Need Help Detecting DDOS Using WHM/Cpanel

Discussion in 'Site & Server Administration' started by warman2442, Jan 4, 2008.

  1. #1
    Hello

    I wondered if anyone could help me out here.

    I get DDoSed a lot on some of my sites. I don't know why, but I am sick of asking support to fix it.

    So that's why I'm here: I want to learn how I can detect a DDoS attack (through Apache status) and how I ban that IP address myself. I have the latest WHM.

    Thanks

    Tyler
     
    warman2442, Jan 4, 2008 IP
  2. linsys

    #2
    The simple answer is you can't very effectively.

    DoS attacks can come in many forms: some are network based (routers, switches and servers are attacked), some are application based via exploits in Apache, PHP, custom web applications, SQL, etc.

    Maybe you can tell us more about the types of attacks you are experiencing?

    See, even a front page Digg article hitting a server that can't handle it could be considered a DoS attack.
     
    linsys, Jan 4, 2008 IP
  3. warman2442

    #3
    linsys, well, the attacks are usually always network based, slowing down website loads etc. And it's not CPU/RAM, since I check them and they are fine :)

    Also, I can use SSH if needed to detect attacks.
     
    warman2442, Jan 4, 2008 IP
  4. linsys

    #4
    If you can check the CPU/RAM and they are fine, then you are even more limited in what you can do about it. If the router is being attacked, then only your hosting company can deal with it; if the server itself is being attacked, it could be another host on the same server (unless it's dedicated). If you have SSH and root you can always throw up an IDS like Snort to see if it picks up any attack signatures. With root there is a lot more you can do, especially since the attacks are network based.
     
    linsys, Jan 4, 2008 IP
  5. warman2442

    #5
    warman2442, Jan 4, 2008 IP
  6. linsys

    #6
    Yeah, I would try that. I would also install Snort and run it for at least one month; Snort will give you an AMAZING look at what is happening with your server, who is connecting, what attacks they are running, etc. Then from there you can start to design a plan to deal with it.
     
    linsys, Jan 4, 2008 IP
  7. linuxcares12

    #7
    See the URLs below. They have been very helpful. If you plan to install a firewall, do remember to install only one, either CSF or APF.

    http://basilvarghese.co.cc/secure-your-server/ddos-attack.html

    http://basilvarghese.co.cc/secure-your-server/install-csf.html

    http://basilvarghese.co.cc/secure-your-server/install-apf.html

    :)
     
    linuxcares12, Oct 31, 2009 IP
  8. rootbinbash

    #8
    Dude, I have seen over 50 DDoS attacks and I have been using Linux since 1999. You cannot prevent DDoS attacks with iptables or any other software firewall. You will need a hardware firewall. But to answer your question, Snort is a great tool IMO.
     
    rootbinbash, Oct 31, 2009 IP
  9. theapparatus

    #9
    Only 50? I see them daily. It amazes me that folks like attacking sites of 8 year old Girl Scouts and pictures of their camping trip.

    Gotta agree with that. You can try blocking at the server level, but the problem is the server is still responding to the attack, even if it's just to block it or not accept the connection. While local firewalls and the like do help and do offer some protection from hackers, DDoS prevention really needs to be done at the router or firewall level.

    Snort and the other tools help but they're more for providing the information needed to get the other tools in place to protect your server.

    Have you figured out which sites are being hit? Any showing huge amounts of increased traffic?
     
    theapparatus, Oct 31, 2009 IP
  10. rootbinbash

    #10
    @theapparatus

    Thanks for saving me from writing the logic :) Totally agreed. However, you can block suspicious attacks detected by Snort via an automatic script. That is why I love Snort.
     
    rootbinbash, Oct 31, 2009 IP
  11. raffo77

    #11
    You need a hardware firewall.
    So you can filter all bad packets and allow only the good ones.

    But for 50 attackers you can block by software.

    If you use cPanel you can read this guide to optimize your server: https://www.rv89.eu/forum/index.php...cpanel-whm-server-for-prevent-hacker-attacks/

    Install the CSF firewall and configure:

    CSF Connection Limit
    There is a CT option in csf.conf; configure it like this:

        CT_LIMIT = "25"

    It means every IP with more than 25 connections is going to be blocked. So you can see who the attacker is on the deny IP list and how many connections he opened to attack you.

        CT_PERMANENT = "1"

    The IP will be blocked permanently.

        CT_BLOCK_TIME = "1800"

    The IP will be blocked for 1800 secs (1800 secs = 30 mins).

        CT_INTERVAL = "60"

    Set this to the number of seconds between connection tracking scans.

    After editing csf.conf you need to restart csf:

        root@server [~]# service csf restart

    • SYN Cookies
    Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookie protection:

        # Enable TCP SYN Cookie Protection
        net.ipv4.tcp_syncookies = 1

        root@server [~]# service network restart
     
    raffo77, Nov 1, 2009 IP
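As an added example (not code from the thread or from CSF), here is a small POSIX shell function that does by hand what raffo77's CT_LIMIT setting makes CSF do every CT_INTERVAL seconds: count connections per remote IP and report the addresses over the limit, so an admin with SSH can see who is flooding the box before deciding to block anyone. The sample input is constructed in the format of `netstat -ntu`; the function name `over_limit` is mine.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (documentation addresses only).
# Columns: Proto Recv-Q Send-Q "Local Address" "Foreign Address" State
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.9:2222          ESTABLISHED'

# over_limit LIMIT: read netstat-style lines on stdin and print "count ip"
# for every remote address holding more than LIMIT connections (the same
# comparison as CSF's CT_LIMIT). Header lines and loopback are skipped.
over_limit() {
    limit="$1"
    awk -v limit="$limit" '
        $1 ~ /^(tcp|udp)/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)        # strip the remote port
            if (ip == "127.0.0.1" || ip == "::1") next
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# Offline demonstration on the constructed sample: limit 2 flags only
# 198.51.100.7, which holds three connections (two established, one half-open).
printf '%s\n' "$SAMPLE_NETSTAT" | over_limit 2

# On a real server the same check against live connections would be:
#   netstat -ntu | over_limit 25
```

Because SYN_RECV entries are counted too, a SYN flood shows up here even before the kernel's SYN cookies (the sysctl in the post above) are doing their job.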