts: 261
Joined: Fri Jan 10, 2003 1:40 am

Post by Doogee »

Yeah, I've never used iptables before :P
