First aid for DDOS attack on port 80
The following steps can be used to recover a server from a DDoS attack on port 80. All of
them must be run while logged in to the server as root.
Step 1 : Install/Configure APF firewall
=============================
a) If there is no firewall installed on the server, install APF first; the steps and
directions are on the following site.
http://www.webhostgear.com/61.html
b) Turn on the antidos option (USE_AD) in the APF conf file, then restart APF
(service apf restart) so the change takes effect
# vi /etc/apf/conf.apf
USE_AD="1"
Step 2 : Install/Configure mod_evasive (for Apache 1.3.x)
=============================
mod_evasive and mod_dosevasive are the same module (mod_dosevasive is the older name).
a) Install mod_evasive
# wget http://www.zdziarski.com/projects/mo..._1.10.1.tar.gz
# tar -xzvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# /usr/local/apache/bin/apxs -i -a -c mod_evasive.c
# /etc/init.d/httpd restart
(On Apache 2.x, build mod_evasive20.c from the same tarball instead of mod_evasive.c.)
b) Also add the following lines to the Apache conf file. Put them inside an
<IfModule mod_evasive.c> ... </IfModule> block (mod_evasive20.c on Apache 2.x) so that
httpd still starts if the module is not loaded. With these values a client that requests
the same page more than 2 times within 1 second, or more than 50 objects from the site
within 1 second, receives 403 responses for the next 10 seconds. Hosts that must never be
blocked (your own IPs, a NAT or proxy gateway shared by many users) can be listed with
DOSWhitelist.
# vi /usr/local/apache/conf/httpd.conf
-------------------------------------------------
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
-------------------------------------------------
c) Restart the webserver
# /etc/init.d/httpd restart
Step 3 : Install mod_security
=============================
On a cPanel server this module can normally be installed from WHM:
WHM >> cPanel >> Addon Modules >> select "modsecurity" >> Save
mod_security inspects request content and can reject abusive request patterns; it does
not help against a raw connection flood that never sends a valid request.
Step 4 : Blocking IPs
=============================
a) Find the IPs that have connections open to the server. The following command is the
better one for this, as it sorts the source IPs by number of connections (busiest last):
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Two caveats: the two netstat header lines appear as junk entries in the list, and
cut -d: -f1 truncates IPv6 addresses to their first group. Before blocking anything,
make sure the busiest addresses are not your own servers, your monitoring hosts, the
NOC, or a proxy/NAT gateway that many legitimate users sit behind.
b) Block them using iptables (-I inserts the rule at the top of the INPUT chain, so it
is matched before any ACCEPT rule)
# iptables -I INPUT -s 218.92.207.28 -j DROP
# service iptables save
# service iptables restart
c) Block them in APF too. APF flushes and rebuilds the iptables ruleset when it
restarts, so a rule added only with iptables -I is lost at the next APF restart; add
the IP (one per line) to APF's deny list and restart
# vi /etc/apf/deny_hosts.rules
# service apf restart
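The manual loop of Step 4 (find the busiest source IPs, block them in iptables and in
APF) written as a script. This is an added example, not code from the original post or
from APF or DDoS-Deflate. It assumes `netstat -ntu` output in the usual Linux net-tools
layout, that `apf -d HOST COMMENT` is available to add a deny entry, and the hypothetical
DDOS_LIVE, THRESHOLD and WHITELIST environment variables chosen for this example; the
netstat output embedded in it is constructed sample data. It does by hand what
DDoS-Deflate automates in Step 6, with a whitelist so you do not lock out your own
addresses:

```shell
#!/bin/sh
# Added example, not part of the original post: the manual Step 4 loop as a
# script. It reads `netstat -ntu` output, counts connections per remote IP
# (stripping only the trailing :port so IPv6 addresses survive), skips a
# whitelist of addresses that must never be blocked, and prints the iptables
# and APF commands for every IP at or above a threshold. Nothing is executed
# unless DDOS_LIVE=1 is set. The netstat output below is constructed sample
# data for the dry run, not a real capture.

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55000        ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.9:3200       ESTABLISHED'

# count_by_ip: netstat on stdin -> "count ip" per remote IP, busiest first.
# Header lines are skipped because their first field is neither tcp* nor udp*.
count_by_ip() {
    awk '$1 ~ /^(tcp|udp)/ { ip = $5; sub(/:[^:]*$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# offenders THRESHOLD "WHITELIST": IPs with at least THRESHOLD connections,
# excluding the space-separated whitelist (your own IPs, monitoring, the NOC).
offenders() {
    threshold=$1
    whitelist=$2
    count_by_ip | while read -r n ip; do
        [ "$n" -ge "$threshold" ] || continue
        case " $whitelist " in *" $ip "*) continue ;; esac
        echo "$ip"
    done
}

# block_rules THRESHOLD "WHITELIST": print the block commands for each
# offender. `apf -d` adds the host to APF's deny list (deny_hosts.rules) so
# the block survives an APF restart; the iptables rule takes effect right now.
block_rules() {
    offenders "$1" "$2" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
        echo "apf -d $ip 'http flood'"
    done
}

if [ "${DDOS_LIVE:-0}" = "1" ]; then
    # Live mode: block everything over THRESHOLD (default 100) except WHITELIST.
    netstat -ntu | block_rules "${THRESHOLD:-100}" "${WHITELIST:-127.0.0.1}" | sh
else
    # Dry run on the constructed sample: threshold 2, 192.0.2.10 whitelisted.
    printf '%s\n' "$SAMPLE_NETSTAT" | block_rules 2 "192.0.2.10"
fi
```

Run it without DDOS_LIVE to see the commands it would issue, review them, then run it
with DDOS_LIVE=1 and your own THRESHOLD and WHITELIST. The threshold of 2 is only for
the sample; on a real server pick it from the distribution count_by_ip shows, since
legitimate clients behind NAT or proxies share an address and browsers open several
connections each.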
Step 5 : Optimizing the httpd.conf file
=============================
# vi /usr/local/apache/conf/httpd.conf
Change the options below as follows; the original values are shown in brackets.
MaxKeepAliveRequests 50 (100)
KeepAliveTimeout 60 (30)
Note that a longer KeepAliveTimeout keeps an idle connection's worker slot occupied for
longer. If the attack is exhausting MaxClients with open connections, a much shorter
value (a few seconds) or KeepAlive Off frees slots faster.
Also adjust the following options according to the situation:
Timeout
KeepAlive
MinSpareServers
MaxSpareServers
MaxClients
Step 6 : Install/Configure 3rd party DDOS prevention tools
=============================
The widely used third-party script 'DDoS-Deflate' can also be used to mitigate a DDoS
attack. It periodically counts connections per source IP (via netstat) and bans, through
APF or iptables, any IP that exceeds a configured threshold. Read install.sh before
running it as root, and put your own IPs in /usr/local/ddos/ignore.ip.list before
enabling the cron job so the script cannot ban them.
Steps to install this script are as follows.
# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh
Add the script '/usr/local/ddos/ddos.sh' to cron as follows
# crontab -e
*/5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1
Step 7 : Suspend websites
=============================
Check the bandwidth usage of all the domains and temporarily suspend the domains that
are consuming the most bandwidth.
PERMANENT WAY TO FIX THE DDOS ATTACK
=============================
As the software measures above have their limits against a DDoS attack, the following
steps address it more permanently.
1. Ask the NOC to attach Cisco Guard to the server for 24 hours
(this service is normally free from most NOCs)
2. Attach a hardware firewall to the server
Hope this helps you in such a situation; for more information refer to the following URL:
http://forums.cpanel.net/showthread.php?t=66952