DDoS find & protect

What is a DDoS attack and how can I defend against it? Many people try to defend against DDoS simply with high bandwidth. To protect yourself it is good to know how DDoS works.

A DDoS attack aims at the weakest point, which is usually hard disk access or the CPU. That means it often generates requests to PHP or the web server that require a lot of computing power and memory in order to paralyze the page or the web server, or it tries to find a password and gain access through security holes.

The first indication that your server is under attack is that access to its websites becomes very slow or no longer possible.

In htop (apt-get install htop on Debian or Ubuntu, yum install htop on Fedora or CentOS) over SSH you will often see many processes like:
/usr/bin/php-cgi -c /var etc/php.ini
as well as just as many
apache
processes (under the same user).

A look at the last 3 entries of the access log for the user, for example
>tail -3 /var/www/vhosts/mypage.de/logs/access_log
shows us POST requests to xmlrpc.php, a known security risk in WordPress. Here someone is trying to get access via a brute force attack.

163.172.183.150 - - [13/Oct/2016:22:37:54 +0200] "POST /xmlrpc.php HTTP/1.0" 503 1322 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
163.172.183.150 - - [13/Oct/2016:22:37:56 +0200] "POST /xmlrpc.php HTTP/1.0" 503 1322 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
163.172.183.150 - - [13/Oct/2016:22:37:57 +0200] "POST /xmlrpc.php HTTP/1.0" 503 1322 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

With a simple iptables rule we can block access from the attacker's IP, reduce the load on the server and make it accessible again.

# drop all packets from the source IP
>iptables -I INPUT -s 163.172.183.150 -j DROP

163.172.183.150 stands here as an example of an attacker's IP.
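The log check and the iptables rule above can be combined into one small script. This is an added example and not part of the original post: it counts POST requests to xmlrpc.php per source IP in the combined log format shown above and prints a DROP rule for every IP over a threshold, so an admin can review the list before applying it. The log lines, the IP addresses (documentation ranges) and the threshold of 3 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: find source IPs that flood
# xmlrpc.php and turn them into iptables DROP rules for review.

# Constructed sample access log, modelled on the three lines in the post.
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not real hosts.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [13/Oct/2016:22:37:54 +0200] "POST /xmlrpc.php HTTP/1.0" 503 1322 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Oct/2016:22:37:55 +0200] "POST /xmlrpc.php HTTP/1.0" 503 1322 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Oct/2016:22:37:56 +0200] "POST /xmlrpc.php HTTP/1.0" 503 1322 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Oct/2016:22:37:57 +0200] "POST /xmlrpc.php HTTP/1.0" 503 1322 "-" "Mozilla/4.0"
198.51.100.9 - - [13/Oct/2016:22:38:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Oct/2016:22:38:02 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF
)

# xmlrpc_offenders <threshold>  (reads an access log on stdin)
# Prints "count ip" for every source IP with more than <threshold> POSTs
# to /xmlrpc.php. In the combined log format field 1 is the client IP,
# field 6 is the quoted method and field 7 is the request path, so GETs
# and other URLs are ignored and a single legitimate pingback stays below
# the threshold.
xmlrpc_offenders() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
    ' | sort -rn
}

# suggest_blocks <threshold>  (reads an access log on stdin)
# Prints the iptables rule from the post for each offender instead of
# applying it: the source may be a hacked system rather than the attacker,
# so the list should be checked (and the owner contacted) first.
suggest_blocks() {
    xmlrpc_offenders "$1" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count POSTs to xmlrpc.php"
    done
}

printf '%s\n' "$SAMPLE_LOG" | suggest_blocks 3
```

On a live server replace the embedded sample with `tail -n 1000 /var/www/vhosts/mypage.de/logs/access_log | suggest_blocks 3`.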

(It can also be a hacked system...) so it is useful to contact the owner.

Via a reverse lookup or a database like https://db-ip.com/ and the WHOIS entry from nic.com/whois we get the data of the IP owner and can send them an email.

To block access to xmlrpc.php you can remove the execute permission by typing:
>chmod -x /var/www/vhosts/yourdomain.com/httpdocs/xmlrpc.php

To undo this use:
>chmod +x /var/www/vhosts/yourdomain.com/httpdocs/xmlrpc.php

To do these steps automatically you can use the program fail2ban.

A tutorial can be found at:

https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04

or

https://www.linode.com/docs/security/using-fail2ban-for-security
