Control Web Panel
WebPanel => How to => Topic started by: brijendrasial on May 08, 2015, 07:35:34 PM
-
What measures are you all actually taking to protect your server from a slowloris attack?
-
For myself, I'm hosted with OVH, which has DDoS protection as standard, but on the server side I also use mod_antiloris.
1. Download the installer and install from Sourceforge.net:
$ cd /usr/local/src
$ wget http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2/download
$ tar -xvjf mod_antiloris-0.4.tar.bz2
$ cd mod_antiloris-*
$ apxs -a -i -c mod_antiloris.c
2. Restart Apache:
$ service httpd restart
-
What other hard solution do you have, bullten, for slowloris protection in CWP?
-
I would just enable nginx to stop it.
-
But what if we don't want to use NGINX? CWP NGINX still has the Apache 2.2.15 double Apache installation bug when I already have Apache 2.4 with suPHP 0.7.2 installed in my CWP. Also, would Apache + Varnish + NGINX + CloudFlare be a good option to choose?
-
Just rebuild Apache with the CWP slowloris module
-
For beginners like myself, this may be useful:
For the address, enter:
wget http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2
And if, for
[root@srv mod_antiloris-0.4]# apxs -a -i -c mod_antiloris.c
you get an error like this:
-bash: apxs: command not found
You have to install the Apache dev tools with this command:
yum install httpd-devel
Then continue :)
-
apxs is located here : /usr/local/apache/bin/apxs
You don't have to install anything using yum for that.
Installing it using yum will break your Apache, as you will be bound to use another yum version of Apache, and it will cause issues with your server.
-
It happened to me. :D
What should I do now?
-
When you log in to the CWP root, it will show an option to fix your Apache, as you are using a different version of Apache. Fix it using that.
Or do:
yum remove httpd httpd-devel
yum reinstall cwp-httpd
-
You mean from here?
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Do I not need to remove that (yum install httpd-devel) too?
I found this solution on another forum.
-
Did you try what I wrote above? Or did you find a different solution on another forum for that?
I didn't get what you meant.
-
I did not find your solution.
When I go to the root of the CWP panel I do not see any fix for it.
There is just a red light in front of Apache, and when I restart it, it shows this:
"Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details."
-
Run the commands below.
yum remove httpd httpd-devel
yum reinstall cwp-httpd
-
By the way, I just replicated the same thing on one of my local servers.
See the screenshot to know what I was pointing to.
http://send.bullten.net/download/3ccb94deb7f5093514bc452d032e26e5.html
-
Wow
Thank you
You helped me to get rid of my mistake.
I did not have the part that you sent me in this picture. Why do I not have it?
And when I get this error "-bash: apxs: command not found", what should I do?
Thanks
-
Apache is on now but I get
Error 503 Backend fetch failed
Backend fetch failed
Guru Meditation:
XID: 32783
Varnish cache server
on my site still.
Do I need to do something more?
For example, do I need to use "Rebuild Virtual Hosts"?
Thanks
-
Well, I can't tell why that is not showing in your panel. Best would be to ask the creators.
For the apxs issue: it is compiled with Apache. You can symlink it so it is recognized:
ln -s /usr/local/apache/bin/apxs /usr/sbin/apxs
Now run apxs and it will work as you need.
http://send.bullten.net/download/92e90c5ba91f598515c103b894b1a9e7.html
-
An easy solution would be rebuilding the web server again.
-
It was a real nightmare without your help.
God bless you
It became a good class for beginners too ;D
-
I get this error when I use apxs:
http://send.bullten.net/download/1f0fae899c87f84a94d43acb28071d83.html
-
The version you have downloaded is outdated and supports only Apache 2.0.
You can download the version below and try:
https://us.apachehaus.com/downloads/mod_antiloris-0.6.0-2.4.x-vc14-x64.zip
-
Thanks
I did, but it seems to be the same problem.
http://send.bullten.net/download/2ca5a36bf2cd6060838c55dfcf1de865.html
How can I solve it, and after that how can I enable it in httpd.conf?
I know I have to add a line like "# SlowlorisModule bla bla bla" but I don't know exactly. :)
Thanks
-
Well, I would not use this module as it's totally outdated. But still, you can do this:
wget https://gist.githubusercontent.com/NewEraCracker/e545f0dcf64ba816d49b/raw/07f1cb77545435a6af8d6be30d2a42488b7e589c/mod_antiloris.c
apxs -a -i -c mod_antiloris.c
service httpd restart
Check if the module is loaded:
/usr/local/apache/bin/httpd -M | grep antiloris
By the way, as per the above screenshot you are using Varnish, so you are already protected against slowloris attacks; then why are you using mod_antiloris for that? :)
-
Now it says:
"AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using srv.mysite.com. Set the 'ServerName' directive globally to suppress this message
[root@srv mod_antiloris-0.4]# ^C"
I am under DDoS with Varnish and got database errors and a load average between 6 and 48 every hour.
For about 48 hours I have been using Cloudflare too; it shows that they are stopping many attacks (1,686 in about 48 hours) on my site. I did not get database errors, but I get a load average email with a load average between 10 and 20 exactly every hour.
I guess my Varnish is not in front of the web server and I have to change the ports.
I asked a guy and he told me to install this module and send him some logs so he can help me.
I do not know what to do now.
Can Varnish mitigate the attacks without Cloudflare too if I configure it? How do I have to do that?
I have had these attacks for about 6 months and have changed 3 hosting providers too. One of them asked me to leave.
My MySQL process says this too:
Threads: 10 Questions: 163636 Slow queries: 0 Opens: 4546 Flush tables: 1 Open tables: 200 Queries per second avg: 30.400
I do not know if it is a sign of slowloris or not.
Thanks
-
Well, upon checking the server logs one will know what exactly it is. It would be hard to tell you anything about this without actual logs.
By the way, what is the output of this command when the load is high?
netstat -an | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
How many sites do you host on the server?
What is the output of htop?
yum install epel-release
yum install htop
htop
Did you try OVH? It provides DDoS protection for layer 3/4. Best would be to choose an SSD server.
https://www.ovh.com/world/
There are so many things to look at at the time of a DDoS.
-
I am on OVH.
I have two domains on it. One of them is not active; the other one has 10 subdomains with different MySQL databases.
When I use the command I get some connections (14 in this picture) that do not have any IP in front of them.
http://send.bullten.net/download/3585152de42b1a182a3587cd63c9fe19.html
This is the htop result:
http://send.bullten.net/delete/15bb3ffac2e61a00153c9b198debee24.html
Top of CWP:
http://send.bullten.net/download/57fb1e7625250d9e1fc08dfdf2d55714.html
If I change the port of my Varnish to 80, could that be useful? How can I do that?
Should I send other logs?
I am really thankful, and sorry to have disturbed you.
-
Hello,
What is the output of the command below?
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
Also this command
yum install iotop -y
iotop
Also this command
iostat
Also this command
tail -f /usr/local/apache/logs/error_log
Also this command
tail -f /var/log/dmesg
Also this command
tail -f /var/log/messages
Also this command
cat /proc/cpuinfo | grep processor | wc -l
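The two netstat pipelines above (the `grep :80 ... | uniq -c` one and the earlier `netstat -an | awk '{print $5}'` one) count how many connections each remote IP holds on port 80; the point, for a slowloris-style attack, is that one source holds many idle connections at once. The following is an added example, not code from this thread or from CWP: it turns that pipeline into reusable shell functions run over a constructed `netstat -ntu` sample, keys on the local port (so a remote port that merely contains "80" is not counted) and flags IPs over a threshold. The threshold is an assumption; a NAT gateway or proxy can legitimately exceed it.

```shell
# Constructed sample of `netstat -ntu` output (not from any real server).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.45:40002        TIME_WAIT
tcp        0      0 127.0.0.1:80            127.0.0.1:33000         ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:22         192.0.2.99:55000        ESTABLISHED'

# Reads netstat output on stdin; prints "<count> <remote ip>" for every remote
# IP connected to local port 80, skipping LISTEN sockets and localhost, like
# the thread's pipeline but matching the local port rather than any ":80".
per_ip_port80() {
    awk '$1 ~ /^(tcp|udp)/ && $6 != "LISTEN" {
            split($4, l, ":"); split($5, r, ":")
            if (l[2] == "80" && r[1] != "127.0.0.1") c[r[1]]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Number of distinct remote IPs on port 80 (the figure the thread's `wc -l` gives).
count_remote_ips() { per_ip_port80 | wc -l | tr -d ' '; }

# Remote IPs holding more than $1 concurrent connections: many idle connections
# from one source is the pattern a slowloris-style tool leaves behind.
over_threshold() { per_ip_port80 | awk -v t="$1" '$1 > t { print $2 }'; }

# Stand-alone demo on the constructed sample; on a live box use:
#   netstat -ntu | over_threshold 20
printf '%s\n' "$SAMPLE_NETSTAT" | per_ip_port80
printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold 3
```

A threshold hit is a reason to pull the Apache access log for that IP, not proof by itself.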
-
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
20
I usually use
netstat -nt | grep :80 | wc -l
It is usually more than 10 at least, but most of the time it goes to 100 too. Some days it was a small number, less than 1 or 0.
iotop
iotop, as it seems, has an error:
http://send.bullten.net/download/f56a8ff569338a992ffc5f02d73c4472.html
iostat
http://send.bullten.net/filesgroup/7359a5f7b19f49c8009170c7d6de6e64.html
With the above command I tested
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
another time and it shows 0.
Another time iostat showed 58, 77, 78:
http://send.bullten.net/download/3c6abb3789471247c1d3304d74267e2a.html
http://send.bullten.net/download/90c2c4a0761096db897ab5499316eee0.html
tail -f /usr/local/apache/logs/error_log
http://send.bullten.net/download/64ab037352350fcd13f5314003bf6ba5.html
tail -f /var/log/dmesg
[root@srv ~]# tail -f /var/log/dmesg
tail: cannot open '/var/log/dmesg' for reading: No such file or directory
tail: no files remaining
tail -f /var/log/messages
[root@srv ~]# tail -f /var/log/messages
Jul 17 18:16:07 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:16:07 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:16:26 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:16:26 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:16:26 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:16:26 srv systemd: clamd-scan.service failed.
Jul 17 18:16:26 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:16:26 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:16:26 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:16:26 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:16:45 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:16:46 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:16:46 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:16:46 srv systemd: clamd-scan.service failed.
Jul 17 18:16:46 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:16:46 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:16:46 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:16:46 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:17:01 srv systemd: Started Session c1147 of user root.
Jul 17 18:17:01 srv systemd: Starting Session c1147 of user root.
Jul 17 18:17:05 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:17:05 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:17:05 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:17:05 srv systemd: clamd-scan.service failed.
Jul 17 18:17:05 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:17:05 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:17:05 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:17:05 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:17:24 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:17:24 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:17:24 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:17:24 srv systemd: clamd-scan.service failed.
Jul 17 18:17:24 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:17:24 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:17:24 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:17:24 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:17:41 srv systemd: Started Session 304387 of user root.
Jul 17 18:17:41 srv systemd-logind: New session 304387 of user root.
Jul 17 18:17:41 srv systemd: Starting Session 304387 of user root.
Jul 17 18:17:48 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:17:48 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:17:48 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:17:48 srv systemd: clamd-scan.service failed.
Jul 17 18:17:49 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:17:49 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:17:49 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:17:49 srv systemd: Starting Generic clamav scanner daemon...
Jul 17 18:18:01 srv systemd: Started Session c1148 of user root.
Jul 17 18:18:01 srv systemd: Starting Session c1148 of user root.
Jul 17 18:18:11 srv clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.sock is in use by another process.
Jul 17 18:18:11 srv systemd: clamd-scan.service: main process exited, code=exited, status=1/FAILURE
Jul 17 18:18:11 srv systemd: Unit clamd-scan.service entered failed state.
Jul 17 18:18:11 srv systemd: clamd-scan.service failed.
Jul 17 18:18:11 srv systemd: clamd-scan.service holdoff time over, scheduling restart.
Jul 17 18:18:11 srv systemd: Failed to reset devices.list on /system.slice/clamd-scan.service: Operation not permitted
Jul 17 18:18:11 srv systemd: Started Generic clamav scanner daemon.
Jul 17 18:18:11 srv systemd: Starting Generic clamav scanner daemon...
cat /proc/cpuinfo | grep processor | wc -l
1
Now this command
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
gives 16.
Thanks
-
This is not a DDoS attack. You should upgrade the CPU cores and RAM for it.
-
I now received this too:
lfd on srv.salamzaban.ir: High 5 minute load average alert - 18.09
Time: Tue Jul 17 20:23:36 2018 +0430
1 Min Load Avg: 9.23
5 Min Load Avg: 18.09
15 Min Load Avg: 14.37
Running/Total Processes: 10/5839
http://send.bullten.net/download/46cb26199025968f1f35105782168827.html
I receive such a thing exactly every hour.
-
But it does not use any more CPU or RAM.
My RAM is 4 now, but it uses less than 2.
I had such a problem with 4 CPUs and 8 RAM too. I can set more CPUs for a while. OK.
On Cloudflare it shows there are a lot of attacks too. Is that normal?
I really thank you.
-
Load goes high as the resources get exhausted. The htop result shows 100% CPU is already used.
-
It may be DDoS, but the logs you provided don't throw light on that.