LinuxQuestions.org, Linux - Security forum
Is this level of traffic unusual for your host? There are only 102 connections (in various states) in the output you posted.
If this is overwhelming your server resources, you're going to need to look at limiting client connections. Which MPM are you using? If you don't know, post the output of:
Actually, I suspect not. There aren't that many open connections (well, not that many for a DDOS...it could just be an inept DDOS attack, of course) and quite a few of the connections are in '...waiting...' or '...ack...' states.
My suspicion is that there is something not quite right with, eg, the firewall and connections are hanging around in 'part-way-through' states.
Can you have a look and check that the firewall ruleset doesn't have anything suspicious in it?
Of course, you don't want to get complacent and not do anything about it just because it might be something else. If you can't quickly prove that it is something else, for safety, you probably have to assume it's a DDOS until proved otherwise.
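The two replies above both hinge on the same check: how many connections there really are, which TCP states they sit in, and whether a few peers hold most of the half-open ones. The script below is an added example for this thread (not code from any poster) that does that summary over `netstat -ant`-style output; the sample output, the addresses and the threshold of three half-open connections per peer are all constructed assumptions, not the poster's data.

```python
"""Summarise TCP connection states and per-peer counts from `netstat -ant`-style
output, so 'is this a DDOS?' can be answered from numbers rather than a glance.
Added example for this thread; the sample below is constructed."""
import re
from collections import Counter

# Constructed sample in the column layout of Linux net-tools `netstat -ant`.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       CLOSE_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.20:55000      ESTABLISHED
"""

# proto recv-q send-q local foreign state
LINE_RE = re.compile(r'^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$')

# States in which the peer has not finished (or not finished closing) the
# handshake; a pile of these from one address is what the thread calls
# connections 'hanging around in part-way-through states'.
HALF_OPEN_STATES = ('SYN_RECV', 'CLOSE_WAIT', 'FIN_WAIT1', 'FIN_WAIT2', 'LAST_ACK')

def parse_connections(text):
    """Yield (local, foreign_ip, state) for each non-listening TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, UDP, unix sockets
        local, foreign, state = m.groups()
        if state == 'LISTEN':
            continue
        foreign_ip = foreign.rsplit(':', 1)[0]  # drop the port
        yield local, foreign_ip, state

def count_states(text):
    """How many connections sit in each TCP state."""
    return Counter(state for _, _, state in parse_connections(text))

def half_open_per_peer(text, states=HALF_OPEN_STATES):
    """Per-peer count of connections stuck in half-open states."""
    return Counter(ip for _, ip, st in parse_connections(text) if st in states)

def suspicious_peers(text, threshold=3):
    """Peers holding at least `threshold` half-open connections. The threshold
    is an assumed starting point; calibrate it against your own normal traffic."""
    return {ip: n for ip, n in half_open_per_peer(text).items() if n >= threshold}

if __name__ == '__main__':
    print('by state:', dict(count_states(SAMPLE_NETSTAT)))
    print('peers with many half-open connections:', suspicious_peers(SAMPLE_NETSTAT))
```

Run it against `netstat -ant` output saved from the busy period and again from a quiet one; the comparison, not the absolute numbers, is what tells you whether the pattern is abnormal for this host.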
Actually my log is too big, about 500MB, and also the connections that I posted are few only... Now attached the full list of about 30KB. Can you check it and tell me please..
Every night at 11 PM and in the morning at 5 AM my httpd has too many processes running on it... and it takes so much time to log in to my SSH at that time... I've checked my access log but I can't figure out what's wrong.. Can you tell me whether I am under DDOS attack or not?
Here is an update from my error log that I feel is suspicious...
Code:
[Thu May 28 00:10:07 2009] [notice] SIGHUP received. Attempting to restart
[Thu May 28 00:10:08 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu May 28 00:10:08 2009] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu May 28 00:10:08 2009] [notice] Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.9 Mod_Security 2.5.9 enabled configured -- resuming normal operations
[Thu May 28 00:11:01 2009] [notice] caught SIGTERM, shutting down
[Thu May 28 00:11:03 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu May 28 00:11:03 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 28 00:11:03 2009] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu May 28 00:11:03 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Thu May 28 00:11:03 2009] [notice] Original server signature: Apache/2
[Thu May 28 00:11:04 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu May 28 00:11:04 2009] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu May 28 00:11:04 2009] [notice] Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.9 Mod_Security 2.5.9 enabled configured -- resuming normal operations
[Thu May 28 00:33:46 2009] [error] [client 127.0.0.1] File does not exist: /var/www/html/redir, referer: http://127.0.0.1/
[Thu May 28 00:33:46 2009] [error] [client 127.0.0.1] File does not exist: /var/www/html/404.shtml, referer: http://127.0.0.1/
[Thu May 28 00:42:10 2009] [error] [client 81.172.1.139] File does not exist: /var/www/html/b4g8zp.jpg, referer: http://www.legendarydevils.com/tv-sh...-episodes.html
[Thu May 28 00:42:10 2009] [error] [client 81.172.1.139] File does not exist: /var/www/html/404.shtml, referer: http://www.legendarydevils.com/tv-sh...-episodes.html
[Thu May 28 01:29:28 2009] [error] [client 190.11.65.181] request failed: error reading the headers
[Thu May 28 01:30:21 2009] [error] [client 72.234.148.150] Invalid URI in request HTTP/1.1 200 OK
[Thu May 28 01:30:21 2009] [error] [client 72.234.148.150] File does not exist: /var/www/html/400.shtml
[Thu May 28 01:43:52 2009] [error] [client 87.106.65.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu May 28 05:03:27 2009] [error] [client 203.87.176.18] request failed: error reading the headers, referer: http://www.legendarydevils.com/windo...untouched.html
[Thu May 28 07:12:10 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/adserver, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
[Thu May 28 07:12:10 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/404.shtml, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
[Thu May 28 07:12:12 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/st, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
[Thu May 28 07:12:12 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/404.shtml, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
exim: SIGTERM received - message abandoned
exim: SIGTERM received - message abandoned
exim: SIGTERM received - message abandoned
exim: SIGTERM received - message abandoned
exim: SIGTERM received - message abandoned
exim: SIGTERM received - message abandoned
exim: SIGTERM received - message abandoned
[Thu May 28 07:40:20 2009] [warn] child process 2374 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2746 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2858 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2418 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2474 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2666 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3098 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3102 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2507 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3119 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3139 still did not exit, sending a SIGTERM
...
@dheeraj4uuu: A simple question for you -- do you want to lower the limit on client connections at the Apache web server level or not? I don't quite follow your analysis, but if you feel restricting client connections is a possible solution, then please post the output of the command I mentioned earlier in the thread.
I just want to block the attack, that's it.. Whatever you ask me to do to stop the attack I will do... But one thing: I get a lot of visitors daily, about 35k....
@dheeraj4uuu: We don't precisely know if you are under attack. You need to be monitoring your server for normal and peak activity, and then pay attention to unusual patterns. What sort of access_log activity do you see from the suspected DDOSers?
You're using the prefork MPM, which you can read about here. If this extra web server activity is causing your server itself to be overwhelmed, I would recommend carefully tweaking the MaxClients directive to something more appropriate.
Note that this is not a silver bullet. It may cause legitimate clients to have to wait (and in really bad cases, time out). But this is the way to reduce the load on your server.
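"Something more appropriate" for MaxClients under prefork is usually derived from memory: each child is a full process, so the ceiling is roughly the RAM you can spare divided by the RSS of one child. The script below is an added example for this thread (not code from the replier or from the Apache project) that reads `ps` output for the httpd children, computes that figure, and renders a prefork block with the real Apache 2.2 directive names. The `ps` sample, the 2 GiB / 512 MiB memory figures and the hard cap of 256 are constructed assumptions.

```python
"""Derive a MaxClients value for the prefork MPM from the memory the running
httpd children actually use, and render the matching config block. Added
example for this thread; the `ps` output and memory figures are constructed."""

# Constructed output of `ps -C httpd -o pid=,rss=,user=` (RSS in KiB). The
# root-owned process is the parent, which does not serve requests.
SAMPLE_PS = """\
 1201  8192 root
 2374 18432 apache
 2746 20480 apache
 2858 19456 apache
 3098 22528 apache
"""

def child_rss_kb(ps_text, child_user='apache'):
    """RSS (KiB) of each worker child; the parent is excluded by user."""
    sizes = []
    for line in ps_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _pid, rss, user = parts
        if user == child_user:
            sizes.append(int(rss))
    return sizes

def average_kb(sizes):
    return sum(sizes) / len(sizes) if sizes else 0.0

def recommend_max_clients(total_mem_kb, reserved_kb, avg_child_kb, hard_cap=256):
    """MaxClients = (RAM left after the OS and other services) / per-child RSS.
    RSS counts shared pages once per child, so this is a conservative floor
    rather than an exact figure. hard_cap is an assumed ceiling for the example."""
    if avg_child_kb <= 0:
        raise ValueError('need at least one child process to measure')
    usable = max(total_mem_kb - reserved_kb, 0)
    return max(1, min(hard_cap, int(usable // avg_child_kb)))

def render_prefork_config(max_clients):
    """Apache 2.2 prefork block. ServerLimit must be >= MaxClients, otherwise
    Apache clamps MaxClients down to ServerLimit at startup."""
    start = min(8, max_clients)
    min_spare = min(5, max_clients)
    max_spare = min(20, max_clients)
    return '\n'.join([
        '<IfModule prefork.c>',
        '    StartServers         %d' % start,
        '    MinSpareServers      %d' % min_spare,
        '    MaxSpareServers      %d' % max_spare,
        '    ServerLimit          %d' % max_clients,
        '    MaxClients           %d' % max_clients,
        '    MaxRequestsPerChild  4000',
        '</IfModule>',
    ])

if __name__ == '__main__':
    avg = average_kb(child_rss_kb(SAMPLE_PS))
    # constructed: a 2 GiB host keeping 512 MiB for the OS, MySQL, exim, etc.
    mc = recommend_max_clients(2 * 1024 * 1024, 512 * 1024, avg)
    print('average child RSS: %.0f KiB, MaxClients: %d' % (avg, mc))
    print(render_prefork_config(mc))
```

Measure the children during the busy period, since that is when per-child RSS is highest, and leave the hard cap in place even on a large box: more children than the CPU and disk can serve only turns overload into swapping.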