
I am having problems with what seems to be someone attacking my server. I have Plesk 12 and Fail2Ban and ModSecurity installed, but it doesn't seem to be helping with the following. Someone from an IP address keeps causing the following traffic when I check with Wireshark:
162.916029 x.x.x.x -> 69.207.6.43 HTTP Continuation or non-HTTP traffic
162.916034 x.x.x.x -> 69.207.6.43 HTTP Continuation or non-HTTP traffic
162.916041 x.x.x.x -> 69.207.6.43 HTTP Continuation or non-HTTP traffic
162.916045 x.x.x.x -> 69.207.6.43 HTTP Continuation or non-HTTP traffic
162.916051 x.x.x.x -> 69.207.6.43 HTTP Continuation or non-HTTP traffic

This is causing the Apache process to consume a lot of CPU resources. I am guessing it is a small DDoS attack. The CPU on the server itself doesn't show that bad of a load when I check with top.

I am trying to figure out whether there is a method in Fail2ban or ModSecurity to automatically filter this type of traffic instead of having to get a Cisco firewall.

Ryan A
  • If this activity is logged somewhere, you can create a new jail and filter in Fail2ban to ban source IP addresses. – Oleg Neumyvakin May 05 '15 at 06:05
  • I am a serious newbie at both Fail2ban and ModSecurity. There are a couple of different attacks happening. Two were just bots trying to log in to CMS platforms on the IP address. It was slowing down the server so much I decided to change the IP, and that decreased some of the load on the server. I still see different IPs making too many requests in a short period of time. Is there a script out there that allows detection of bad IPs through access_log on Apache and then creates rules to block those IPs through iptables? Or do you suggest a different method? – Ryan A May 05 '15 at 13:02
  • Fail2ban can do it, but you have to create filter rules (it's possible to do via the Plesk GUI). If you share examples of log strings of these activities, I can suggest filter rules. – Oleg Neumyvakin May 05 '15 at 15:49

0 Answers
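
An added example, not part of the original thread and not Fail2ban's own code: a minimal sketch of the access_log detection asked about in the comments, using a per-client sliding window (the same idea as Fail2ban's maxretry/findtime pair) and building iptables DROP rules as text without running them. The function names, thresholds and sample log lines are assumptions constructed for illustration; the log is assumed to be in Apache common/combined format.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of Apache common/combined log format: client, ident, user, [time], "request
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_noisy_ips(lines, max_requests=5, window_seconds=10):
    """Return {ip: peak_count} for clients exceeding max_requests inside any
    sliding window of window_seconds (like Fail2ban's maxretry/findtime)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
            ip = str(ipaddress.ip_address(m.group("client")))
        except ValueError:
            continue  # bad timestamp, or a hostname instead of an address
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def iptables_rules(peaks):
    """Build (but do not run) one DROP rule per flagged, validated address."""
    rules = []
    for ip in sorted(peaks):
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        rules.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return rules

# Constructed sample lines (documentation addresses, made-up paths)
SAMPLE_LOG = [
    f'192.0.2.10 - - [05/May/2015:13:00:{s:02d} +0000] "POST /cms/login HTTP/1.1" 200 1234'
    for s in (0, 0, 1, 1, 2, 2, 3, 4)
] + [
    f'198.51.100.7 - - [05/May/2015:13:00:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    for s in (0, 30, 59)
] + ["not an access log line"]

if __name__ == "__main__":
    for rule in iptables_rules(find_noisy_ips(SAMPLE_LOG)):
        print(rule)
```

The client field is parsed with `ipaddress` before it is placed in a rule, because anything read from a log should be validated before it reaches a command line. Traffic that never becomes a logged request will not appear in access_log and cannot be caught this way.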