Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have met a serious problem: there is only one domain and only one website on my LAMP, but since last night I have got a 10G+ access.log. The content is like the following:
The problem is you're running a web site on a public IP. There's nothing you can do to prevent scans like this. Everyone gets them.
Assuming that the real problem you're asking about is the big log file (you didn't mention any other effects of this "attack"), then you can turn off Apache logging in httpd.conf. Or (though I'm not sure of this) maybe a program like fail2ban can be configured to notice things like this and set iptables to drop further connections from offending IPs.
You can use an appliance, or VM such as FortiWEB to block scans like these. Also, an IPS/IDS will catch something like this and block access from the source IP in the router/firewall.
Thanks very much, but I do not think it's a common problem; I get 300+ connections per minute. I think maybe I need some application to ban them.
Um, are you using this as some sort of a proxy? All of those log entries are successful connections, and I have a hard time believing you're hosting all of those sites.
Thanks, the problem is: it's not really an IP address in access_log. You see, 203.152.222.81.static.zoot.jp; I do not think fail2ban can handle this type of IP address.
If you really are experiencing a DDOS situation, which I don't see that there is evidence that you are, then it would mean that you have angered the wrong group and attracted their attention. A DDOS requires a significant amount of resources, such as a large bot net, as well as centralized control. You would also be seeing symptoms that are a lot more severe than a log full of garbage entries. Additionally, I believe you would be seeing an overload of attempts to access YOUR resources, not connection GET strings from your Apache's access log. Please confirm: are these connections originating with YOUR web server, not from traffic from your web browser?
Your original post mentions that you are running one website and one host. In your reply to me, you mention disable ALL virtual hosts. Please clarify, as I consider multiple virtual hosts to be multiple web sites and this impacts how you need to proceed.
One thing that this made me think of is: are you perchance running any sort of advertisement or RSS news feed on your website that would cause it to go to different places to pull in content? Also, to be impacted by XSS, you would need to be accepting input from users and then redisplaying this content on your site. What type of site are you running, and does it have active content from your users, e.g. a forum or comment section?
Sorry for the unclear information; I have never met a DDOS before, it's the first time. Let me describe more about the 'attack' and what steps I have tried.
First, on the first day, I found the traffic to my LAMP was very, very heavy. There are two virtual hosts on my Apache, nothing to serve, only two index.php in the web roots, the content is simple text: 'this is domain1' and 'this is domain2'.
It should be impossible to have so much traffic: 9MB per second from #iftop. So I started to track the issue.
1. I tried to upgrade sshd, httpd.
2. I tried to check the status of all my configuration.
I am sure nobody changed my httpd.conf, sshd.conf, or my index.php in the web root.
After that, I removed one of the virtual hosts, including deleting index.php and the web root folder (/var/www/domain1); the issue wasn't solved.
Then, OK, let me remove all virtual hosts; the issue wasn't solved.
Checked the logs again: dummy-domain-log is normal, nothing special; only the default access_log contains the entries I mentioned before.
Then, I started to remove everything about httpd and installed a fresh httpd with the latest version. The issue wasn't solved.
About proxy? I started to remove everything about mod_proxy, mod_ftp_proxy and mod_http_proxy.
The issue wasn't solved.
Is it about Apache? OK, I changed the port from 80 to 8080, and the issue was solved: #netstat -ant shows not so many connections.
Next, I shut down the httpd server and started up a very simple wsgi server that returns 'hello' to all requests. No luck; many connections destroyed my wsgi server.
At last, I do not know what to do next.
That's all I met and what I did; I have no experience with it. Sorry if I submitted too much unclear information; I hope I described myself clearly.
Something isn't making complete sense. In your original post, what log file did you post from (file name and path please)? If that was your Apache access.log file it indicates that something is amiss as it shows connections from various user agents going to sites that are not part of your domain. In my opinion, the nature and origin of these connections is something that needs to be identified conclusively. From what I can see in the logs and from what you are telling me (not a proxy, and a simple web page with no content being served up), as much as I am loathe to say it, I would be looking very closely for a possible compromise as something appears to be using your system to connect to these locations using various browser agents.
Netstat will show you connection attempts. I would suggest, as root, running netstat -pane and also lsof -pwn and seeing if you can tie the connections back to an active process running on your system. You will see all the connections, inbound and outbound. If you run a web browser, you will get lots of connections. On the inbound, much of this is just noise. It generally does not indicate that you are under any form of attack. If you are getting so many connections that your web server fails to function, that is a problem and you will need to deal with it. This is the impression I am getting from your last post.
One of the first things I would recommend is the application fail2ban, which will put a temporary block on an IP that attempts to access invalid site locations. This is generally enough to stop the scripts and bots. There is a chance that you have inherited an IP address that was home to a game server or something that attracts a lot of attention and you are not set up to handle it. Fail2ban will help. Next, you can look to see if these are coming from a particular IP or set of IPs and block those, or even block the ISP. If this stops it, you know that it was a dumb script running in the background. If it moves or re-appears, you know that there is more intelligence behind the activity and that you are being targeted for something. If that does not work, I would start looking at more advanced methods, but developing the correct action will depend on actual, factual, log-based information. For example, it will be necessary to determine if you are experiencing a SYN flood, a Slowloris, etc. Therefore, if fail2ban does not solve your problem I would suggest starting a new thread in the security forum on the subject and referencing this thread with a link.
Last edited by Noway2; 06-10-2011 at 11:43 AM.
Thanks, the problem is : it's not really IP address in access_log, you see, 203.152.222.81.static.zoot.jp, I do not think fail2ban should solve these type of ip address.
Looking at that log snippet you posted, the first hit there from 203.152.222.81 is a valid IP, but then the rest of them have that extra junk appended on them... Very odd.
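A triage script for an access_log of the kind discussed in this thread (an added example, not code posted by anyone in the thread): it parses Apache combined-format lines, separates client fields that are IP addresses from reverse-DNS hostnames of the 203.152.222.81.static.zoot.jp kind (what Apache writes in the client field when HostnameLookups is On), flags request lines that carry an absolute URI (the form a browser sends to a forward proxy), and lists clients that exceed a per-minute rate, 300 by default as mentioned above. The sample log lines are constructed, and the hostname form is counted as its own client because nothing is resolved offline.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address
# Apache "combined" format: client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A request line whose target is an absolute URI is what a browser sends to a forward proxy;
# on a server that is not meant to proxy, many of these mean it is being probed or abused as one.
ABS_URI_RE = re.compile(r'^[A-Z]+ https?://[^/\s]+', re.I)

# Constructed sample log (not from the thread); the hostname form mirrors the one quoted there.
SAMPLE_LOG = """\
203.152.222.81 - - [09/Jun/2011:23:10:01 +0800] "GET / HTTP/1.1" 200 15 "-" "Mozilla/5.0"
203.152.222.81.static.zoot.jp - - [09/Jun/2011:23:10:02 +0800] "GET http://www.example.net/ HTTP/1.1" 200 15 "-" "Mozilla/4.0"
203.152.222.81.static.zoot.jp - - [09/Jun/2011:23:10:02 +0800] "GET http://ads.example.org/a.js HTTP/1.0" 200 15 "-" "Opera/9.80"
198.51.100.7 - - [09/Jun/2011:23:11:30 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
not a log line
"""

def is_ip(field):
    try:
        ip_address(field)
        return True
    except ValueError:
        return False  # a reverse-DNS name, written when HostnameLookups is On

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # truncated or foreign line: skip it rather than crash
    d = m.groupdict()
    d["client_is_hostname"] = not is_ip(d["client"])
    d["proxy_request"] = bool(ABS_URI_RE.match(d["request"]))
    d["minute"] = d["time"][:17]  # "09/Jun/2011:23:10" -> one-minute bucket
    return d

def triage(text, per_minute_limit=300):
    """Hit count per client, clients above per_minute_limit in any single minute,
    number of proxy-style requests and number of lines whose client is a hostname."""
    hits, per_min = Counter(), defaultdict(Counter)
    proxy = hostname = 0
    for d in filter(None, map(parse_line, text.splitlines())):
        hits[d["client"]] += 1
        per_min[d["client"]][d["minute"]] += 1
        proxy += d["proxy_request"]
        hostname += d["client_is_hostname"]
    noisy = sorted(c for c, m in per_min.items() if max(m.values()) > per_minute_limit)
    return {"hits": hits, "noisy": noisy, "proxy_requests": proxy, "hostname_clients": hostname}
```

Run it as `triage(open("/var/log/httpd/access_log").read())`; a high proxy_requests count on a server with no mod_proxy points at open-proxy probing rather than a plain scan, and a non-empty noisy list gives fail2ban or iptables something concrete to block.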