I run a linux server that hosts two file hosting sites. There is someone running an automatic script to keep downloading the same file and as a result maximizing the connections allowed in httpd.conf.
I have applied several modules like cband, and other techniques to block the user, but nothing is working. I have blocked his IP through iptables, and then he uses a subset of IPs. I have even blocked subsets of IPs and he still attacks with different IPs altogether then.
I have also added word verification, session timeouts, and everything else that I could think of and nothing has worked so far.
Can anyone please suggest a way to block this attack. If it is easier we can chat online as well. If someone can block this for me and tell me a successful solution I would gratefully pay for the help :-)
I have applied several modules like cband, and other techniques
Any particular User-Agent to spot? Tried mod_evasive? Anti-leech download thing that doesn't rely on IP address or referrer?
If it is easier we can chat online as well.
Simple rule. Ask question here, get answers here.
If someone can block this for me and tell me a successful solution I would gratefully pay for the help
You are not allowed to use money as an incentive hoping for more exposure or (more) expedient response. It is disrespectful towards your fellow LQ members. If you're satisfied with what LQ helps you with you can always donate to LQ.
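Before picking a countermeasure it helps to confirm what the flood actually looks like in the access log, since the poster says the source IP keeps changing. The script below is an added example, not something from this thread or from mod_evasive: it keys on request path plus User-Agent instead of client IP, so IP rotation does not split the count, and it lists the distinct addresses behind one User-Agent once that UA has been confirmed as the downloader. The log lines, file name, addresses and the "Wget/1.11" User-Agent it embeds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find a download flood that rotates source IPs in an Apache
# "combined" format access log. Counts hits per (path, User-Agent) pair rather
# than per IP, because per-IP counters (mod_evasive, iptables) never trip when
# the client changes address every few requests.
# Caveat: the awk below splits on the double quote, so a User-Agent or request
# line containing an escaped \" will shift the fields for that one line.

# flood_report THRESHOLD < access_log
# Prints "hits distinct_ips path<TAB>user_agent" for every (path, UA) pair
# with more than THRESHOLD hits, busiest first.
flood_report() {
    awk -v thr="${1:-50}" '
    {
        ip = $1
        split($0, q, "\"")            # q[2] = request line, q[6] = User-Agent
        split(q[2], req, " ")         # "GET /path HTTP/1.1" -> req[2] = path
        key = req[2] "\t" q[6]
        hits[key]++
        if (!((key SUBSEP ip) in seen)) { seen[key SUBSEP ip] = 1; ips[key]++ }
    }
    END {
        for (k in hits)
            if (hits[k] > thr) printf "%d %d %s\n", hits[k], ips[k], k
    }' | sort -rn
}

# ips_for_ua REGEX < access_log
# Distinct client IPs whose User-Agent matches REGEX, one per line, usable as
# a blocklist once a UA has been confirmed as the downloader script.
ips_for_ua() {
    awk -v pat="$1" '{ split($0, q, "\""); if (q[6] ~ pat) print $1 }' | sort -u
}

# sample_log: constructed log, not real traffic. 60 requests for one file from
# 12 rotating addresses with a scripted UA, plus two ordinary browser hits.
sample_log() {
    i=0
    while [ "$i" -lt 60 ]; do
        printf '10.0.%d.%d - - [12/Mar/2009:10:00:%02d +0000] "GET /files/big.iso HTTP/1.1" 200 734003200 "-" "Wget/1.11"\n' \
            "$((i % 12))" "$((i % 12 + 1))" "$((i % 60))"
        i=$((i + 1))
    done
    printf '192.0.2.10 - - [12/Mar/2009:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    printf '192.0.2.11 - - [12/Mar/2009:10:01:01 +0000] "GET /files/big.iso HTTP/1.1" 200 734003200 "http://example.com/" "Mozilla/5.0"\n'
}

# Demo when run as "sh flood.sh demo"; on a real server replace sample_log
# with something like: tail -n 100000 /var/log/httpd/access_log | flood_report 200
if [ "${1:-}" = "demo" ]; then
    sample_log | flood_report 50
    sample_log | ips_for_ua '^Wget'
fi
```

With the constructed log the report shows one flagged pair, the 60 hits on /files/big.iso from Wget spread over 12 addresses, while the two Mozilla requests stay below the threshold. On a live server the same report run over a recent window tells you whether there is a User-Agent worth filtering at all, which is the first thing unSpawn asks.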
I am sorry I did not want to offend the community by offering money for help, if I have done so I apologize.
So far I have not tried mod_evasive, is it a good module to detect attacks coming via proxy as well?
I have found the step by step instructions to install it when I do a Google search for "mod_evasive" and click on the second link. (It is not allowing me to post the link here.) Can you please let me know if this looks ok and would work as a good solution?
In addition to this are there any additional utilities that might help?
So far I have not tried mod_evasive, is it a good module to detect attacks coming via proxy as well?
It reacts per IP address, so if there's one of many people behind the same proxy or NAT device that fscks up, they all get blocked for the duration of DOSBlockingPeriod. Good suffer for the Bad.
I have found the step by step instructions to install it when I do a Google search for "mod_evasive" and click on the second link. (It is not allowing me to post the link here.) Can you please let me know if this looks ok and would work as a good solution?
They're all good as long as you pick the right values for your Apache-1 or 2 series config. Make sure you whitelist your management IP range. Then monitor and adjust. Do NOT block using Iptables firewall rules as stated on some sites unless you dump them in a temporary chain that gets cleaned up once so often.
In addition to this are there any additional utilities that might help?
I did mention looking for an anti-leech download thingie already. You could filter user agents in the Apache config or use mod_security for that (setting another UA is easy). Or check out http://gentoo-wiki.com/HOWTO_Apache_...width_limiting (no mod_limitipconn or mod_throttle for Apache-2). Or iptables modules like recent and hashlimit. Or host the files on FTP and make the FTP daemon throttle or set a cap. Or maybe trade in your Apache for another webserver, like LiteSpeed, which has built-in IP-level throttling (though only the std ed is free). Or run Squid in front of the webserver so the proxy takes the hits.
BTW, what category files are we talking about? Warez, carding, pr0n, literature (ooh, naughty), what? ;-p
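A concrete configuration along the lines unSpawn gives above, as an added example that is not from this thread or from the mod_evasive project: mod_evasive with the management range whitelisted, and every automatic firewall block kept in its own iptables chain that cron flushes, so a mis-fired block on a shared proxy or NAT address expires on its own instead of living in INPUT forever. The iptables side also adds a per-source rate limit on new HTTP connections with the hashlimit module. The chain names, the 192.0.2.* management range, the thresholds and the 30-minute flush interval are assumptions to tune for your own traffic; the Apache directives and iptables options are the real ones, but the values are not from the thread.

```shell
#!/bin/sh
# Added example: mod_evasive plus an iptables chain for its automatic blocks,
# plus a hashlimit rate limit on new HTTP connections. Names, ranges and
# thresholds are assumptions, not values from the thread. Run with APPLY=1
# as root to execute the iptables commands; otherwise they are only printed.

CHAIN="LQ_EVASIVE"            # assumed name: holds per-IP blocks added by mod_evasive
MGMT_NET="192.0.2.0/24"       # assumed management range for the iptables ACCEPT
MGMT_WILDCARD="192.0.2.*"     # same range in DOSWhitelist syntax (wildcards, not CIDR)
FLUSH_MINUTES=30              # upper bound on how long an automatic block lives

# mod_evasive config for Apache 2 (module name mod_evasive20). Apache does not
# allow trailing comments on directive lines, so comments sit on their own lines.
# DOSSystemCommand runs with %s replaced by the offending IP and appends to
# $CHAIN rather than INPUT, so the cron flush below cleans it up. It runs as the
# Apache user, so that user needs a sudo or su rule to call iptables.
evasive_conf() {
    cat <<EOF
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    # same URI more than 10 times within DOSPageInterval seconds
    DOSPageCount        10
    DOSPageInterval     1
    # any URI more than 100 times within DOSSiteInterval seconds
    DOSSiteCount        100
    DOSSiteInterval     1
    # seconds a tripped client keeps getting 403
    DOSBlockingPeriod   60
    DOSWhitelist        ${MGMT_WILDCARD}
    DOSLogDir           /var/log/mod_evasive
    DOSSystemCommand    "/usr/sbin/iptables -A ${CHAIN} -s %s -j DROP"
</IfModule>
EOF
}

# Firewall side: management range first, then the evasive chain, then a
# per-source limit on new connections to port 80. Older iptables releases
# spell --hashlimit-upto as --hashlimit. A client that spreads requests over
# many addresses is not caught here; that is what the log analysis is for.
firewall_rules() {
    cat <<EOF
iptables -N ${CHAIN}
iptables -N ${CHAIN}_RATE
iptables -A ${CHAIN}_RATE -m hashlimit --hashlimit-name http_new --hashlimit-mode srcip --hashlimit-upto 30/min --hashlimit-burst 60 -j RETURN
iptables -A ${CHAIN}_RATE -j DROP
iptables -I INPUT 1 -s ${MGMT_NET} -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 80 -j ${CHAIN}
iptables -I INPUT 3 -p tcp --dport 80 --syn -j ${CHAIN}_RATE
EOF
}

# Crontab line (for /etc/cron.d) that empties the block chain periodically.
cron_flush() {
    printf '*/%d * * * * root /usr/sbin/iptables -F %s\n' "$FLUSH_MINUTES" "$CHAIN"
}

# Print the rules, or execute them one per line when APPLY=1.
apply_firewall() {
    if [ "${APPLY:-0}" = "1" ]; then
        firewall_rules | while IFS= read -r line; do $line; done
    else
        firewall_rules
    fi
}

if [ "${1:-}" = "show" ]; then
    evasive_conf
    apply_firewall
    cron_flush
fi
```

Run it as "sh evasive.sh show" to review everything before applying. Keep the management ACCEPT at the top of INPUT and in DOSWhitelist both; the flush interval is the longest any mistaken block can last, so pick it shorter than your own patience when locked out.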
I have installed and configured mod_evasive on the server now. I have tested it by running the test.pl file that comes with it. It is all installed properly but the attack is still getting through :-(.
I even have mod_security running on it and still no luck. Can you please help with it someway?
OK. Here's what you can do for starters:
- ask the moderators of this forum to move your thread to the Linux Security forum,
- make a tarball out of your Apache configs and recent(!) Apache, mod_evasive, mod_security logs, saved firewall ruleset, /var/log/messages and any other configs and logs if you implemented other tools and cut off individual logs at 10MB each,
- post a D/L loc where we can get the tarball.
In the meanwhile you could, as a drastic measure, temporarily remove the targeted file from your docroot to stop downloading.