365 Hosting support | Server Management Provider

365hostingsupport is the ultimate source of server security, cPanel server management and monitoring. Since 2012 we have been offering top-class technical support services at the lowest prices. We offer 100% satisfaction with a 7-day money-back guarantee.


DoS: How to check for it?

Nowadays DDoS attacks on servers have become common. You can follow the checklist below to stop them to a certain extent.

Steps:

1. How to find a DoS attack on the server

[root@root]# pidof httpd

If the above command returns more than 5 PIDs, you can suspect there is a DoS attack on the server.

2. Run the commands below to confirm the DoS attack and block the offending IPs continuously.

[root@root]# netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

OR

[root@root]# netstat -an | grep SYN | sort | uniq | awk '{print $5}' | sed 's/\:/ /g' | awk '{print "csf -d "$1}'

You will see a high number of hits from different IPs. Once you have confirmed the DoS attack on the server, continue as follows.

4. Now check the MaxClients and Timeout values in the Apache configuration:

MaxClients 150
Timeout 300

Timeout 300 is the default value. Reducing it somewhat helps to mitigate a DoS attack to a certain extent.

5. Now find out which domains the DoS attack is targeting.

[root@root]# cd /usr/local/apache/domlogs/
[root@root]# ls -ltr |tail -50

(This lists the 50 most recently updated domain logs, i.e. the domains currently receiving the most hits.)

6. Now run the following command to find the IPs hitting that particular domain:

[root@root]# tail -f domainname | awk '{print $1}'

7. If the hits come from the same IP, block only that IP. If the hits come from different IP ranges, suspend or disable that account, or block the ranges of IPs.
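Steps 2 and 6 above are the same check applied to two data sources: count how often each client IP appears, then rank the busiest. The following Python script is an added example, not part of the original post. It runs the same counting over constructed sample `netstat -plan` output and constructed Apache domlog lines (client addresses are RFC 5737 documentation ranges), separately counts half-open SYN_RECV connections per client, and builds the `csf -d` commands from step 2 as strings for review rather than executing them. The function names, the threshold parameter and the sample data are assumptions of this example.

```python
"""Rank client IPs by connection count (netstat) and by hit count (domlog).

Added example for the DoS checks described above; not the original post's code.
Sample inputs below are constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter

# Constructed sample of `netstat -plan` output. Columns: Proto, Recv-Q, Send-Q,
# Local Address, Foreign Address, State, PID/Program name (udp lines lack State).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        SYN_RECV    -
tcp        0      0 10.0.0.5:80             192.0.2.10:51237        SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:443            198.51.100.7:40002      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:22             203.0.113.9:2222        ESTABLISHED 900/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           800/named
"""

# Constructed sample of an Apache combined-format domlog.
DOMLOG_SAMPLE = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""

LOG_IP = re.compile(r"^(\S+) ")  # first field of a combined-format log line


def parse_netstat(text, local_port=80):
    """Yield (client_ip, state) for each socket whose local port is local_port."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines and anything unexpected
        local, foreign = fields[3], fields[4]
        if local.rsplit(":", 1)[-1] != str(local_port):
            continue
        client_ip = foreign.rsplit(":", 1)[0]   # strip the client's source port
        state = fields[5] if len(fields) >= 7 else ""  # udp rows carry no state
        yield client_ip, state


def rank_ips(ips, threshold=1):
    """Count each IP and return (ip, count) pairs, busiest first, keeping only
    those at or above threshold; the equivalent of sort | uniq -c | sort -nr."""
    counts = Counter(ips)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def web_connections_by_ip(netstat_text, local_port=80, threshold=1):
    """Step 2's first pipeline: connections to the web port per client IP."""
    return rank_ips((ip for ip, _ in parse_netstat(netstat_text, local_port)), threshold)


def half_open_by_ip(netstat_text, local_port=80):
    """SYN_RECV sockets are half-open handshakes; many from one client is the
    SYN-flood signature the second pipeline in step 2 looks for."""
    return rank_ips(ip for ip, state in parse_netstat(netstat_text, local_port)
                    if state == "SYN_RECV")


def parse_domlog(text):
    """Step 6: the client IP (first field) of every access-log line."""
    return [m.group(1) for m in (LOG_IP.match(line) for line in text.splitlines()) if m]


def deny_commands(ranked):
    """Build the csf deny commands for flagged IPs. Returned as strings so an
    operator can review them; nothing is executed here."""
    return [f"csf -d {ip}" for ip, _ in ranked]


if __name__ == "__main__":
    print("connections to :80 per client:", web_connections_by_ip(NETSTAT_SAMPLE))
    print("half-open (SYN_RECV) per client:", half_open_by_ip(NETSTAT_SAMPLE))
    print("hits per client in domlog:", rank_ips(parse_domlog(DOMLOG_SAMPLE)))
    print("suggested blocks:", deny_commands(web_connections_by_ip(NETSTAT_SAMPLE, threshold=3)))
```

On a live server you would feed `subprocess.run(["netstat", "-plan"], capture_output=True, text=True).stdout` and the contents of a file under /usr/local/apache/domlogs/ into the same functions; the threshold is deliberately a parameter, because a legitimate proxy or NAT gateway can also open many connections from one address and should be reviewed before it is denied.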

8. Alternatively, remove the DNS/PDNS database entry for the domain.

[root@root]# mv /var/named/domainname.com.db /var/named/domainname.com.db.bak
[root@root]# touch /var/named/domainname.com.db

9. Also remove the zone entry from PDNS.

10. In WHM, Apache Status shows which domain is receiving the most hits or requests. Take action accordingly.

11. If the attack is still not under control, make the following changes in csf.conf:

1. vi /etc/csf/csf.conf

Find CT_LIMIT and set it to 150.

2. Find SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST.

Set the values as follows:

SYNFLOOD = "1"
SYNFLOOD_RATE = "10/s"
SYNFLOOD_BURST = "15"

Definition (SYN flood): A SYN flood is a type of DoS attack. A SYN packet notifies a server of a new connection. The server then allocates some memory in order to handle the incoming connection, sends back an acknowledgement, then waits for the client to complete the connection and start sending data. By spoofing large numbers of SYN requests, an attacker can fill up memory on the server, which will sit there waiting for more data that will never arrive. Once memory has filled up, the server will be unable to accept connections from legitimate clients.

3. Also enable PORTFLOOD as follows:

PORTFLOOD = "80;tcp;300;5"

3. Save and exit.

4. Restart csf.
