Preventing DoS attack?

[Jamai]

Although not really Plesk-related, I'm still asking this because a lot of people here have a lot of technical knowledge.

I just had a few DoS-attacks today and got a program called "Webclaw 4r" that is causing it. This program is able to take my complete server offline with just one person using it. It just requests like 100 pages per second, and so it clogs the apache server so much that it gets slow and eventually gets down after a few seconds.

Does anyone know of a good way of stopping this?

I've tried mod_dosevasive and it does block me after a tenth of a second (if I open a page afterwards I receive a 403) but still, it clogs up my server completely.

 

[NightStorm]

Have you tried running mod_dosevasive alongside a firewall, or just letting it serve the 403 errors for X seconds?
There is an option that instead of just blocking for a few seconds, it instead executes a given command. I suggest you add your own IP to the whitelist (to prevent it hitting you), and setting dos_evasive to firewallban the attacking IP instead of just blocking it.
Done properly (like, as an example, /sbin/iptables -A INPUT -s %s -p tcp -m tcp --dport 80 -j DROP), it will completely shut out the person, and your server will survive the attack.
Make sure you don't set dosevasive too low with this though, or you'll find it's blocking legitimate queries as well. Also use the email feature so you know both when an attack is happening, and when a good guy is innocently blocked out.
Another option, one that worked great for me, was scrutinizer. I don't have the link on me right now, but you should be able to track it down on google. Documentation is scarce, but if you are determined enough, you'll get it.

 

[jamesyeeoc]

Why ban the IP from just port 80? Why not just drop the IP from all ports? That's what I do.

 

[Jamai]

I do receive the mails, and often I add the address to Plesk's firewall. Is it possible to add to this firewall from the commandline? I assume it is, but I also assume this isn't standard iptables stuff.

I'll look into scrutinizer too, thanks for the info, really appreciate it!

 

[NightStorm]

A good question jamesyeeoc... and under normal circumstances, I would simply block the IP on all ports.
Except that my server runs more than just httpd, and dosevasive has been known on several occasions to list an innocent user. If they were blocked on all ports, this user (sometimes a customer of mine paying money for service) would lose access to Plesk, to their website, to mail, to our Helpdesk, to our support jabberd service, and to our support IRC Server. They would have to fall back on a secondary email account such as hotmail or yahoo in order to contact me, and they would have to hope that I am actually at my computer watching for messages from them.
WIth the setup I have now, they are blocked on Port 80... from there, they can chose to contact me through JabberIM, or through the Plesk Helpdesk (which goes to all the server administration), or through our secondary helpdesk which sends a page to my mobil, or through the eggdrop in our support IRC server (which also sends a page to my mobil).
I felt that since dosevasive only monitors 'attacks' on port 80 anyway, I may as well focus on port 80 as the blocking point.

 

[Jamai]

I store my helpdesk-pages on a different system, so that is not a problem for me.

I have installed scrutinizer succesfully on my testsystem, very easy compiling and such, but I can not run the "viewer" (scc) to see the status due to Curses::UI not being installed. I tried installing it using perl -MCPAN -e shell; and then type install Curses::UI, and even install Curses, even tried to compile from source but it all gives me errors.
Any guidelines on this? It's a standard platform with Plesk 7.5.3 and Fedore Core 2

Also running gives problems:
cat /var/log/httpd/access_log | ./scrutinizer
Undefined subroutine &SM::Init::cleanup called at SM/Init.pm line 100.

 

[Jamai]

Well, after installing from RPM the Curses-stuff is working.

Only problem now is this:
Undefined subroutine &SM::Init::cleanup called at SM/Init.pm line 100.

 

[jamesyeeoc]

Nightstorm - I see your point though, and may reconsider my policy if it ever happens. My original reasoning was that if a client became infected with something and ended up flooding my server(s) with http, dns, ftp, etc requests, then it would keep the server protected and allow the client to get cleaned up.

Jamai - I had posted somewhere recently, that the Plesk firewall is a series of control scripts and database blobs which control the standard IPTABLES. Unfortunately, it over-rides anything you may manually put into the /etc/sysconfig/iptables file.

Personally, I chose to remove Plesk firewall control module and continue manually controlling the Iptables.

 

[Jamai]

I see.... I was already searching in MySQL, but indeed BLOBS.... not good to use, otherwise I'd be able to create my own scripting with it.

I was just so lucky about the Plesk Firewall module, because I don't have much experience with firewalls. But now I'm not so happy anymore.

I think I'll start using APF soon. THank you!

 

[demonicnewbie]

Hi there,

I've been trying to install scrutinizer and mod_dosevasive but I don't seem to have the command apxs2 on my server.

Is this not included with plesk? and what do I need to do to install it?

Any help would be much appreciated.

Thanks

 

[jamesyeeoc]

Do a 'locate apxs' I was able to install mod_dosevasive just the other day with no problems.

 

[Jamai]

It *is* included, but the default apxs is the wrong one, it is for the internal Apache of the Plesk control panel, not the apache you run with.

Type:
locate apxs
To find the wrong version.

You can type:
yum install httpd-devel
to install the correct one.

Type:
updatedb
So it includes the newly installed files.
Next type:
locate apxs

Now you should have (at least) 2 options, use the one it didn't find before.

 

[jamesyeeoc]

Yeah, I forgot I already had http-devel installed for some other thing. Sorry, been up for about 5 days straight now and is difficult to think. Love caffeine!!!

 

[demonicnewbie]

Thanks for that info, it compiled okay now.
The documentation is sparce and I have no idea if its working correctly or not or indeed how to set it up properly.

Do you know any documentation for scrutinizer and how to get it up and running the install doc wasn't that good..

Would u recommend I use mod_dosevasive instead???

Cheers

 

[Jamai]

Am having problems with scrutinizer myself too, but it looks promising. It doesn't seem to keep running though.

mod_dosevasive doesn't help much. I can take off my own servers with Webclaw 4r or any other DoS-program, just by using one connection...