Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
It shows thousands of IPs are on server. My server is also down BTW. I do not know how to block such kind of attacks. Attached is the screenshot of the tcpdump. Please PM me if you want to have a look at the complete tcpdump.
I don't know whether or not this will help, but I offer it anyway. I did a short gig with a hosting service. It sometimes happened that a website on a shared hosting machine would get DDoS'd, which would bring down the entire server, as they all shared the ip address of the server.
The hosting service's strategy to "mitigate" (their term) the attack was to move the other websites off to a different server to get them out of the line of fire.
A web search for "mitigate ddos" will turn up lots of articles; perhaps you can find something there.
Hi all,
Thanks for you reply. I captured the packets and found it's a Wordpress pingback attack. There are thousands of IPs involved in the attack on only port 80. I used following rule to block this attack:
This rule is from this site. It works all fine. However, the IPs keep coming back and my system tried to keep blocking the packets. I want to log the list of all these IPs which contain "WordPress" in the header. Is it possible to do it?
You should be able to use grep to extract the list of hits containing the string "WordPress" in them and save them to a file. For example
Code:
cat [somelog] | grep WordPress > [somefile]
"cat" reads the file, "grep Wordpress" extracts lines containing that string (note that it is case sensitive), and "> [somefile]" sends the output to a file of your choosing. You can then examine the file in a text editor.
Thanks for the reply. I am aware of these commands. However, I couldn't find the log file where it is keeping the track of all this. Also I find out loads of following messages in dmesg:
You should be able to use grep to extract the list of hits containing the string "WordPress" in them and save them to a file. For example
Code:
cat [somelog] | grep WordPress > [somefile]
"cat" reads the file, "grep Wordpress" extracts lines containing that string (note that it is case sensitive), and "> [somefile]" sends the output to a file of your choosing. You can then examine the file in a text editor.
I would guess that, as you are using nginx, they are somewhere in the nginx logs.
I've not used nginx, but I have used Apache, and Apache logs everything. I assume that nginx does the same, but I fear I cannot suggest where you should look.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
