-
19th Sep 2010, 08:36 PM #1 OP Banned Website's:
TehHost.net
problem with webservers
Hello
I have a VPS with 512 MB RAM and have been hosting my site on it for 3 months, and it was working fine. These things were installed on the VPS:
kloxo
httpd
php
mysql
But 3 days ago it suddenly stopped working, so I checked the VPS and found that httpd was stopped. I started it again and was shocked to see that more than 350 httpd processes were running and free RAM was 0 KB, and again it crashed (stopped).
Then I tried lighttpd, but it was the same: hundreds of processes ate up all the RAM, then it crashed.
Normally, when it was working, there were around 35-40 processes MAX.
Does anyone have some suggestions about it?
Is it DDoS? If yes, is there any way to protect the VPS from it?
-
19th Sep 2010, 08:41 PM #2 Respected Member
These are a few steps to be taken when you feel that the server is under attack:
--------------------------------------------------------------------------------
-
Step 1: Check the load using the command "w".
Step 2: Check which service is utilizing maximum CPU by "nice top".
Step 3: Check which IP address is taking maximum connection using the command:
netstat -anpl|grep :80|awk {'print $5'}|cut -d":" -f1|sort|uniq -c|sort -n
netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c
Step 4: Check the IP address of the server having maximum connection using the
command:
netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 |sort |uniq -c
Step 5: Then block the IP address using APF firewall "apf -d <IP address>" or
using CSF firewall "csf -d <IP address>"
--------------------------------------------------------------------------------
-
In future, to avoid DDoS attack or to lower its intensity you can install the
following modules.
============
*Mod_security: Since DDoS often targets HTTP (port 80), it is a good idea to
have a filtering system for Apache. 'Mod_security' will analyze requests before
passing them to the web server.
*Mod_dosevasive: This is an Apache module which performs 'evasive' action in the
event of an HTTP DDoS attack or brute force attack.
*(D)DoS Deflate: This is a shell script which assists in combating denial of
service attacks.
============
Please go through the following URLs for more information on how to install
"mod_security", "mod_evasive" and "dos_deflate" on your server:
-------------------
http://prasadnaik15.wordpress.com/ho...t-ddos-attack/
-------------------
http://www.eth0.us/mod_evasive
-------------------
http://forum.whmdestek.com/security/...tallation.html
-------------------
You can also enable Sysctl protection against DDoS. Please go through the
following URL for more information in this regard:
----------
http://forums.softlayer.com/showthread.php?t=304 [use your portal
username/password to login]
As mentioned by others, having some connections in TIME_WAIT is a normal part of the TCP connection. You can see the interval by examining /proc/sys/net/ipv4/tcp_fin_timeout:
[root@host ~]# cat /proc/sys/net/ipv4/tcp_fin_timeout
60
And change it by modifying that value:
[root@dev admin]# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
Or permanently by adding it to /etc/sysctl.conf
net.ipv4.tcp_fin_timeout=30
Also, if you don't use the RPC service or NFS, you can just turn it off:
/etc/init.d/nfsd stop
And turn it off completely
chkconfig nfsd off
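
The per-IP count from Steps 3 and 4, as an added example that is not part of the original post: it matches the local port exactly (so :8080 and outbound connections to a remote port 80 are not counted) and unwraps IPv4-mapped addresses such as ::ffff:203.0.113.9, which `cut -d":" -f1` reduces to an empty string. The function names and the sample netstat lines are constructed for illustration and use documentation address ranges.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (not taken from the thread).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      SYN_RECV
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:40000 ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:40001 TIME_WAIT
tcp        0      0 192.0.2.10:8080         198.51.100.7:51003      ESTABLISHED
tcp        0      0 192.0.2.10:44321        203.0.113.50:80         ESTABLISHED
EOF
}

# Print "count ip" for clients connected to local port $1 (default 80).
per_ip_counts() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ (":" port "$") {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # drop the remote port
            sub(/^::ffff:/, "", ip)   # unwrap IPv4-mapped IPv6
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the IPs holding more than $1 connections to port $2 (default 80).
over_limit() {
    per_ip_counts "${2:-80}" | awk -v max="$1" '$1 > max { print $2 }'
}

# Print "count state" for the same connections; many SYN_RECV entries
# point at half-open connections rather than full HTTP requests.
state_counts() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ (":" port "$") { s[$6]++ }
        END { for (k in s) print s[k], k }' | sort -rn
}

# On a live server: netstat -ant | over_limit 30
sample_netstat | per_ip_counts
sample_netstat | state_counts
```

When no single address stands out in `per_ip_counts` but the total is high, the load is spread across many sources and blocking individual IPs will not bring it down.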
-
25th Sep 2010, 07:53 PM #3 OP Banned Website's:
TehHost.net
I installed all three of them but nothing is working
some of the connected IPs...
any other suggestion...
-
26th Sep 2010, 01:15 PM #4 Member Website's:
somik.org sborg.us
-
26th Sep 2010, 05:16 PM #5 OP Banned Website's:
TehHost.net
They are just some of the IPs. The last time, before the server crashed, the total connections were 1256.
And I already installed CSF firewall, Mod_security, Mod_dosevasive, (D)DoS Deflate (30 connections max), litespeed webserver (free edition), but no good result.
Can you suggest some good anti-DDoS scripts?
-
26th Sep 2010, 06:14 PM #6 Respected Member
What OS are you running?
Looks like you have 2 IPs using 70+. Some setting must be wrong. They are hackers from China. I was always being hit by them trying to get in.
Use this to block them:
iptables -I INPUT -m iprange --src-range 202.0.0.0-202.255.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 123.0.0.0-123.255.255.255 -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -d ! 1.2.3.4 -m connlimit --connlimit-above 4 -j REJECT --reject-with tcp-reset
This will last only till system reboots. You can use service iptables save to save the new setting.
-
26th Sep 2010, 06:19 PM #7 Banned Website's:
rapidleechhosting.net ponofilms.net wupload.ws
Can you check the memory available?
"free -m"
-
26th Sep 2010, 08:16 PM #8 OP Banned Website's:
TehHost.net
I just found that ipt_recent is not enabled on my VPS, and I have requested my VPS provider to enable it for me and am waiting for their response.
I am running CentOS 5.5
@freecbc3 cannot allocate memory
-
27th Sep 2010, 03:05 PM #9 OP Banned Website's:
TehHost.net
-
27th Sep 2010, 06:34 PM #10 Respected Member
Try this command and see what it does:
iptables -L