Author Topic: Protection against Slowloris?  (Read 38114 times)


Re: Protection against Slowloris?
« Reply #15 on: July 16, 2018, 09:52:38 PM »
Wow
Thank you
You helped me to get rid of my mistake.

I did not have the part that you sent me in this picture. Why do I not have it?
And when I get this error "-bash: apxs: command not found", what should I do?


Thanks
I love CWP

Re: Protection against Slowloris?
« Reply #16 on: July 16, 2018, 09:58:36 PM »
Apache is on now, but I still get

Error 503 Backend fetch failed

Backend fetch failed
Guru Meditation:

XID: 32783

Varnish cache server


on my site.

Do I need to do something more?

For example, do I need to use "Rebuild Virtual Hosts"?

Thanks
I love CWP

Re: Protection against Slowloris?
« Reply #17 on: July 16, 2018, 10:00:29 PM »
Well, I can't tell why that is not showing in your panel. It would be best if you ask the creators.

For the apxs issue: it is compiled with Apache. You can symlink it so it is recognized:

ln -s /usr/local/apache/bin/apxs /usr/sbin/apxs

Now run apxs and it will work as you need.

http://send.bullten.net/download/92e90c5ba91f598515c103b894b1a9e7.html

Re: Protection against Slowloris?
« Reply #18 on: July 16, 2018, 10:01:02 PM »
An easy solution would be rebuilding the web server again.

Re: Protection against Slowloris?
« Reply #19 on: July 16, 2018, 10:31:49 PM »
It was a real nightmare without your help.
God bless you.
It became a good class for beginners too.  ;D
I love CWP

Re: Protection against Slowloris?
« Reply #20 on: July 16, 2018, 10:44:30 PM »
I love CWP

Re: Protection against Slowloris?
« Reply #21 on: July 16, 2018, 10:52:03 PM »
The version you have downloaded is outdated and supports only Apache 2.0.

You can download the version below and try

https://us.apachehaus.com/downloads/mod_antiloris-0.6.0-2.4.x-vc14-x64.zip

Re: Protection against Slowloris?
« Reply #22 on: July 16, 2018, 11:03:58 PM »
Thanks.
I did, but it seems to be the same problem.

http://send.bullten.net/download/2ca5a36bf2cd6060838c55dfcf1de865.html

How can I solve it, and after that how can I enable it in httpd.conf?


I know I have to add a line like "# SlowlorisModule bla bla bla" but I do not know exactly what.  :)

Thanks
I love CWP

Re: Protection against Slowloris?
« Reply #23 on: July 16, 2018, 11:20:35 PM »
Well, I would not use this module as it is totally outdated. But you can still do this.

Code:
wget https://gist.githubusercontent.com/NewEraCracker/e545f0dcf64ba816d49b/raw/07f1cb77545435a6af8d6be30d2a42488b7e589c/mod_antiloris.c
apxs -a -i -c mod_antiloris.c
service httpd restart

Check if the module is loaded:
Code:
/usr/local/apache/bin/httpd -M | grep antiloris
By the way, as per the above screenshot you are using Varnish, so you are already protected against Slowloris attacks; then why are you using mod_antiloris for that? :)
« Last Edit: July 16, 2018, 11:23:33 PM by bullten »
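
For the "what line goes in httpd.conf" question, this is what the three commands above leave behind. It is an added illustration for the thread, not the poster's or CWP's configuration: `apxs -a` writes the LoadModule line itself, the `modules/` path is the default apxs install location relative to a ServerRoot of /usr/local/apache, and `IPReadLimit` is the directive documented in the mod_antiloris 0.4 README (forks add or rename directives, so check the header of the source file you actually compiled).

```apache
# Written by "apxs -a -i -c mod_antiloris.c"; the path is relative to
# ServerRoot (/usr/local/apache on a CWP box). Added example, not the
# poster's config.
LoadModule antiloris_module modules/mod_antiloris.so

<IfModule antiloris_module>
    # Maximum simultaneous connections per client IP that may sit in the
    # READ state, i.e. still sending request headers. Slowloris holds many
    # such connections open from one address and trickles header bytes.
    # 0 disables the limit; 10 is the documented default.
    IPReadLimit 10
</IfModule>
```

Restart and confirm with `httpd -M | grep antiloris` as in the reply. One caveat that matters for this thread: mod_antiloris counts per client IP as Apache sees it. With Varnish in front on the same box, every backend connection arrives from 127.0.0.1, so the limit would apply to Varnish as a single client rather than to the real attacker, which is another reason the reply suggests relying on Varnish here.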

Re: Protection against Slowloris?
« Reply #24 on: July 17, 2018, 12:02:47 AM »


Now it says:

"AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using srv.mysite.com. Set the 'ServerName' directive globally to suppress this message
[root@srv mod_antiloris-0.4]# ^C"

I am under DDoS with Varnish and got database errors and a load average between 6 and 48 every hour.

For about 48 hours I have been using Cloudflare too; it shows that they are stopping many attacks (1,686 in about 48 hours) on my site. I did not get a database error, but I get a load average email with a load average between 10 and 20 every hour exactly.

I guess my Varnish is not in front of the web server and I have to change the ports.

I asked a guy; he told me to install this module and send him some logs so he could help me.

I do not know what to do now.
Can Varnish mitigate the attacks without Cloudflare too if I configure it? How do I have to do that?

I have had these attacks for about 6 months and have changed 3 hosting providers too. One of them asked me to leave.

My MySQL process says this too:

Threads: 10  Questions: 163636  Slow queries: 0  Opens: 4546  Flush tables: 1  Open tables: 200  Queries per second avg: 30.400

I do not know if it is a sign of Slowloris or not.


Thanks

I love CWP

Re: Protection against Slowloris?
« Reply #25 on: July 17, 2018, 06:42:56 AM »
Well, upon checking the server logs one will know what exactly it is. It would be hard to tell you anything on this without actual logs.
By the way, what is the output of this command when the load is high?

netstat -an | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

How many sites do you host on the server?

What is the output of htop?

yum install epel-release
yum install htop

htop

Did you try OVH? It provides DDoS protection for layer 3/4. Best would be to choose an SSD server.
https://www.ovh.com/world/

There are so many things to look at at the time of a DDoS.


Re: Protection against Slowloris?
« Reply #26 on: July 17, 2018, 08:27:23 AM »
I am on OVH.
I have two domains on it. One of them is not active; the other one has 10 subdomains with different MySQL databases.

When I use the command I get some connections (14 in this picture) that do not have any IP in front of them.

http://send.bullten.net/download/3585152de42b1a182a3587cd63c9fe19.html


This is the htop result:

http://send.bullten.net/delete/15bb3ffac2e61a00153c9b198debee24.html


Top of CWP:

http://send.bullten.net/download/57fb1e7625250d9e1fc08dfdf2d55714.html


If I change the port of my Varnish to 80, could that be useful? How can I do that?
Should I send other logs?

I am really thankful, and sorry to have disturbed you.
I love CWP

Re: Protection against Slowloris?
« Reply #27 on: July 17, 2018, 10:46:44 AM »
Hello,

What is the output of the command below?

Code:
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l

Also this command:

Code:
yum install iotop -y
iotop

Also this command:

Code:
iostat

Also this command:

Code:
tail -f /usr/local/apache/logs/error_log

Also this command:

Code:
tail -f /var/log/dmesg

Also this command:

Code:
tail -f /var/log/messages

Also this command:

Code:
cat /proc/cpuinfo | grep processor | wc -l
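
Both netstat pipelines in this thread (the one in Reply #25 and the one in Reply #27) reduce to the question "how many connections does each remote IP hold on port 80". The script below is an added example written for this thread, not code from either poster: it applies the same per-IP count to a constructed netstat sample (RFC 5737 documentation addresses) and flags addresses holding more than a chosen number of simultaneous connections, which is the shape a single Slowloris client has. The sample data, the threshold and the function names are all assumptions.

```sh
#!/bin/sh
# Added example for this thread, not the posters' code: per-IP connection
# counting on port 80 from `netstat -ntu` style output, with a threshold to
# flag clients that hold an unusual number of simultaneous connections.

# Constructed sample in the column layout of Linux `netstat -ntu`
# (RFC 5737 documentation addresses; 203.0.113.10 plays the server).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        TIME_WAIT
tcp        0      0 127.0.0.1:8080          127.0.0.1:55000         ESTABLISHED
tcp        0      0 203.0.113.10:80         127.0.0.1:56000         ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.99:60010        ESTABLISHED
udp        0      0 203.0.113.10:53         0.0.0.0:*'

# Read netstat output on stdin; print "count ip" for each remote address
# connected to local port 80, busiest first. Listening sockets and loopback
# (a local Varnish talking to the backend) are excluded, and the port is
# matched exactly so that :8080 does not count as :80.
count_port80_by_ip() {
    awk '$1 == "tcp" && $4 ~ /:80$/ && $6 != "LISTEN" {
             split($5, a, ":"); ip = a[1]
             if (ip != "127.0.0.1") c[ip]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Number of distinct remote IPs on port 80 (what the thread's `wc -l` reports).
distinct_port80_clients() {
    count_port80_by_ip | wc -l | tr -d ' '
}

# Print remote IPs holding more than $1 connections to port 80. Tune the
# threshold against normal traffic before acting on it; a handful of
# keep-alive connections per browser is ordinary, dozens from one IP is not.
flag_heavy_clients() {
    count_port80_by_ip | awk -v t="$1" '$1 > t { print $2 }'
}

# Stand-alone run against the sample. On a live box replace the printf with
# `netstat -ntu` (or `ss -ntu`, whose columns differ: adjust the field numbers).
printf '%s\n' "$SAMPLE_NETSTAT" | count_port80_by_ip
printf '%s\n' "$SAMPLE_NETSTAT" | flag_heavy_clients 3
```

Two differences from the one-liners in the thread are deliberate: the local port is matched with `/:80$/` rather than `grep :80`, so a proxy on 8080 is not counted, and 127.0.0.1 is dropped so that Varnish's backend connections do not show up as a client. If Varnish is the listener on port 80, the count reflects Varnish's clients; the Apache backend port will only ever show 127.0.0.1.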

Re: Protection against Slowloris?
« Reply #28 on: July 17, 2018, 01:49:39 PM »
Code:
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
20

I usually use
Code:
netstat -nt | grep :80 | wc -l

It is usually at least more than 10, but most of the time it goes to 100 too. Some days it was a small number, less than 1 or 0.


Code:
iotop
*iotop, as it seems, has an error

http://send.bullten.net/download/f56a8ff569338a992ffc5f02d73c4472.html


Code:
iostat
http://send.bullten.net/filesgroup/7359a5f7b19f49c8009170c7d6de6e64.html


With the above code I tested
Code:
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
another time; it shows 0.

Another time, iostat with 58, 77, 78:

http://send.bullten.net/download/3c6abb3789471247c1d3304d74267e2a.html

http://send.bullten.net/download/90c2c4a0761096db897ab5499316eee0.html



Code:
tail -f /usr/local/apache/logs/error_log
http://send.bullten.net/download/64ab037352350fcd13f5314003bf6ba5.html


Code:
tail -f /var/log/dmesg

[root@srv ~]# tail -f /var/log/dmesg
tail: cannot open '/var/log/dmesg' for reading: No such file or directory
tail: no files remaining


Code:
tail -f /var/log/messages

[root@srv ~]# tail -f /var/log/messages
Jul 17 18:16:07 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:16:07 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:16:26 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:16:26 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:16:26 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:16:26 srv systemd: clamd-scan.service failed.
Jul 17 18:16:26 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:16:26 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:16:26 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:16:26 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:16:45 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:16:46 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:16:46 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:16:46 srv systemd: clamd-scan.service failed.
Jul 17 18:16:46 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:16:46 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:16:46 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:16:46 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:17:01 srv systemd: Started Session c1147 of user root.
Jul 17 18:17:01 srv systemd: Starting Session c1147 of user root.
Jul 17 18:17:05 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:17:05 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:17:05 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:17:05 srv systemd: clamd-scan.service failed.
Jul 17 18:17:05 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:17:05 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:17:05 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:17:05 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:17:24 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:17:24 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:17:24 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:17:24 srv systemd: clamd-scan.service failed.
Jul 17 18:17:24 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:17:24 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:17:24 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:17:24 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:17:41 srv systemd: Started Session 304387 of user root.
Jul 17 18:17:41 srv systemd-logind: New session 304387 of user root.
Jul 17 18:17:41 srv systemd: Starting Session 304387 of user root.
Jul 17 18:17:48 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:17:48 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:17:48 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:17:48 srv systemd: clamd-scan.service failed.
Jul 17 18:17:49 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:17:49 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:17:49 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:17:49 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:18:01 srv systemd: Started Session c1148 of user root.
Jul 17 18:18:01 srv systemd: Starting Session c1148 of user root.
Jul 17 18:18:11 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:18:11 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:18:11 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:18:11 srv systemd: clamd-scan.service failed.
Jul 17 18:18:11 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:18:11 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:18:11 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:18:11 srv systemd: Starting Generic clamav scanner daemon...


Code:
cat /proc/cpuinfo | grep processor | wc -l
1


Now this command
Code:
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
is 16.

Thanks

I love CWP

Re: Protection against Slowloris?
« Reply #29 on: July 17, 2018, 04:08:10 PM »
This is not a DDoS attack. You should upgrade CPU cores and RAM for it.