+10 votes
1.3k views
in Linux by (11.7k points)
hello,
 
See if someone can help me:
 
I have a Plesk VPS (Ubuntu Server), and since the 31st it has been getting a DDoS attack from a large number of addresses (mainly from Iran, India, Malaysia, Kazakhstan, ....., although there are also addresses from France and Argentina; I don't know whether this information is useful).
 
Reviewing the logs, I see that one of the hosted domains is receiving connections with the following information:
 
[IP_ORIGEN] [datetime] "POST / HTTP/1.1" 200 13026 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
 
That is, they try to inject some kind of content of about 13 KB (there are several sizes, but that is the most common). The USER-AGENT (Mozilla 4.0 ....) is always the same, but the IP changes, so I assume it's some sort of virus that identifies itself as Internet Explorer 6. There are several connections per second, which logically use up the maximum number of connections I have configured in the Apache server and prevent the websites from working; if I increase the number of connections I can load the page, but it saturates the server's memory and everything works slowly.
 
Furthermore, the SMTP server is also getting hundreds of connections; in this case the file /var/log/mail.info has lines like these:
 
[Date] [nombre_de_mi_servidor] postfix/smtpd[NUMBER]: connect from unknown[IP ADDRESS]

[Date] [nombre_de_mi_servidor] postfix/smtpd[NUMBER]: disconnect from unknown[OTHER IP ADDRESS]

[Date] [nombre_de_mi_servidor] postfix/smtpd[NUMBER]: lost connection after UNKNOWN from unknown[IP ADDRESS]
 
In one second I can have about 20 lines.
 
Any idea how I can block this, considering that there are a large number of IP addresses and they are not repeated many times? (I don't think I can add a firewall rule based on the number of connections per minute, because there may be 2 in the same minute and that IP does not return until several hours later.)
 
I tried stopping the Apache server and Postfix for several hours, but as soon as I restart them the traffic restarts too; now I have tried disabling the particular domain that was receiving requests, but for now the traffic continues. For what it's worth, the page is made with an outdated WordPress (I didn't make it, and I don't dare touch it because there are things that don't work well and I could leave it unusable).
 
Thank you all very much; any suggestions are welcome.
by (11.7k points)
Thank you very much for the 2 answers. For now I have the server operational after having limited about 40 subnets and several individual IP addresses, although I don't think blocking individual IPs helps much: if the attack comes from an infected PC, it is very likely to be a dynamic IP, so tomorrow that same machine could be attacking me from another IP. Blocking subnets (especially as I did, with mask 255.0.0.0) is a rather drastic measure (I'm blocking 16 million addresses in each iptables line). I'm looking at the Cloudflare website, a service I didn't know, and it looks good; I think I'll try it, and I'll also look at fail2ban for mail. I hope this thread will be useful to others who may be in a similar situation.
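The point the asker makes in the question is that a per-IP connection-rate rule cannot see this traffic, because each source only connects once or twice, while the request itself is identical every time (POST to /, ~13 KB, the same MSIE 6.0 user agent). The following script, added here as an example and not code from the thread, runs that comparison over constructed Apache combined-log and Postfix mail.info lines in the shape the question describes (the IPs are documentation addresses, and the hostname, PIDs and timestamps are invented): it counts requests per second, shows what a per-source threshold would catch, groups the attacking sources by /24, and summarises the SMTP connects that drop without a command.

```python
import re
import ipaddress
from collections import Counter

# Constructed Apache combined-format lines (documentation IP ranges); not real traffic.
ACCESS_LOG = """\
203.0.113.10 - - [31/Jan/2016:10:00:01 +0100] "POST / HTTP/1.1" 200 13026 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [31/Jan/2016:10:00:01 +0100] "POST / HTTP/1.1" 200 13026 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.11 - - [31/Jan/2016:10:00:01 +0100] "POST / HTTP/1.1" 200 12990 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.55 - - [31/Jan/2016:10:00:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
203.0.113.12 - - [31/Jan/2016:10:00:02 +0100] "POST / HTTP/1.1" 200 13026 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [31/Jan/2016:10:00:02 +0100] "POST / HTTP/1.1" 200 13026 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# Constructed Postfix mail.info lines (real postfix/smtpd format: hostname[ip], no spaces).
MAIL_LOG = """\
Jan 31 10:00:01 myserver postfix/smtpd[1234]: connect from unknown[203.0.113.20]
Jan 31 10:00:01 myserver postfix/smtpd[1234]: lost connection after UNKNOWN from unknown[203.0.113.20]
Jan 31 10:00:01 myserver postfix/smtpd[1234]: disconnect from unknown[203.0.113.20]
Jan 31 10:00:01 myserver postfix/smtpd[1235]: connect from unknown[198.51.100.8]
Jan 31 10:00:02 myserver postfix/smtpd[1235]: lost connection after UNKNOWN from unknown[198.51.100.8]
Jan 31 10:00:02 myserver postfix/smtpd[1236]: connect from mail.example.net[192.0.2.9]
Jan 31 10:00:03 myserver postfix/smtpd[1236]: disconnect from mail.example.net[192.0.2.9]
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
MAIL_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
    r'(?P<event>connect from|disconnect from|lost connection after \S+ from) '
    r'(?P<host>\S+)\[(?P<ip>[^\]]+)\]'
)

# The user agent the question reports on every attacking request.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


def parse_access(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            d = m.groupdict()
            d["second"] = d["ts"].split(" ")[0]  # timestamp without the tz offset
            entries.append(d)
    return entries


def signature_matches(entries, ua=BOT_UA, method="POST", path="/"):
    """Requests carrying the attack's fixed fingerprint (same UA, POST to /)."""
    return [e for e in entries
            if e["ua"] == ua and e["method"] == method and e["path"] == path]


def requests_per_second(entries):
    """How hard the server is being hit, independent of which IP sends it."""
    return Counter(e["second"] for e in entries)


def ips_over_per_ip_limit(entries, limit):
    """What a plain per-source rate rule would catch: sources with > limit hits."""
    counts = Counter(e["ip"] for e in entries)
    return {ip for ip, n in counts.items() if n > limit}


def sources_by_prefix(ips, prefix=24):
    """Count attacking sources per /prefix network (keys are strings like '203.0.113.0/24')."""
    nets = Counter()
    for ip in ips:
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return nets


def smtp_events(text):
    return [m.groupdict() for m in map(MAIL_RE.match, text.splitlines()) if m]


def smtp_summary(events):
    """Connects per second, plus sources that connected and sent no command at all."""
    connects = Counter(e["ts"] for e in events if e["event"] == "connect from")
    silent = {e["ip"] for e in events
              if e["event"].startswith("lost connection after UNKNOWN")}
    return connects, silent


if __name__ == "__main__":
    hits = signature_matches(parse_access(ACCESS_LOG))
    print("signature hits/second:", dict(requests_per_second(hits)))
    print("caught by a >1 hit per source rule:", ips_over_per_ip_limit(hits, 1))
    print("attacking sources per /24:", dict(sources_by_prefix(e["ip"] for e in hits)))
    conn, silent = smtp_summary(smtp_events(MAIL_LOG))
    print("smtp connects/second:", dict(conn), "silent sources:", silent)
```

On the sample data the per-source rule flags a single IP while the fingerprint flags five of six requests, which is the mismatch the asker describes; the `sources_by_prefix` output is what you would look at before deciding whether a /24 block has acceptable collateral.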

2 Answers

+11 votes
by (26.3k points)

Dear friend,

The best thing to do with your server is to configure the website (or websites, or all the domains on the VPS) that are being attacked with the free version of Cloudflare ( https://www.cloudflare.com/ ), because although you block the traffic with iptables, it will keep coming to your server and counting towards the monthly calculation.

This will protect you from DoS and DDoS attacks and your server will be "invisible" from the Internet. Once that is done, you only have to worry about SMTP, which is somewhat easier to eradicate with tools like fail2ban, among others.

Regards,

+12 votes
by (10.4k points)
Hello! It is common for there to be botnets dedicated to probing servers on the network for holes and vulnerabilities (in web pages, for malicious code injection; in mail servers, looking for weak passwords). The only way to cut off this type of attack is through iptables, which cuts the connection. To block an IP using iptables:

iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
by (11.7k points)
Thank you, that's what I'm trying, although with address blocks (-A INPUT -s 1.0.0.0/8 -j DROP, to block all addresses in the 1.xxx.xxx.xxx network); the problem is that there are many different addresses. Another test I did was to remove the original index.php and put in one that has nothing to do with WordPress; at least I see that there is less traffic (it doesn't help me much, because more connections keep coming in). I'll keep working on it and will respond to messages if someone else comes up with something.
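The asker's follow-up shows the trade-off with one `-s x.0.0.0/8 -j DROP` line per network: each rule silently covers 16 million addresses, and one iptables rule per attacker does not scale to hundreds of sources either. The script below is an added example, not code from this thread: it takes a list of attacker IPs (constructed here from documentation ranges, not the addresses in the question), blocks a /24 only when at least `min_hosts` attackers fall inside it and single hosts otherwise, reports how many addresses each plan covers, and emits `ipset restore` input so that all entries sit in one `hash:net` set referenced by a single `iptables -m set` rule. The set name `attackers` and the thresholds are choices of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed attacker list standing in for the output of a log analysis
# (documentation ranges only; not the IPs from the thread).
ATTACKERS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.77",
             "198.51.100.7", "192.0.2.200"]

SET_NAME = "attackers"  # name chosen for this example


def plan_blocks(ips, prefix=24, min_hosts=3):
    """Return the networks to block.

    Sources are grouped by /prefix; a whole group is blocked only when it holds
    at least min_hosts attackers, otherwise each host is listed as a /32.
    prefix=8 with min_hosts=1 reproduces the coarse per-/8 blocking from the thread.
    """
    groups = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[net].add(ipaddress.ip_address(ip))
    plan = []
    for net, hosts in sorted(groups.items()):
        if len(hosts) >= min_hosts:
            plan.append(net)
        else:
            plan.extend(ipaddress.ip_network(str(h)) for h in sorted(hosts))
    return plan


def addresses_covered(nets):
    """Collateral estimate: total addresses the plan drops, attackers included."""
    return sum(n.num_addresses for n in nets)


def ipset_restore(nets, setname=SET_NAME):
    """Text for `ipset restore < file`; -exist makes re-runs idempotent."""
    lines = [f"create {setname} hash:net family inet hashsize 4096 maxelem 65536 -exist"]
    lines += [f"add {setname} {n.with_prefixlen} -exist" for n in nets]
    return "\n".join(lines) + "\n"


def iptables_rule(setname=SET_NAME):
    """The single firewall rule that consults the set for every incoming packet."""
    return f"iptables -I INPUT -m set --match-set {setname} src -j DROP"


if __name__ == "__main__":
    fine = plan_blocks(ATTACKERS)
    coarse = plan_blocks(ATTACKERS, prefix=8, min_hosts=1)
    print("per-/24 plan covers", addresses_covered(fine), "addresses")
    print("per-/8 plan covers", addresses_covered(coarse), "addresses")
    print(ipset_restore(fine))
    print(iptables_rule())
```

Keep the set updated from the log analysis instead of editing iptables by hand; with `hash:net` the lookup cost does not grow with the number of entries the way a long chain of `-s ... -j DROP` rules does.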