Attack?


charmed

Hi guys,

I need your opinion.

I have a VPS with an SMF forum on it. Two weeks ago, multiple IPs tried to get into members' accounts at the same time, so I banned some of them. Then all those IPs started getting "banned" messages. And then I installed iptables.

Last week I moved to a different host. Yesterday, multiple IPs (proxies) tried to get in again and got "banned" messages again. But they totally overwhelmed the VPS. It ran out of memory and the VPS kept shutting down. There were like 700 entries in the ban log in 6 hours.

Then httpd was shut down and didn't want to start. So I had to use the cleanup command and the fixweb command to fix it. But the forum is kinda slower now, like it was right before the attack.

Is there any way to stop it?

Thank you for the answer.
 
Hey there, look at my signature, I have written quite a long tutorial on how to secure your website, and I think V1rgin has a tutorial on how to prevent DDoS attacks..
 
Thank you very much. Just reading it. :)

But I have a problem with chkrootkit. When I use wget, I get a "connection refused" error. Any idea?
 
chkrootkit does not prevent DDoS. Also, it's probably a brute-force attempt. You have to IP-ban them, there is nothing else you can do; since they use multiple IPs it's hard to say if it's a bot or not.
 
My gosh. I just googled it and checked the secure log, and there really had been a brute-force attempt... I think. I'll tell Krunix, as I have my VPS from KnownSrv... we will see. :) Anyway, thanks. :)
 
I did. Krunix told me to change the SSH port, so I did. And it helped.

I also blocked China in CSF, as most attacks came from there.

Now... I keep getting a lot of proxies from different countries visiting the forum, so it's overwhelming the VPS. There are like 400 visits in less than an hour. Krunix told me that the only way to stop them is to block them through CSF one by one.

Isn't there any other way?
 
Are these individual connections, or 1 or 2 IPs connecting 50-100 times each?

If yes, use PORTFLOOD to block the IP. I usually use iptables, but this is what I found in csf. I personally would use 5 connections for port 80 and not 20 if you are being attacked.

Krunix should have told you about this option.

PORTFLOOD is a comma separated list of:
port;protocol;hit count*;interval seconds

So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5" means:

1. If more than 5 connections to tcp port 22 within 300 seconds, then block
that IP address from port 22 for at least 300 seconds after the last packet is
seen, i.e. there must be a "quiet" period of 300 seconds before the block is
lifted

2. If more than 20 connections to tcp port 80 within 5 seconds, then block
that IP address from port 80 for at least 5 seconds after the last packet is
seen, i.e. there must be a "quiet" period of 5 seconds before the block is
lifted

More information about the ipt_recent module can be found in the iptables man
page and at http://snowman.net/projects/ipt_recent/

Note: Blocked IP addresses do not appear in any of the iptables chains when
using this module. You must manipulate the /proc/net/ipt_recent/* files as per
the module documentation to view and remove IP addresses that are currently
blocked if the blocks have not yet expired.

Restarting csf resets the ipt_recent tables and removes all of its blocks.

Note: There are some restrictions when using ipt_recent:

1. By default it only tracks 100 addresses per table (we try and increase this
to 1000 via modprobe)

2. By default it only counts 20 packets per address remembered

*This means that you need to keep the hit count to below 20.
 
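The csf README text quoted above describes PORTFLOOD in words; the script below, added here as an example and not taken from the thread or from csf itself, expands a PORTFLOOD string into the iptables rules it stands for, using the `recent` match (the kernel module now called xt_recent, formerly ipt_recent). The chain and list names are illustrative assumptions; csf keeps its own rules in its own chains. The hit-count check encodes the README's note that the module only remembers 20 packets per address by default.

```sh
#!/bin/sh
# Added example, not part of the thread or of csf: expand a CSF PORTFLOOD
# string into equivalent iptables rules built on the "recent" match.
# Chain (INPUT) and list names (PORTFLOOD_<proto>_<port>) are assumptions.

# Print iptables commands for each "port;proto;hits;seconds" entry.
# Returns 1 if an entry is malformed or its hit count cannot be tracked.
portflood_rules() {
    spec=$1
    status=0
    old_ifs=$IFS
    IFS=','
    set -- $spec          # split the comma separated list into entries
    IFS=$old_ifs
    for entry in "$@"; do
        IFS=';'
        set -- $entry     # split one entry into its four fields
        IFS=$old_ifs
        port=$1; proto=$2; hits=$3; secs=$4
        if [ -z "$port" ] || [ -z "$proto" ] || [ -z "$hits" ] || [ -z "$secs" ]; then
            printf 'malformed PORTFLOOD entry: %s\n' "$entry" >&2
            status=1
            continue
        fi
        # csf blocks on "more than N" hits; the recent match fires at
        # "N or more", so the iptables threshold is hits+1.
        hitcount=$((hits + 1))
        # The module remembers only 20 packets per address by default
        # (ip_pkt_list_tot), which is why csf says to keep hits below 20.
        if [ "$hitcount" -gt 20 ]; then
            printf 'entry %s: hit count %s exceeds what recent can track\n' "$entry" "$hits" >&2
            status=1
            continue
        fi
        name="PORTFLOOD_${proto}_${port}"
        # 1. If the source already has hitcount entries within secs seconds,
        #    drop it. --update refreshes its timestamp on every hit, which is
        #    what produces the "quiet period" before the block lifts.
        printf 'iptables -A INPUT -p %s --dport %s -m conntrack --ctstate NEW -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
            "$proto" "$port" "$name" "$secs" "$hitcount"
        # 2. Otherwise record the source and let the connection through.
        printf 'iptables -A INPUT -p %s --dport %s -m conntrack --ctstate NEW -m recent --name %s --set -j ACCEPT\n' \
            "$proto" "$port" "$name"
    done
    return $status
}

# The README's own example, with port 80 lowered to the 5 hits suggested above.
portflood_rules "22;tcp;5;300,80;tcp;5;5"
```

Addresses currently held in a list can be read from /proc/net/xt_recent/<name> on current kernels (the README's /proc/net/ipt_recent path is the older module's location), and writing `-<address>` to that file removes an entry. Note what this does and does not address: it throttles one source that opens many connections, which fits the "1 or 2 IPs connecting 50-100 times" case asked about above, but it does nothing against a thousand distinct proxies that each connect only a few times, which is the situation described later in the thread.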
CloudFlare does not auto-block IPs; you must do the blocking manually. This will be a problem if you block the wrong IP, because it will block some members from accessing your site, so you must be careful.
 
Thank you. So now I'm not sure if I should try CF or not. :(

That DDoS is seriously hardcore. :( Is there a way to block proxies in CSF?
 
I thought VPS hosting from KnownSrv was supposed to be fully managed; that would include helping with these kinds of problems.

Why isn't Krunix assisting you, the customer?
 
He does. And he is great. But in my country we say "more heads know more". :)

And he already optimized the VPS for me, changed settings for better performance, etc. Together with what you told me to do, it's an awesome combination which might help other people in the future. :)
 
Why not just copy that list into the csf.deny file?

One per line. It looks like that list is in an Excel spreadsheet, so it should be easy to get the IPs into a one-address-per-line file you can add to the csf.deny file.
 
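Going from a spreadsheet export to csf.deny lines is mostly about not pasting garbage into the firewall. The script below is an added example (not from the thread or from csf): it pulls dotted quads out of a CSV export, rejects anything that is not a valid IPv4 address, removes repeats, and skips an allow list so you do not deny your own address or a known member, which is the risk raised a few posts earlier. The CSV content is constructed for the example and uses documentation address ranges.

```sh
#!/bin/sh
# Added example, not from the thread or from csf: build csf.deny lines from a
# spreadsheet export. The CSV below is constructed sample input.

SAMPLE_CSV='ip,country,hits
203.0.113.7,XX,41
198.51.100.23,YY,12
203.0.113.7,XX,9
999.1.1.1,bogus,1
192.0.2.50,ZZ,3
'

# Read arbitrary text on stdin and print each valid IPv4 address once, in
# first-seen order. Octets above 255 (e.g. 999.1.1.1) are rejected.
extract_ipv4() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' |
    awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255 && !seen[$0]++'
}

# Turn stdin into csf.deny lines ("address # comment"), skipping any address
# in the whitespace separated allow list given as the first argument.
make_csf_deny() {
    allow=" $1 "
    comment=$2
    extract_ipv4 | while read -r ip; do
        case "$allow" in
            *" $ip "*) printf 'skipping allow-listed %s\n' "$ip" >&2 ;;
            *)         printf '%s # %s\n' "$ip" "$comment" ;;
        esac
    done
}

# Review the output before appending it to /etc/csf/csf.deny (assumed path)
# and running "csf -r" to reload; 192.0.2.50 stands in for your own address.
printf '%s' "$SAMPLE_CSV" | make_csf_deny "192.0.2.50" "proxy flood"
```

Two things worth checking before the reload: that your own address and any monitoring hosts are in the allow list, and that the file has not grown to thousands of entries, since csf loads each csf.deny line as a separate rule and a very long list costs CPU on a small VPS that is already short of memory.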
I did. :)

It's 2am and no attack today yet. Usually it starts at 11pm. So we will see. :)

I've even been thinking of changing domain if it keeps going.

btw. Hats off to you and Kruno, people. Without you all, I wouldn't know what to do. :)
 
I'm not sure how much it will help, but try using CloudFlare's DNS. If not all, it will block quite a few of those IPs (set the security level to high).

If you are using CloudFlare, I also wanted to advise that you could try to set your server to accept only connections from our IPs. If the attack appears to be coming from a specific country (or countries), you could also block them in your Threat Control panel (this will throw a challenge page up for all visitors from that region, which thwarts bots).
 
Wow. That looks great. Is it included in the free plan?

Anyway, today there was another attack. This time over 1000 IPs. Thankfully, Krunix optimized it very well, so the site was down only for like 10 minutes.
 
Yes, you can block countries and get most of CloudFlare's security features with a free account. One of my sites was hit by a similar DDoS attack. I was able to control it to a large extent with CloudFlare's help.
 

:| CloudFlare is not a DDoS mitigation solution.

It's just a CDN which provides security features.

They will suspend you if you get a (high-level) DDoS.
 