LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 07-12-2018, 05:28 PM   #1
yeknafar
LQ Newbie
 
Registered: Jul 2018
Posts: 10

Rep: Reputation: Disabled
Attacker IPs do not go through my cload


Hello

Thanks for your attention.
I am using a cload to prevent DDOs attacks on

my site and it is supposed just I see the IP of

my cload on my server but when I check it with

netstat -ntu | awk '{print $5}' | cut -d: -f1 |

sort | uniq -c | sort -n

I see many strange IPs and when I Google them I

find they are attacker IPs.


- I am using centos web panel (CWP).

Now I wonder:
- Why they come to my site directly and do not

go through the cload to prevent them? (I do not

think they have my IP, I have used 2 different

cloads)

- I ban them manually, can it becomes an auto

action?
- Are they doing Slowris attack on my site?

(Because I receive for example 335 load average

and database error sometime or even 3 times a

day with low bandwith)

- Is it a good job to ban the most famous

attacker IPs ? If yes how can I get the list?


Thanks
 
Old 07-13-2018, 08:17 PM   #2
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: High Sierra
Posts: 9,058
Blog Entries: 37

Rep: Reputation: Disabled
191 ways to echo hello world on the command line

So far, you're doing what should be done, in my opinion only.

Cloudfl can partially mitigate a low-to-modeate threat simply by pointing your NSs (Nameservers) at their service.
Cloudflare was started and staffed by the same team that gave us Project HoneyPot. Good stuff.
It's been a few years but they are pretty good and I give that team Mad Props.

The next "God, that wasn't so hard" is "centralized logging" and by that I speak of Elasticserch, Logstash, and Kibana, or "ELK".
https://duckduckgo.com/?q=ELasticsea...ean.com+centos
ELK and others are the shit.

Why they come to your server?
I don't know that answer, but I do know we shouldn't take it personally.
centos-webpanel features csf and I recommend you at poke around http://forum.centos-webpanel.com/csf-firewall/ and "get a feel"
WhM/cPanel was a big fat Target, so maybe this is too?

Close the database port to the world?
ELK "later", ok?

Code:
cat x | grep y | grep z | awk
... is old-as-dirt

But...that is also another good skill to have. Comfort at a text prompt.

ELK can slice and dice:
Visualizing Logs Using ElasticSearch, Logstash and Kibana - YouTube

Continue to do as you have been.
That's a good habit to have.

An Intro to badbots was an eye-opener for me.
Details that I found in my logs every dayfor seven years.
Been centralizing w\ELK ever since.

An Intro to badbots may offer you some hope of keeping this under control..
I'd love to grep your logs.
You familiar with the Apache webserver LogFormat directive?
Me either, so....Ha!

IDK how far I can encourage you, since I don't know what your equipped with or skilled to accomplish.
Secure your Apache server from DDoS, Slowloris, and DNS

I'll check in "in a few"...see how you are getting on.
Be encouraged.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Attacker IPs yeknafar Linux - Security 3 07-13-2018 06:40 PM
LXer: Most popular cload projects, Walmarts investment in open source, and more LXer Syndicated Linux News 0 08-29-2014 11:51 PM
iptables blocking all ips except US & US Amazon. Can't log dropped IPs. mcginlej Linux - Networking 3 10-08-2013 12:18 PM
Getting things straight: Apache, SSL, Multiple External IPs / Internal IPs robin.com.au Linux - Server 21 10-13-2007 11:39 PM
How about this attacker? pe2338 Debian 5 09-03-2003 05:43 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 09:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration