2

A website of mine is being attacked by some IPs. I don't even know if it was a ddos yet, I only know that it has been filling my application's logs for longer than a day, and then the server crashed due to mysql memory usage I guess (I received an automatic email from webmin saying that mysql went down)

I have access to Iptables, but I'm not sure if I want it to get filled of blocked ips.

I just wanted to know what is the most common practice in this scenario, I'm relatively new to server administration.

I'm using linux Centos, Apache, Php, and MySQL

HappyDeveloper
  • 325
  • 1
  • 3
  • 7

4 Answers4

4

Fail2Ban (http://www.fail2ban.org/) can work in conjunction with a firewall such as iptables to monitor log files and automatically add rules to block certain IPs based on various rules e.g. a certain number of incorrect password attempts.

Phil
  • 3,168
  • 1
  • 22
  • 29
0

If you have find the IP the addresses from which attack is performing then you can go with the steps for blocking the same. Its the common as well as the effective practice in such scenarios. After that, monitor the server more care fully and make sure that no other IPs are doing attacks.

If you find IP table rules as difficult to manage, use CSF.

CSF is a front end for IPtable rules.

Suku
  • 2,036
  • 13
  • 15
0

There are a couple of options depending on your infrastructure. Are you using an edge security device such as a hardware firewall (PIX, ASA, Sonicwall, watchguard, firebox, etc)? If so you can just black hole the IP's (set up a rule that sends all of their packets to some subnet that doesn't exist, or to a honeypot, /dev/null, etc). You could also just configure the device to drop everything that they receive.

If your server itself is directly on the internet or in a DMZ, you can set up iptables/ipchains to drop everything from that group of IP's. Your issue is a bit worse though if its originating from a botnet because the potential pool of IP's could be incredible.

Matthew
  • 2,737
  • 8
  • 35
  • 51
0

You can limit connetions per ip with iptables.

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

B14D3
  • 5,188
  • 15
  • 64
  • 83
  • of course it's example, you have to determine the best number of connections per ip for your website – B14D3 May 23 '11 at 13:56