
I am trying to configure a WordPress and a NodeJS website together, using an apache2 server on an Ubuntu (20.04) virtual machine. I configured both applications successfully on my machine, but after some time I started getting unusual site-down notifications from my monitoring system. When I checked my Ubuntu machine using htop, I found that there are so many tasks going on, and when I checked things in more detail, I found that the Apache server is calling itself again and again, which creates load on the Apache server and ultimately leads to the site going down.

I also checked the number of requests my server is getting and found that it is getting many unusual requests from different IPs. So, I think it may be a DDoS attack. I terminated my machine and created a new machine for this, but got the same issue on the new machine.

I have no idea why this is happening to my machine. If anyone has any idea, please reply.

HTOP output: htop output

Apache status output: apache status output

IP requests output: IP address requests

  • It certainly looks like your server is getting a lot of requests from parties that probably don't have anything to do with your server. Try mod_qos https://fedingo.com/how-to-limit-requests-per-ip-in-apache/ or request a different IP address. – Gerrit Feb 28 '22 at 08:18
  • This is common. Bots are randomly scanning servers all over the Internet, and they are randomly testing URLs that might be vulnerable, and will exploit them when they find them – Sharuzzaman Ahmat Raslan Feb 28 '22 at 09:04
  • @SharuzzamanAhmatRaslan Is there any solution to this issue? It's occurring again and again for me on every instance. – Piyush Mittal Mar 01 '22 at 12:04
  • @Gerrit I tried your solution but nothing happened. Everything is the same. – Piyush Mittal Mar 01 '22 at 13:14

1 Answer


So, apparently, mod_qos did not help. Sometimes the load is too low-level on the network for Apache modules to effectively mitigate it.

A more low-level block can be tried with iptables.

iptables -I INPUT 2 -p tcp -s z.y.z.w -m comment --comment "whitelist ip 1" -j ACCEPT
iptables -I INPUT 2 -p tcp -s z.a.b.c -m comment --comment "whitelist ip 2" -j ACCEPT
iptables -N WEBTHROTTLE
iptables -A WEBTHROTTLE -m recent --set --name WEB --rsource
iptables -A WEBTHROTTLE -m recent --update --seconds 60 --hitcount 200 --name WEB --rsource -j LOG --log-prefix "Anti Web-Bruteforce: " --log-level notice
iptables -A WEBTHROTTLE -m recent --update --seconds 60 --hitcount 200 --name WEB --rsource -j DROP
iptables -I INPUT 4 -i if-entry -p tcp -m tcp --dport 443 -m state --state NEW -j WEBTHROTTLE

This does require that you already have some INPUT rules. The numbers directly after INPUT are the insertion point in the order of the rules. Everything after that number will shift one number up. In the last rule you should replace if-entry with something like eth0/ens192, the interface of entry.

Similar rules can be used on ip6tables.

To get a list of your current rules:

iptables -S INPUT
Gerrit
  • I implemented the above commands on my machine. But I am getting some errors for the above two commands. iptables v1.8.4 (legacy): host/network `z.y.z.w' not found Try `iptables -h' or 'iptables --help' for more information. – Piyush Mittal Mar 01 '22 at 19:19
  • z.y.z.w is just an example of an ip-address that you could whitelist. For example the ip-address that you use to do your own sessions. – Gerrit Mar 01 '22 at 21:23
  • Okay, but I have to make my website open to the public. So, in that case, how are other people going to access the website? – Piyush Mittal Mar 02 '22 at 04:22
  • And I also noticed a very different thing: if I add a domain name on my website IP and then try to access it, it works fine, but if I try with my IPv4 directly, it's almost not accessible. – Piyush Mittal Mar 02 '22 at 04:25
  • This is just a rate block, it doesn't make the site unreachable. And the rates given are very high. If you need rates that high, then the server is too light anyway. – Gerrit Mar 02 '22 at 07:40
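
An added example, not part of the original answer or its comments: before applying the 200-per-60-seconds throttle from the answer, the Apache access log can show which clients would actually reach it. The function names, the sample addresses and the common/combined log format are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not the answer author's code). Assumes Apache's common or
# combined LogFormat: field 1 = client IP, field 4 = "[dd/Mon/yyyy:hh:mm:ss".

# noisy_clients LIMIT  (log on stdin)
# Prints "<count> <ip> <dd/Mon/yyyy:hh:mm>" for every client whose request
# count within one clock minute is >= LIMIT, busiest first.
# Caveats: the iptables rule counts NEW TCP connections in a sliding 60 s
# window; this counts HTTP requests per clock minute. With keep-alive several
# requests share one connection, so these numbers err on the high side, and
# a burst that straddles two minutes is split between two buckets.
noisy_clients() {
    limit="${1:-200}"
    awk -v limit="$limit" '
        $4 ~ /^\[[0-9][0-9]\/[A-Za-z]+\/[0-9]+:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
            minute = substr($4, 2, 17)   # strip "[" and the ":ss" seconds
            hits[$1 " " minute]++
        }
        END {
            for (k in hits)
                if (hits[k] >= limit) print hits[k], k
        }' | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation-range addresses, not real traffic):
#   203.0.113.7   250 requests inside one minute   -> over the limit
#   192.0.2.9     150 + 150 across two minutes     -> under 200 per bucket
#   198.51.100.20 5 requests                       -> normal visitor
sample_log() {
    awk 'BEGIN {
        fmt = "%s - - [28/Feb/2022:08:%02d:%02d +0000] \"GET /index.php HTTP/1.1\" 200 512\n"
        for (i = 0; i < 250; i++) printf fmt, "203.0.113.7", 18, i % 60
        for (i = 0; i < 300; i++) printf fmt, "192.0.2.9", 18 + int(i / 150), i % 60
        for (i = 0; i < 5; i++)   printf fmt, "198.51.100.20", 18, i
    }'
}

# Demo on the constructed data.
sample_log | noisy_clients 200
```

On a real host, feed it the live log instead, for example `noisy_clients 200 < /var/log/apache2/access.log` (Ubuntu's default Apache log path, assumed here). Lowering the limit shows how many ordinary visitors a tighter throttle would catch.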