Control Web Panel

WebPanel => How to => Topic started by: brijendrasial on May 08, 2015, 07:35:34 PM

Title: Protection against Slowloris?
Post by: brijendrasial on May 08, 2015, 07:35:34 PM
What measures are you all actually taking to protect your server from a Slowloris attack?
Title: Re: Protection against Slowloris?
Post by: Parricull on August 14, 2015, 07:39:53 PM
For myself, I'm hosted with OVH, which has DDoS protection as standard, but on the server side I also use mod_antiloris.
Code:
1. Download the installer and install from Sourceforge.net:

$ cd /usr/local/src
$ wget -O mod_antiloris-0.4.tar.bz2 http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2/download
$ tar -xvjf mod_antiloris-0.4.tar.bz2
$ cd mod_antiloris-*
$ apxs -a -i -c mod_antiloris.c

2. Restart Apache:

$ service httpd restart
Title: Re: Protection against Slowloris?
Post by: Farukh Khan on November 06, 2015, 10:59:30 AM
What other hard solution do you have, bullten, for Slowloris protection in CWP?
Title: Re: Protection against Slowloris?
Post by: brijendrasial on November 06, 2015, 03:32:20 PM
I would just enable nginx to stop it.
Title: Re: Protection against Slowloris?
Post by: Farukh Khan on November 06, 2015, 11:18:55 PM
But what if we don't want to use NGINX? CWP's NGINX still has the Apache 2.2.15 double Apache installation bug when I already have Apache 2.4 with suPHP 0.7.2 installed in my CWP. Also, would Apache + Varnish + NGINX + CloudFlare be a good option to choose?
Title: Re: Protection against Slowloris?
Post by: Glenn on December 28, 2015, 12:16:13 PM
Just rebuild Apache with the CWP Slowloris module.
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 16, 2018, 09:05:41 PM
For beginners like myself, this may be useful:

For the address, enter:
 wget http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2

And if for [root@srv mod_antiloris-0.4]# apxs -a -i -c mod_antiloris.c

you get an error like this:
-bash: apxs: command not found

you have to install the Apache dev tools with this command:

yum install httpd-devel

Then continue :)

Title: Re: Protection against Slowloris?
Post by: bullten on July 16, 2018, 09:10:50 PM
apxs is located here: /usr/local/apache/bin/apxs

You don't have to install anything using yum for that.

Installing it using yum will break your Apache, as you will be bound to use the other, yum version of Apache, and that will cause issues with your server.
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 16, 2018, 09:15:52 PM
It happened to me. :D

What should I do now?
Title: Re: Protection against Slowloris?
Post by: bullten on July 16, 2018, 09:18:43 PM
When you log in to the CWP root, it will show there how to fix your Apache, as you are using a different version of Apache. Fix it using that.

Or do

yum remove httpd httpd-devel
yum reinstall cwp-httpd
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 16, 2018, 09:26:20 PM
You mean from here?

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.


Do I not need to remove that (yum install httpd-devel) too?

I found this solution on another forum.

 
Title: Re: Protection against Slowloris?
Post by: bullten on July 16, 2018, 09:31:33 PM
Did you try what I wrote above? Or did you find a different solution on another forum for that?

I didn't get what you mean.
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 16, 2018, 09:39:00 PM
I did not find your solution.
When I go to the root of the CWP panel I do not see any fix for it.
There is just a red light in front of Apache, and when I restart it, it shows this:

"Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details."
Title: Re: Protection against Slowloris?
Post by: bullten on July 16, 2018, 09:40:24 PM
Run the commands below.

yum remove httpd httpd-devel
yum reinstall cwp-httpd
Title: Re: Protection against Slowloris?
Post by: bullten on July 16, 2018, 09:47:11 PM
By the way, I just replicated the same thing on one of my local servers.

See the screenshot to know what I was pointing to.

http://send.bullten.net/download/3ccb94deb7f5093514bc452d032e26e5.html
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 16, 2018, 09:52:38 PM
Wow
Thank you
You helped me get rid of my mistake.

I did not have the part you sent me in this picture. Why do I not have it?
And when I get this error "-bash: apxs: command not found", what should I do?


Thanks
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 16, 2018, 09:58:36 PM
Apache is on now, but I still get

Error 503 Backend fetch failed

Backend fetch failed
Guru Meditation:

XID: 32783

Varnish cache server


on my site.

Do I need to do something more?

For example, do I need to use "Rebuild Virtual Hosts"?

Thanks
Title: Re: Protection against Slowloris?
Post by: bullten on July 16, 2018, 10:00:29 PM
Well, I can't tell why that is not showing in your panel. Best would be if you ask the creators.

For the apxs issue: it is compiled with Apache. You can symlink it so it is recognized:

ln -s /usr/local/apache/bin/apxs /usr/sbin/apxs

Now run apxs and it will work as you need.

http://send.bullten.net/download/92e90c5ba91f598515c103b894b1a9e7.html
Title: Re: Protection against Slowloris?
Post by: bullten on July 16, 2018, 10:01:02 PM
The easy solution would be rebuilding the web server again.
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 16, 2018, 10:31:49 PM
It was a real nightmare without your help.
God bless you.
It became a good class for beginners too ;D
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 16, 2018, 10:44:30 PM


I get this error when I use apxs:

http://send.bullten.net/download/1f0fae899c87f84a94d43acb28071d83.html
Title: Re: Protection against Slowloris?
Post by: bullten on July 16, 2018, 10:52:03 PM
The version you have downloaded is outdated and supports only Apache 2.0.

You can download the version below and try:

https://us.apachehaus.com/downloads/mod_antiloris-0.6.0-2.4.x-vc14-x64.zip
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 16, 2018, 11:03:58 PM
Thanks
I did, but it seems to be the same problem.

http://send.bullten.net/download/2ca5a36bf2cd6060838c55dfcf1de865.html

How can I solve it, and after that, how can I enable it in httpd.conf?


I know I have to add a line like "# SlowlorisModule bla bla bla" but I don't know exactly. :)

Thanks
Title: Re: Protection against Slowloris?
Post by: bullten on July 16, 2018, 11:20:35 PM
Well, I would not use this module as it's totally outdated. But still, you can do this.

Code:
wget https://gist.githubusercontent.com/NewEraCracker/e545f0dcf64ba816d49b/raw/07f1cb77545435a6af8d6be30d2a42488b7e589c/mod_antiloris.c
apxs -a -i -c mod_antiloris.c
service httpd restart

Check if the module is loaded.
Code:
/usr/local/apache/bin/httpd -M | grep antiloris
By the way, as per the above screenshot you are using Varnish, so you are already protected against Slowloris attacks; then why are you using mod_antiloris for that? :)
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 17, 2018, 12:02:47 AM


Now it says:

"AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using srv.mysite.com. Set the 'ServerName' directive globally to suppress this message
[root@srv mod_antiloris-0.4]# ^C"

I am under DDoS with Varnish and get database errors and a load average between 6 and 48 every hour.

For about 48 hours I have been using Cloudflare too; it shows that they are stopping a great many attacks (1,686 in about 48 hours) on my site. I did not get database errors, but I get load average emails with a load average between 10 and 20 exactly every hour.

I guess my Varnish is not in front of the web server and I have to change the ports.

I asked a guy; he told me to install this module and send him some logs so he can help me.

I do not know what to do now.
Can Varnish mitigate the attacks without Cloudflare too if I configure it? How do I have to do that?

I have had these attacks for about 6 months and have changed 3 hosting providers too. One of them asked me to leave.

My MySQL process says this too:

Threads: 10  Questions: 163636  Slow queries: 0  Opens: 4546  Flush tables: 1  Open tables: 200  Queries per second avg: 30.400

I do not know whether it is a sign of Slowloris or not.


Thanks

Title: Re: Protection against Slowloris?
Post by: bullten on July 17, 2018, 06:42:56 AM
Well, upon checking the server logs one will know what exactly it is. It would be hard to tell you anything on this without actual logs.
By the way, what is the output of this command when load is high?

netstat -an | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

How many sites do you host on the server?

What is the output of htop?

yum install epel-release
yum install htop

htop

Did you try OVH? It provides DDoS protection for layer 3/4. Best would be to choose an SSD server.
https://www.ovh.com/world/

There are so many things to look at at the time of a DDoS.

Title: Re: Protection against Slowloris?
Post by: yeknafar on July 17, 2018, 08:27:23 AM
I am on OVH.
I have two domains on it. One of them is not active; the other one has 10 subdomains with different MySQL databases.

When I use the command I get some connections (14 in this picture) that do not have any IP in front of them.

http://send.bullten.net/download/3585152de42b1a182a3587cd63c9fe19.html


This is the htop result:

 http://send.bullten.net/delete/15bb3ffac2e61a00153c9b198debee24.html


Top of CWP:

http://send.bullten.net/download/57fb1e7625250d9e1fc08dfdf2d55714.html


If I change the port of my Varnish to 80, could that be useful? How can I do that?
Should I send other logs?

I am really thankful, and sorry to have disturbed you.
Title: Re: Protection against Slowloris?
Post by: bullten on July 17, 2018, 10:46:44 AM
Hello,

What is the output of the command below?

Code:
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l

Also this command:

Code:
yum install iotop -y
iotop

Also this command:

Code:
iostat

Also this command:

Code:
tail -f /usr/local/apache/logs/error_log

Also this command:

Code:
tail -f /var/log/dmesg

Also this command:

Code:
tail -f /var/log/messages

Also this command:

Code:
cat /proc/cpuinfo | grep processor | wc -l
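The per-IP connection count that the netstat pipelines above compute, written out as an added example (not from the thread, and not CWP's or bullten's code) with a constructed netstat sample; the function names and the sample addresses are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): the per-IP connection count that the
# netstat pipelines above compute, as functions that read netstat output
# from stdin, so they can be fed live output ("netstat -ntu | conns_per_ip")
# or the constructed sample below. Assumes the Linux "netstat -ntu" column
# layout and that port 80 is the port the web server answers on.

# Constructed sample: 198.51.100.7 holds six connections to :80 (the shape
# a single Slowloris client produces), 192.0.2.9 holds two plus an SSH
# session, and one loopback connection (Varnish -> Apache) is noise.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51230      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51231      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51232      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51233      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.9:40001         ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.9:40002         ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.9:40003         ESTABLISHED
tcp        0      0 127.0.0.1:80            127.0.0.1:55000         ESTABLISHED
udp        0      0 203.0.113.10:53         192.0.2.9:40004         ESTABLISHED'

# Keep TCP rows whose local port is 80 and that are not listeners, strip the
# remote port (works for IPv6 too, unlike "cut -d: -f1"), drop loopback.
remote_hosts_on_80() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
             host = $5; sub(/:[^:]*$/, "", host)
             if (host != "127.0.0.1") print host }'
}

# "count host" per remote host, busiest first (the uniq -c | sort -rn step).
conns_per_ip() { remote_hosts_on_80 | sort | uniq -c | sort -rn; }

# Number of distinct remote hosts: what the trailing "wc -l" reports.
distinct_hosts() { remote_hosts_on_80 | sort -u | wc -l | tr -d ' '; }

# Hosts holding at least LIMIT concurrent connections (default 10, the same
# kind of per-IP ceiling mod_antiloris enforces inside Apache).
hosts_over_limit() {
    conns_per_ip | awk -v lim="${1:-10}" '$1 >= lim { print $2 }'
}

# Stand-alone run against the sample; a live check replaces the printf
# with "netstat -ntu".
printf '%s\n' "$SAMPLE_NETSTAT" | conns_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | hosts_over_limit 5
```

A single host far above the others on port 80 while the total stays modest is the pattern to look for; a flat distribution with high load points elsewhere, as bullten concludes later in the thread.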
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 17, 2018, 01:49:39 PM

Code:
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
20

I usually use
Code:
netstat -nt | grep :80 | wc -l

It is usually more than 10 at least, but most of the time it goes to 100 too. Some days it was a small number, less than 1 or 0.

Code:
iotop
(iotop, as it seems, has an error)

http://send.bullten.net/download/f56a8ff569338a992ffc5f02d73c4472.html


Code:
iostat
http://send.bullten.net/filesgroup/7359a5f7b19f49c8009170c7d6de6e64.html


With the above code I tested
Code:
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
another time; it shows 0.

Another time iostat showed 58, 77, 78:

http://send.bullten.net/download/3c6abb3789471247c1d3304d74267e2a.html

http://send.bullten.net/download/90c2c4a0761096db897ab5499316eee0.html



Code:
tail -f /usr/local/apache/logs/error_log
http://send.bullten.net/download/64ab037352350fcd13f5314003bf6ba5.html


Code:
tail -f /var/log/dmesg

[root@srv ~]# tail -f /var/log/dmesg
tail: cannot open '/var/log/dmesg' for reading: No such file or directory
tail: no files remaining
 

Code:
tail -f /var/log/messages

[root@srv ~]# tail -f /var/log/messages
Jul 17 18:16:07 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:16:07 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:16:26 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:16:26 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:16:26 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:16:26 srv systemd: clamd-scan.service failed.
Jul 17 18:16:26 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:16:26 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:16:26 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:16:26 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:16:45 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:16:46 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:16:46 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:16:46 srv systemd: clamd-scan.service failed.
Jul 17 18:16:46 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:16:46 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:16:46 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:16:46 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:17:01 srv systemd: Started Session c1147 of user root.
Jul 17 18:17:01 srv systemd: Starting Session c1147 of user root.
Jul 17 18:17:05 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:17:05 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:17:05 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:17:05 srv systemd: clamd-scan.service failed.
Jul 17 18:17:05 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:17:05 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:17:05 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:17:05 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:17:24 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:17:24 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:17:24 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:17:24 srv systemd: clamd-scan.service failed.
Jul 17 18:17:24 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:17:24 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:17:24 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:17:24 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:17:41 srv systemd: Started Session 304387 of user root.
Jul 17 18:17:41 srv systemd-logind: New session 304387 of user root.
Jul 17 18:17:41 srv systemd: Starting Session 304387 of user root.
Jul 17 18:17:48 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:17:48 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:17:48 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:17:48 srv systemd: clamd-scan.service failed.
Jul 17 18:17:49 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:17:49 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:17:49 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:17:49 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:18:01 srv systemd: Started Session c1148 of user root.
Jul 17 18:18:01 srv systemd: Starting Session c1148 of user root.
Jul 17 18:18:11 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:18:11 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:18:11 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:18:11 srv systemd: clamd-scan.service failed.
Jul 17 18:18:11 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:18:11 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:18:11 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:18:11 srv systemd: Starting Generic clamav scanner daemon...


Code:
cat /proc/cpuinfo | grep processor | wc -l
1


Now this code
Code:
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
gives 16

Thanks

Title: Re: Protection against Slowloris?
Post by: bullten on July 17, 2018, 04:08:10 PM
This is not a DDoS attack. You should upgrade the CPU cores and RAM for it.
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 17, 2018, 04:11:51 PM
I now received this too:


 lfd on srv.salamzaban.ir: High 5 minute load average alert - 18.09
Time:                    Tue Jul 17 20:23:36 2018 +0430
1 Min Load Avg:          9.23
5 Min Load Avg:          18.09
15 Min Load Avg:         14.37
Running/Total Processes: 10/5839


http://send.bullten.net/download/46cb26199025968f1f35105782168827.html

I receive such a thing exactly every hour.
Title: Re: Protection against Slowloris?
Post by: yeknafar on July 17, 2018, 04:15:25 PM
But it does not use any more CPU or RAM.

My RAM is 4 now, but it uses less than 2.

I had the same problem with 4 CPUs and 8 RAM too. I can set more CPUs for a while. OK.

On Cloudflare it shows there are a lot of attacks too. Is that normal?

I really thank you.
Title: Re: Protection against Slowloris?
Post by: bullten on July 17, 2018, 04:22:13 PM
Load goes high as the resources get exhausted. The htop result shows 100% CPU is already used.
Title: Re: Protection against Slowloris?
Post by: bullten on July 17, 2018, 04:34:30 PM
It may be DDoS, but the logs you provided don't throw light on that.