LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 11-08-2006, 02:29 PM   #1
jitenagr
LQ Newbie
 
Registered: Nov 2006
Posts: 3

Rep: Reputation: 0
Server Attack


Hi,

I run a Linux server that hosts two file hosting sites. Someone is running an automatic script to keep downloading the same file and, as a result, is using up the maximum connections allowed in httpd.conf.

I have applied several modules like cband, and other techniques to block the user, but nothing is working. I have blocked his IP through iptables, and then he uses a subset of IPs. I have even blocked subsets of IPs, and he still attacks with entirely different IPs.

I have also added word verification, session timeouts, and everything else that I could think of and nothing has worked so far.

Can anyone please suggest a way to block this attack? If it is easier we can chat online as well. If someone can block this for me and tell me a successful solution I would gratefully pay for the help :-)

Regards,
jay
AIM: ndnfromcal
MSN: jitendra87@hotmail.com
 
Old 11-08-2006, 04:01 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: I have applied several modules like cband, and other techniques
Any particular User-Agent to spot? Tried mod_evasive? Anti-leech download thing that doesn't rely on IP address or referrer?


Quote: If it is easier we can chat online as well.
Simple rule. Ask question here, get answers here.


Quote: If someone can block this for me and tell me a successful solution I would gratefully pay for the help
You are not allowed to use money as an incentive hoping for more exposure or (more) expedient response. It is disrespectful towards your fellow LQ members. If you're satisfied with what LQ helps you with you can always donate to LQ.
 
Old 11-08-2006, 06:20 PM   #3
jitenagr
LQ Newbie
 
Registered: Nov 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Help

Hi,

I am sorry I did not want to offend the community by offering money for help, if I have done so I apologize.

So far I have not tried mod_evasive. Is it a good module to detect attacks coming via proxy as well?

I have found the step by step instructions to install it when I do a google search for "mod_evasive" and click on the second link. (It is not allowing me to post the link here) Can you please let me know if this looks ok and would work as a good solution?

In addition to this are there any additional utilities that might help?

Regards,
Jay
 
Old 11-08-2006, 08:58 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: So far I have not tried mod_evasive. Is it a good module to detect attacks coming via proxy as well?
It reacts per IP address, so if one of many people behind the same proxy or NAT device fscks up, they all get blocked for the duration of DOSBlockingPeriod. Good suffer for the Bad.


Quote: I have found the step by step instructions to install it when I do a google search for "mod_evasive" and click on the second link. (It is not allowing me to post the link here) Can you please let me know if this looks ok and would work as a good solution?
They're all good as long as you pick the right values for your Apache-1 or 2 series config. Make sure you whitelist your management IP range. Then monitor and adjust. Do NOT block using Iptables firewall rules as stated on some sites unless you dump them in a temporary chain that gets cleaned up every so often.


Quote: In addition to this are there any additional utilities that might help?
I did mention looking for an anti-leech download thingie already. You could filter user agents in the Apache config or use mod_security for that (setting another UA is easy). Or check out http://gentoo-wiki.com/HOWTO_Apache_...width_limiting (no mod_limitipconn or mod_throttle for Apache-2). Or Iptables modules like recent and hashlimit. Or host the files on FTP and make the FTP daemon throttle or set a cap. Or maybe trade in your Apache for another webserver, like LiteSpeed which has built-in IP level throttling (though only the std ed is free). Or run Squid in front of the webserver so the proxy takes the hits.
BTW, what category files are we talking about? Warez, carding, pr0n, literature (ooh, naughty), what? ;-p
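One way to see such a client in the access log before tuning mod_evasive thresholds, as an added example that is not from the thread: count requests per client, path and minute, and skip a whitelisted management range as the reply advises. The log lines are constructed, and 192.0.2.0/24 stands in for a management network.

```shell
#!/bin/sh
# Added example: flag clients that re-fetch the same path many times within
# one minute, roughly what mod_evasive's DOSPageCount/DOSPageInterval check
# does, but run offline over an Apache combined-format access log.

# Constructed sample log (not real traffic): two clients fetch the same file
# six times inside minute 14:29, a third behaves normally.
sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        printf '203.0.113.10 - - [08/Nov/2006:14:29:%02d -0500] "GET /files/big.iso HTTP/1.1" 200 512 "-" "Wget/1.10"\n' "$i"
        printf '192.0.2.5 - - [08/Nov/2006:14:29:%02d -0500] "GET /files/big.iso HTTP/1.1" 200 512 "-" "curl/7.15"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [08/Nov/2006:14:29:30 -0500] "GET /files/big.iso HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [08/Nov/2006:14:29:45 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
}

# Usage: flag_repeat_downloads LOGFILE [LIMIT] [WHITELIST_PREFIX]
# Prints "ip path count" for every client/path pair requested more than LIMIT
# times within a single minute; clients whose address starts with
# WHITELIST_PREFIX (e.g. your management range) are ignored.
flag_repeat_downloads() {
    awk -v limit="${2:-5}" -v skip="${3:-}" '
        skip != "" && index($1, skip) == 1 { next }
        {
            # $4 looks like [08/Nov/2006:14:29:01 ; keep the day and hour:minute
            key = $1 SUBSEP $7 SUBSEP substr($4, 2, 17)
            n[key]++
        }
        END {
            for (k in n) if (n[k] > limit) {
                split(k, f, SUBSEP)
                print f[1], f[2], n[k]
            }
        }' "$1" | sort
}

main() {
    log=$(mktemp)
    sample_log > "$log"
    echo "Clients over 5 requests/minute for one path:"
    flag_repeat_downloads "$log" 5
    echo "Same, with the 192.0.2.0/24 management range whitelisted:"
    flag_repeat_downloads "$log" 5 192.0.2.
    rm -f "$log"
}
main
```

The prefix match is a deliberately simple whitelist; on a real server point the function at the live access_log and compare the flagged addresses against what mod_evasive logs, then adjust DOSPageCount and DOSWhitelist accordingly.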
 
Old 11-09-2006, 01:16 PM   #5
jitenagr
LQ Newbie
 
Registered: Nov 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Please help

I have installed and configured mod_evasive on the server now. I have tested it by running the test.pl file that comes with it. It is all installed properly, but the attack is still getting through :-(.

I even have mod_security running on it and still no luck. Can you please help with it someway?

Regards,
jay
 
Old 11-10-2006, 06:50 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
OK. Here's what you can do for starters:
- ask the moderators of this forum to move your thread to the Linux Security forum,
- make a tarball out of your Apache configs and recent(!) Apache, mod_evasive, mod_security logs, saved firewall ruleset, /var/log/messages and any other configs and logs if you implemented other tools and cut off individual logs at 10MB each,
- post a D/L loc where we can get the tarball.
In the meanwhile you could, as a drastic measure, temporarily remove the targeted file from your docroot to stop downloading.
 
All times are GMT -5.