apache server under attack

Discussion in 'Site & Server Administration' started by mark24, Mar 22, 2020.

0
  1. #1
    Hi all,
    I run a small community . Iam using apache web server with smf forums on a vps with centos 7. I have all good firewalls going (csf) . Iam trying to solve an issue with a user crashing my7 forums. The memory on the vps and cpu will spike to 100% and create a "cannot connect to mysql database" error. on the apache error logs I get a mpm_prefork error showing AH00159 error out of memory. can anyone tell me how to prevent this attack. thanks.
     
    mark24, Mar 22, 2020 IP
  2. JEET

    JEET Notable Member

    Messages:
    3,832
    Likes Received:
    502
    Best Answers:
    19
    Trophy Points:
    265
    #2
    Check your access logs. Someone is definitely scraping your forum, and this is what is causing the MySQL overload.
    One or two IPS, too many requests, in a very short time.
    Block that IP.
     
    JEET, Mar 23, 2020 IP
  3. mark24

    mark24 Peon

    Messages:
    3
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    1
    #3
    it wont matter if you ban the IP, I know the user, he is the king of getting new IPs using vpns. Iam running centos 7, apache, mysql and smf forums. i have csf firewall. is there any apache settings iam overlooking i can set. thanks.

    I forgot to mention, he can only do this while forums are open. if I put the forum in maintaince mode and restrict access to only admins. he cant do this or take down apache or mysql
     
    Last edited by a moderator: Mar 24, 2020
    mark24, Mar 24, 2020 IP
  4. zacharooni

    zacharooni Well-Known Member

    Messages:
    346
    Likes Received:
    20
    Best Answers:
    4
    Trophy Points:
    120
    #4
    Use CloudFlare, whitelist the reverse proxy ip ranges in your firewall, and remove ports 80,443/tcp and 443/udp from your firewall whitelist so only CloudFlare can hit your server. This should improve stability by leaps and bounds.
     
    zacharooni, Mar 24, 2020 IP
  5. SolaDrive

    SolaDrive Well-Known Member

    Messages:
    135
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    153
    #5
    1. Setup a CDN, like CloudFlare which is free. The free version will do a good job at blocking false visits and attacks like this.
    2. Why can't you just block this user?
    3. You should use MPM_event as it will perform much better, your MySQL also needs tuning so it can accept more connections.
    4. Nginx would also work well with your forum but would need rewrite rules setup.
    5. Setup a rule in your firewall to block XX number of connections from the same IP or similar class C subnet.
     
    SolaDrive, Mar 24, 2020 IP
  6. mark24

    mark24 Peon

    Messages:
    3
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    1
    #6
    thanks alot, ive overlooked those things and have csf firewall working perfectly with cloudlfare and everything locked down.
     
    mark24, Mar 25, 2020 IP
  7. MagdaS

    MagdaS Active Member

    Messages:
    37
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    88
    #7
    Sorry to hear,

    One golden rule is not to install software that you have no trust in. Meaning audit source code prior installing. If no SC is available, or authors/devs deny your right to audit, than just ignore and use alternative/s
     
    MagdaS, Apr 4, 2020 IP
  8. Thibaut

    Thibaut Well-Known Member

    Messages:
    886
    Likes Received:
    26
    Best Answers:
    0
    Trophy Points:
    140
    #8
    Try to enable mod_security on the Apache server.
     
    Thibaut, Apr 10, 2020 IP