Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Now you can either use iptables to drop all incoming traffic from these guys, or you can use something like blockhosts.
"Moving" your server does nothing if they're following your Domain Name. Depending on your ISP for security is like depending on a Car Salesman to change your oil.
But they have dynamic IP addresses. They are using classic ADSL. Probably they are some jerk teenagers who keep changing their IPs.
Also, I moved my server because I need a more secure datacenter, and the old ISP didn't give any help in dealing with the attack. So I didn't move the server to block the attack; I moved for better protection. But as the situation shows, I didn't get it.
Last edited by Seregwethrin; 02-09-2011 at 10:44 AM.
There are a few options for dealing with those kinds of people.
1) Blockhosts to cut them off (that's what I use). I set up each of my web servers to ban an IP for one month when it receives two errors from the web server.
2) Start blocking whole IP ranges that they're coming from. (I've attached every IP range assigned to Turkey.)
3) Limit every IP address to 10 connections to port 80 (via iptables). (I'm looking up how to do this now... saw it in an LQ thread once.)
NOTE: They may be doing more to you than just (D)DoS'ing. Check the logs for your other services (especially SSH!).
Checking out the file now; however, a few questions about how the site is built:
1) Is this a MySQL+PHP site? (aka: does it have a lot of dynamic content?)
2) How much (if any) of the site is static pages?
3) Are you using this site to generate income, or is this a pet project (how critical is this)?
They can't be doing more to me because I have two IPs: I use one to connect to FTP, SSH, etc., and the other has only port 80 open. They couldn't have known the other IP. I set restrictions via iptables.
Well I can't block ips from Turkey because my website is for Turkish gamers.
And yes, it's a PHP/MySQL website; actually it is a vBulletin forum, just like here. To be more specific, it's a website (moreover, a forum) for Turkish World of Warcraft gamers, and it's the biggest one in the Turkish language. Of course the forum has its competitors, and probably they are responsible.
There are basically no static pages. Every page is PHP.
And no, I'm not getting an income. Yes, I get something in return, on average $150-200 a month, but I'm giving more than I get in terms of time and work. I just don't want to close it because it is useful to people. I don't use it actually; I don't even play games. I opened it while I was still in high school, 6 years ago, so it has a nostalgic history for me too.
Last edited by Seregwethrin; 02-09-2011 at 11:26 AM.
Well, in that case it sounds like it's not worth investing serious monetary resources into keeping this thing online through the attack. I would suggest replacing your index.php with a simple html maintenance page. This will keep the website online, and the attackers will eventually just give up, as they shouldn't be able to overwhelm the server resources when you have a simple page up.
Sounds like an awesome site, let's see if we can give these PFY's a run for their efforts. However...
Do NOT assume they don't know the other IP. Be sure to check your logs for any SSH login attempts. They could be trying to distract you with a (D)DoS while they attempt to take over the server.
# Detect SYN flood by limiting new connections to 12/sec (burst of 24)
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP
# Send all new TCP connection attempts (SYN packets) through the chain; without this the chain is never consulted
iptables -A INPUT -p tcp --syn -j syn-flood
WARNING: Be careful with iptables! You can lock yourself out of your box if you're not careful.
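The following is an added example, not the rules posted above and not anything the thread's participants ran. It combines the SYN rate-limit chain idea from the post above with the per-IP connection cap (option 3, "limit every IP address to 10 connections to port 80") mentioned earlier, and guards against the lockout warning by accepting a management address before any limit applies. It assumes iptables with the `limit` and `connlimit` match modules; `ADMIN_IP` is a hypothetical placeholder address you must replace with your own, and the defaults for rates and counts are assumptions, not values from the thread. By default the script only prints the rules so they can be reviewed; `apply` runs them.

```shell
#!/bin/sh
# Added example (not the poster's rules): rate-limit new HTTP connections with iptables.
# Assumptions: iptables with the 'limit' and 'connlimit' match modules is installed;
# ADMIN_IP is a hypothetical management address that must never be rate-limited.
ADMIN_IP="${ADMIN_IP:-198.51.100.10}"   # constructed placeholder; set this to your own IP
MAX_PER_IP="${MAX_PER_IP:-10}"          # simultaneous connections per source IP to port 80
SYN_RATE="${SYN_RATE:-12/s}"            # new connections per second before dropping
SYN_BURST="${SYN_BURST:-24}"            # initial burst allowed before the rate applies

# Print the rule set instead of applying it, so it can be reviewed first.
# Order matters: the admin ACCEPT is inserted at position 1 so it is evaluated
# before any limit; the syn-flood chain must be hooked from INPUT to see traffic.
http_limit_rules() {
    cat <<EOF
iptables -N syn-flood
iptables -A syn-flood -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j RETURN
iptables -A syn-flood -j DROP
iptables -I INPUT 1 -s $ADMIN_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 --syn -j syn-flood
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above $MAX_PER_IP --connlimit-mask 32 -j REJECT --reject-with tcp-reset
EOF
}

# Sanity check: a user-defined chain that is never referenced from INPUT does nothing.
check_rules() {
    http_limit_rules | grep -q -- '-A INPUT .* -j syn-flood'
}

# Apply for real (run as root). Undo with: iptables -F syn-flood; iptables -X syn-flood
# after removing the INPUT rules that reference it.
apply_rules() {
    check_rules || { echo "syn-flood chain is not hooked from INPUT" >&2; return 1; }
    http_limit_rules | sh -ex
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     http_limit_rules ;;
esac
```

Two caveats before applying this on a live box: `connlimit` counts per source address, so a school or office behind one NAT address shares the cap of 10 and will start getting resets once it is exceeded, and the `limit` match in the syn-flood chain is global, not per source, so a large enough flood also throttles legitimate visitors. Test from a second session while the management address rule is in place.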
Well, we can see the IPs, so why is there no software to check them, for example every minute, and block them? I still haven't dug into BlockHosts, but I definitely will. I hope it does what I want and works with nginx.
And I checked netstat with your iptables rules. I can still see hundreds of attacking IPs, but they don't look like they're harming the server, at least for now.
So your site is up? Cool! (What's the address? I kinda wanna check out the site.)
If there were any other helpful posts, be sure to click "Yes" in the bottom right-hand corner of those posts.
Also, if your problem has been solved, use "Thread Tools" at the very top of the page to mark this as [SOLVED].
EDIT: Blockhosts is used to parse log files and throw a ban on any IP that shows up in the logs.
I've not worked with nginx before, so I don't know if the connections from the "bad guys" are showing up a certain way. If they're doing something besides opening a bunch of connections, the logs should show it, so you can ban 'em.
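Since the question of whether the bad connections show up in the nginx logs was left open, here is an added example of the kind of log-driven banning BlockHosts performs, written from scratch for this thread rather than taken from BlockHosts or from anyone's server. It reads nginx access log lines in the default "combined" format from stdin, flags any client that either exceeds a request count or produces too many 4xx responses (the "two errors" rule mentioned earlier in the thread), and prints the iptables rules that would ban them. The log lines embedded in `sample_log` are constructed for the demonstration; the thresholds are assumptions; it assumes the client address is the first field, which is not true if a reverse proxy sits in front of nginx.

```shell
#!/bin/sh
# Added example (not BlockHosts and not the poster's setup): find abusive clients in an
# nginx "combined" access log and emit iptables ban rules for them.
# Assumption: no reverse proxy, so $1 of each log line is the real client address.
REQ_LIMIT="${REQ_LIMIT:-100}"   # requests per IP in the scanned log before a ban (assumed)
ERR_LIMIT="${ERR_LIMIT:-2}"     # 4xx responses per IP before a ban (assumed)

# Constructed sample log: one flooding client, one probing client with two 404s,
# and one ordinary visitor. Timestamps and paths are invented.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [09/Feb/2011:10:44:01 +0200] "GET /forum.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2011:10:44:01 +0200] "GET /forum.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2011:10:44:01 +0200] "GET /forum.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2011:10:44:02 +0200] "GET /forum.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2011:10:44:02 +0200] "GET /forum.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Feb/2011:10:44:03 +0200] "GET /admincp/ HTTP/1.1" 404 162 "-" "curl/7.21"
198.51.100.23 - - [09/Feb/2011:10:44:04 +0200] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.21"
192.0.2.1 - - [09/Feb/2011:10:44:05 +0200] "GET /showthread.php?t=1 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
EOF
}

# Usage: abusive_ips REQ_LIMIT ERR_LIMIT  < access.log
# Prints "ip requests errors" for each offender, most requests first.
# The status code is the first token after the closing quote of the request string,
# which survives spaces inside the request or user-agent fields.
abusive_ips() {
    awk -v reqs="$1" -v errs="$2" '
    {
        ip = $1
        split($0, parts, "\"")        # parts[2] = request line, parts[3] = " STATUS BYTES "
        split(parts[3], rest, " ")
        status = rest[1]
        count[ip]++
        if (status ~ /^4[0-9][0-9]$/) errors[ip]++
    }
    END {
        for (ip in count)
            if (count[ip] > reqs || errors[ip] >= errs)
                printf "%s %d %d\n", ip, count[ip], errors[ip]
    }' | sort -k2,2nr
}

# Turn the offender list into iptables rules; pipe the output to sh as root to apply.
ban_rules() {
    awk '{ printf "iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n", $1 }'
}

# Demonstration over the constructed log with low thresholds (more than 4 requests,
# or at least 2 errors): both 203.0.113.7 and 198.51.100.23 are flagged, 192.0.2.1 is not.
sample_log | abusive_ips 4 2 | ban_rules
```

Run it against a real log with `tail -n 5000 /var/log/nginx/access.log | abusive_ips "$REQ_LIMIT" "$ERR_LIMIT"` from cron every minute, and pair the DROP rules with an expiry (a second cron job that flushes them, or a timestamped list) so that the dynamic ADSL addresses mentioned earlier in the thread do not stay banned after they have been reassigned to someone else. The request threshold needs to be set from the site's normal traffic, since a vBulletin page loads several resources per view.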