
Dissect a web attack

Discussion in 'Plesk for Linux - 8.x and Older' started by Amin Taheri, Sep 28, 2007.

  1. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    Joined:
    Jul 5, 2007
    Messages:
    1,398
    Likes Received:
    1
    Location:
    Seattle Area
    Let's say that my web server (one of them, multiple, w/e, doesn't matter) is being "attacked", and as a result the CPU of the box is hitting 100% and staying there, or perhaps the attack is causing a seg fault in Apache and crashing the instance.

    What is a way to determine who is the "target" of the attack without actually sorting through packet captures?

    Does using piped logs in plesk assist or hinder finding the offending domain?

    ApacheTop has been mentioned, but since each domain uses its own log file it doesn't help much unless we know the domain under attack.

    Any useful thoughts or suggestions on this problem? (Yes, I know buying ASL can assist.) I am looking for something free and open source preferably, but pay-for solutions are not ruled out if they perform and are low cost with no recurring licensing.
     
  2. philjohn

    philjohn Guest

    IIRC, you can use wildcards when specifying the logfile for apachetop to use, e.g.

    apachetop $(for f in /var/www/vhosts/*/statistics/logs/access_log; do printf -- '-f %s ' "$f"; done)  # apachetop takes one -f per log file, so expand the glob into repeated -f options
     
  3. Amin Taheri

    I am using apachetop-0.12.6 and it doesn't seem to work using the wildcard.

    Using the command:
    Code:
    /root/apachetop-0.12.6/src/apachetop -f /var/www/vhosts/*/statistics/logs/access_log
    
    Am I using the wrong version?
     
  4. atomicturtle

    atomicturtle Golden Pleskian

    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Check out snort, www.snort.org. This has signatures for detecting denial of service, and other protocol level DoS attacks against apache.

    There are also rules built into ASL to do it, directly through mod_security.
     
  5. Amin Taheri

    Snort is used to avoid an attack, and ASL is a commercial product, and they don't really cover my question completely - but I do appreciate the response, thank you.

    What can you do when the attack is occurring and has passed through your firewalls and security rules? For example, someone is hitting a script on the server that is coded poorly and causing the memory or process to spike/crash?

    How can you figure that out, since it doesn't really "breach any rules" per se?
     
  6. Linulex

    Linulex Regular Pleskian

    Joined:
    Aug 4, 2001
    Messages:
    426
    Likes Received:
    61
    I have no idea how to find the domain of an ongoing attack, but we use some programmes to help prevent them from happening, and when they do happen, they don't bring down the whole server.

    - test the websites with Nessus http://www.nessus.org/nessus/ This won't solve all the problems, but one less is one less. You can even make money with it if you sell the service as a monthly security checkup or something like that.

    - be VERY rigid when disabling php safe mode.

    - mod_security is your friend

    - we use modcband http://cband.linux.pl/ to prevent a site under attack bringing down a complete server. When a server gets slower it's easy to look up in the Apache server status page who gets the most connections.

    hope this helps a bit
    Jan
     
  7. Amin Taheri

    Nessus is nice to test the overall server, but you can't use it to test every vhost on your server daily with each subdomain and sub folder; that would be unrealistic.

    mod_sec is nice, but the default rule set from Breach is bloated and inefficient, and blocks a lot of legitimate traffic from Joomla, phpBB, and most other applications out there. Having to fine-tune each rule for each intended application is also somewhat unrealistic, as that is incredibly time consuming. With that said, it's important to note that I do use it, but am not happy about it.

    If I read modcband correctly, it is only limiting the number of connections and bandwidth used per vhost (primarily) - that is nice, but doesn't really do anything that we need, as we have intelligent inline devices and firewalls that protect against DoS/DDoS/floods - our problem is preventing stupid users and bad coders from having their scripts hit within an allowable threshold which, due to that code mistake, crashes Apache or raises CPU/memory to a non-allowable rate, and having the ability to easily track down who the user/domain is.

    I appreciate your time and feedback as well as your input, but I don't see how it helps me in this particular scenario.
     
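The question the thread never quite answers is how to tell, while the box is pegged, which vhost is drawing the traffic. Since Plesk keeps one access log per domain (the /var/www/vhosts/*/statistics/logs/access_log path quoted above), the cheapest check that needs no packet capture is to read the tail of every vhost log, keep only the last few minutes, and rank domains by request count, showing the busiest client IP and the busiest script for each. The script below is an added example written for this page; it is not code from the thread, from Plesk or from apachetop. It assumes the logs are in Apache "combined" format and that the domain name is the path component after `vhosts`; the sample log lines, IPs and domains are constructed.

```python
"""Rank Plesk per-vhost access logs by recent request volume (added example).
Assumes Apache "combined" log format and the vhost log path quoted in the thread."""
import glob
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache combined format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DEFAULT_GLOB = "/var/www/vhosts/*/statistics/logs/access_log"  # path from the thread

def parse_line(line):
    """Return (client_ip, timestamp, uri_without_query), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    # Drop the query string so repeated hits on one script group together.
    return m.group("ip"), ts, m.group("uri").split("?", 1)[0]

def domain_from_path(path):
    """Map /var/www/vhosts/<domain>/statistics/logs/access_log to <domain>."""
    parts = path.split(os.sep)
    try:
        return parts[parts.index("vhosts") + 1]
    except (ValueError, IndexError):
        return path

def tail_lines(path, nbytes=4 * 1024 * 1024):
    """Read only the last nbytes of a log; a busy access_log can be huge."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - nbytes))
        lines = fh.read().decode("utf-8", "replace").splitlines()
    return lines[1:] if size > nbytes else lines  # first line may be partial

def summarize(logs, now, window):
    """logs: {domain: [lines]}. Returns per-domain rows, busiest domain first."""
    cutoff = now - window
    rows = []
    for domain, lines in logs.items():
        hits, ips, uris = 0, Counter(), Counter()
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue
            ip, ts, uri = rec
            if not (cutoff <= ts <= now):
                continue
            hits += 1
            ips[ip] += 1
            uris[uri] += 1
        if hits:
            rows.append({"domain": domain, "hits": hits,
                         "top_ip": ips.most_common(1)[0],
                         "top_uri": uris.most_common(1)[0]})
    rows.sort(key=lambda r: r["hits"], reverse=True)
    return rows

def summarize_server(pattern=DEFAULT_GLOB, window_seconds=300):
    """Live variant: rank every vhost log on the box over the last N seconds."""
    logs = {domain_from_path(p): tail_lines(p) for p in glob.glob(pattern)}
    return summarize(logs, datetime.now(timezone.utc), timedelta(seconds=window_seconds))

# Constructed sample (not real traffic): one script on example.com is being hammered,
# one entry is outside the window and one is not a valid log line at all.
SAMPLE_NOW = datetime(2007, 9, 28, 10, 20, 0, tzinfo=timezone(timedelta(hours=-7)))
SAMPLE_LOGS = {
    "example.com": [
        '203.0.113.7 - - [28/Sep/2007:10:15:01 -0700] "GET /forum/search.php?q=a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [28/Sep/2007:10:15:02 -0700] "GET /forum/search.php?q=b HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [28/Sep/2007:10:15:03 -0700] "GET /forum/search.php?q=c HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [28/Sep/2007:10:15:04 -0700] "GET /forum/search.php?q=d HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
        '198.51.100.2 - - [28/Sep/2007:10:16:00 -0700] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        '198.51.100.2 - - [28/Sep/2007:09:00:00 -0700] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        'this line is not a valid log entry',
    ],
    "example.net": [
        '198.51.100.9 - - [28/Sep/2007:10:18:30 -0700] "GET / HTTP/1.1" 200 1024 "-" "curl/7.16"',
        '198.51.100.9 - - [28/Sep/2007:10:18:31 -0700] "GET / HTTP/1.1" 200 1024 "-" "curl/7.16"',
    ],
}

def demo():
    """Rank the constructed sample over a five-minute window."""
    return summarize(SAMPLE_LOGS, SAMPLE_NOW, timedelta(seconds=300))

if __name__ == "__main__":
    for row in demo():
        print("{domain}: {hits} hits, top client {top_ip[0]} x{top_ip[1]}, "
              "top URI {top_uri[0]} x{top_uri[1]}".format(**row))
```

Run it as root on the server and `summarize_server()` ranks live vhosts; the domain at the top, together with its top URI, is usually the poorly coded script the thread is worried about, and the top client tells you whether it is one source or many. Piped logs do not change this, since Plesk still writes one access_log per vhost; only the window and the log format assumptions need adjusting if a vhost uses a custom LogFormat.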