problem with webservers

[WaReZ]

Hello

i have a VPS with 512 MB RAM and was hosting my site on it from 3 months and it was working fine ..... these thing was installed on VPS

kloxo
httpd
php
mysql

but 3 days ago it suddenly stopped working so i check VPS and found that httpd was stopped .... i started it again and was shocked to see that more than 350 processes of httpd was running and free RAM was 0KB and again it crashed (stopped).

Then i tried lighttpd but same with it hundreds of process eaten up all the RAM then crash

normally when it was working the process was around 35-40 MAX

can anyone have some suggestions about it?

is it ddos? if yes ... any way to prevent vps from it?

WaReZ Reviewed by WaReZ on 19th Sep 2010. problem with webservers Hello i have a VPS with 512 MB RAM and was hosting my site on it from 3 months and it was working fine ..... these thing was installed on VPS kloxo httpd php mysql but 3 days ago it suddenly stopped working so i check VPS and found that httpd was stopped .... i started it again and was shocked to see that more than 350 processes of httpd was running and free RAM was 0KB and again it crashed (stopped). Rating: 5

[Lock Down]

These are few steps to be taken when you feel that the server is under attack:
--------------------------------------------------------------------------------
-
Step 1: Check the load using the command "w".

Step 2: Check which service is utilizing maximum CPU by "nice top".

Step 3: Check which IP address is taking maximum connection using the command:

netstat -anpl|grep :80|awk {'print $5'}|cut -d":" -f1|sort|uniq -c|sort -n
netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c

Step 4: Check the IP address of the server having maximum connection using the
command:

netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 |sort |uniq -c

Step 5: Then block the IP address using APF firewall "apf -d <IP address>" or
using CSF firewall "csf -d <IP address>
--------------------------------------------------------------------------------
-

In future, to avoid DDoS attack or to lower its intensity you can install the
following modules.

============
*Mod_security: Since DDoS often targets HTTP (port 80), it is a good idea to
have a filtering system for Apache. 'Mod_security' will analyze requests before
passing them to the web server.

*Mod_dosevasive: This is an Apache module which performs 'evasive' action in the
event of an HTTP DDoS attack or brute force attack.

*(D)DoS Deflate: This is a shell script which assists in combating denial of
service attacks.
============

Please go through the following URLs for more information on how to install
"mod_security", "mod_evasive" and "dos_deflate" on your server:

-------------------
http://prasadnaik15.wordpress.com/ho...t-ddos-attack/
-------------------
http://www.eth0.us/mod_evasive
-------------------
http://forum.whmdestek.com/security/...tallation.html
-------------------

You can also enable Sysctl protection against DDoS. Please go through the
following URL for more information in this regard:

----------
http://forums.softlayer.com/showthread.php?t=304 [use your portal
username/password to login]

As mentioned by others, having some connections in TIME_WAIT is a normal part of the TCP connection. You can see the interval by examining /proc/sys/net/ipv4/tcp_fin_timeout:
[root@host ~]# cat /proc/sys/net/ipv4/tcp_fin_timeout
60

And change it by modifying that value:
[root@dev admin]# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

Or permanently by adding it to /etc/sysctl.conf
net.ipv4.tcp_fin_timeout=30

Also, if you don't use the RPC service or NFS, you can just turn it off:
/etc/init.d/nfsd stop

And turn it off completely
chkconfig nfsd off

[WaReZ]

i installed all three of them but nothing working

some of the connected IPs...

Code: 

      1 66.249.65.142
      1 67.23.25.18
      1 72.254.128.201
      1 77.78.3.47
      1 80.64.167.50
      1 80.77.145.147
      1 88.146.218.4
      1 89.28.17.58
      1 91.215.218.88
      2 109.250.137.189
      2 110.136.204.63
      2 111.160.70.142
      2 115.69.217.106
      2 116.255.24.45
      2 118.68.249.158
      2 123.19.121.88
      2 124.160.27.162
      2 125.167.217.10
      2 140.174.90.103
      2 173.180.53.66
      2 173.77.181.190
      2 174.142.104.57
      2 187.49.174.245
      2 190.14.232.155
      2 190.152.13.58
      2 190.31.56.43
      2 195.235.161.28
      2 195.39.172.135
      2 195.82.157.220
      2 196.200.20.58
      2 196.202.4.108
      2 196.202.55.2
      2 199.245.188.60
      2 200.123.148.35
      2 200.195.38.98
      2 200.35.36.70
      2 200.35.41.175
      2 200.46.3.131
      2 201.72.179.130
      2 202.43.180.146
      2 203.171.237.170
      2 206.131.230.6
      2 208.110.86.184
      2 208.89.194.21
      2 211.69.130.11
      2 221.122.60.237
      2 221.214.27.252
      2 221.214.27.253
      2 222.124.129.44
      2 222.124.9.62
      2 24.188.144.175
      2 41.190.16.17
      2 41.73.2.34
      2 61.244.235.34
      2 62.209.202.19
      2 70.84.166.4
      2 70.86.166.34
      2 72.9.156.240
      2 80.233.225.180
      2 81.186.225.254
      2 89.232.63.173
      2 92.118.181.151
      2 93.99.206.1
      3 110.136.190.105
      3 110.136.205.175
      3 113.161.76.224
      3 118.70.124.90
      3 118.96.150.88
      3 119.147.113.116
      3 125.245.183.2
      3 147.91.1.41
      3 173.3.113.59
      3 190.37.127.117
      3 190.8.111.59
      3 193.206.38.100
      3 195.168.109.60
      3 200.117.239.246
      3 200.143.99.17
      3 200.242.107.75
      3 202.182.189.107
      3 203.212.0.114
      3 208.180.65.242
      3 210.5.71.130
      3 211.138.124.202
      3 212.34.41.93
      3 213.0.89.9
      3 216.147.142.30
      3 218.248.45.51
      3 219.93.178.162
      3 221.130.23.84
      3 222.124.132.146
      3 58.211.218.74
      3 60.21.136.22
      3 61.181.246.205
      3 74.55.28.10
      3 80.92.183.225
      3 84.36.44.37
      3 86.110.19.114
      3 88.98.28.60
      3 91.103.91.33
      3 99.29.128.32
      4 110.139.149.154
      4 111.160.68.19
      4 114.255.160.60
      4 118.96.24.227
      4 118.96.26.61
      4 120.151.0.65
      4 187.16.249.131
      4 189.17.16.130
      4 190.128.224.82
      4 190.34.168.183
      4 200.101.82.4
      4 200.144.17.222
      4 200.169.67.194
      4 201.6.145.72
      4 201.88.254.7
      4 202.169.241.98
      4 202.51.107.37
      4 202.57.6.92
      4 202.72.206.241
      4 212.45.5.172
      4 217.24.250.238
      4 218.204.29.110
      4 218.248.4.82
      4 221.192.233.83
      4 222.124.166.11
      4 222.165.130.214
      4 41.234.206.179
      4 65.167.88.50
      4 76.122.41.201
      4 77.104.192.100
      4 93.157.3.108
      5 118.70.128.217
      5 118.96.145.244
      5 118.98.168.122
      5 183.91.87.16
      5 189.33.109.8
      5 189.45.31.118
      5 189.8.52.186
      5 190.90.128.233
      5 193.255.184.210
      5 195.24.202.30
      5 200.143.88.4
      5 200.146.37.82
      5 200.175.235.164
      5 202.162.212.29
      5 210.83.222.27
      5 221.130.23.121
      5 222.134.65.102
      5 222.169.11.234
      5 222.74.34.190
      5 58.150.182.76
      5 61.213.158.124
      5 67.159.37.44
      5 75.97.250.165
      5 88.247.84.138
      5 94.143.43.85
      6 118.97.224.2
      6 118.97.234.253
      6 119.252.172.138
      6 121.12.249.207
      6 122.183.210.200
      6 200.17.56.7
      6 200.201.187.250
      6 200.21.15.109
      6 201.64.156.82
      6 201.76.211.246
      6 202.107.196.2
      6 202.143.129.201
      6 202.69.102.146
      6 220.165.15.205
      6 222.124.8.13
      6 222.161.3.133
      6 222.161.3.146
      6 41.208.14.4
      6 61.158.167.84
      6 79.142.55.199
      6 86.111.88.52
      6 98.194.60.1
      7 119.62.128.38
      7 190.95.199.211
      7 200.195.132.82
      7 200.48.250.97
      7 200.96.190.90
      7 201.57.234.129
      7 202.149.67.82
      7 213.134.176.50
      7 213.217.58.33
      7 217.24.250.235
      7 221.130.23.153
      7 221.179.35.87
      7 222.124.178.98
      7 222.161.137.199
      7 222.162.105.110
      7 58.56.108.114
      7 98.248.194.100
      8 111.11.192.250
      8 118.97.67.134
      8 187.4.128.12
      8 189.17.177.120
      8 201.18.5.90
      8 218.249.94.34
      8 222.77.14.54
      8 24.209.39.32
      8 80.92.183.202
      8 82.116.255.85
      9 111.160.70.195
      9 125.161.169.65
      9 195.39.172.134
      9 201.45.216.117
      9 222.161.137.205
     10 121.10.120.214
     10 211.69.130.14
     10 217.12.212.228
     10 61.7.142.159
     10 98.231.97.190
     11 119.110.81.125
     11 210.240.11.35
     11 213.0.89.5
     11 222.89.92.106
     12 111.160.70.232
     12 122.180.8.100
     12 174.59.36.2
     12 222.88.42.46
     13 121.30.255.38
     13 200.43.192.163
     14 203.172.244.18
     14 222.47.26.12
     15 210.210.35.11
     16 202.108.5.35
     17 125.235.241.132
     18 187.6.85.3
     19 88.191.80.66
     21 221.130.17.45
     22 202.108.3.204
     27 123.125.156.142
     30 123.125.156.137
     73 202.108.50.76
     76 123.125.156.204

it is making server load 100% and using all RAM

any other suggestion...

[somik]

That looks more like a ddos attack to me...

Look around in the tutorial forum for a anti ddos script. Install it and let it handle with the attacks.

[WaReZ]

they are just some of the IPs the last time before server crash the total connections was 1256

and i already installed CSF firewall, Mod_security, Mod_dosevasive, (D)DoS Deflate (30 connections max), litespeed webserver (free edition) but no good result

can you suggest me some good anti ddos scripts

[Lock Down]

What os are you running?
Looks like you have 2 ip using 70+ . Some setting must be wrong. They are hackers from china. I was always being hit by them trying to get in.

use this to block them:

iptables -I INPUT -m iprange --src-range 202.0.0.0-202.255.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 123.0.0.0-123.255.255.255 -j DROP

try using iptables to stop more than 4 per ip. I don't know why you would allow more than that anyway.

iptables -A INPUT -p tcp --syn --dport 80 -d ! 1.2.3.4 -m connlimit --connlimit-above 4 -j REJECT --reject-with tcp-reset

1.2.3.4 should be changed to your ip address.

This will last only till system reboots. You can use service iptables save to save the new setting.

[freecbc3]

can u check memory available ??


"free -m"

[WaReZ]

i just found that ipt_recent is not enable on my VPS and i have requested my VPS provider to enable it for me and waiting for there responce

I am running centos 5.5

@freecbc3 cannot allocate memory

[WaReZ]

What os are you running?
Looks like you have 2 ip using 70+ . Some setting must be wrong. They are hackers from china. I was always being hit by them trying to get in.

use this to block them:


try using iptables to stop more than 4 per ip. I don't know why you would allow more than that anyway.



1.2.3.4 should be changed to your ip address.

This will last only till system reboots. You can use service iptables save to save the new setting.

Expand

ipt_recent is now enabled but whenever i am trying to run any of these commands i am getting this error

iptables: Unknown error 4294967295

[Lock Down]

try this command see what it does

iptables -L