  #1  
06-25-2009, 09:31 AM
-KaaL-
Member
 
Join Date: Jun 2009
Posts: 26
DDoS Question

Hello,

I am planning to buy LiteSpeed Enterprise for my server.
But I would just like to make sure it would be worth the price.

I am currently using the Trial Version ..
Linux CentOS 32bit with DA

I just want to get the right setting..
I have followed most of the threads.. including http://www.litespeedtech.com/how-tos.html#qa_dos

But just didn't know how to mitigate attacks from different IPs.

I read the last point there about General Context. But I didn't understand that part..

I have posted an image of a log of an attack I experienced..



Thank you,
Arvind.

Last edited by -KaaL-; 06-29-2009 at 08:56 PM..
  #2  
06-25-2009, 09:43 AM
mistwang
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,603
Just limit the number of connections from each IP; LSWS will block IPs that abuse the server automatically. There is no need to do anything extra unless you are being hit by a botnet with hundreds or thousands of zombies.
  #3  
06-25-2009, 09:45 AM
-KaaL-
Member
 
Join Date: Jun 2009
Posts: 26
I haven't posted the whole log.
It's well over 500 UNIQUE bots.
And this log has some consecutive IPs.
I expect attacks with all unique IPs, like a pack of 500 attacking one after the other..
  #4  
06-25-2009, 09:50 AM
mistwang
LiteSpeed Staff
 
Join Date: May 2003
Location: New Jersey
Posts: 7,603
It does not matter; as long as the bots act aggressively like in the status page you posted, all of them will be blocked in a short time once they hit the connection limits.
  #5  
06-25-2009, 11:47 AM
-KaaL-
Member
 
Join Date: Jun 2009
Posts: 26
Static Requests/second - 25
Dynamic Requests/second - 10
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 400
Connection Hard Limit - 500
Grace Period (sec) - 15
Banned Period (sec) - 300

Max Connections : 500
Connection Timeout (secs) : 60
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

Are these settings fine ?
  #6  
06-25-2009, 12:00 PM
anewday
Senior Member
 
Join Date: Nov 2007
Location: New York
Posts: 729
Quote:
Originally Posted by -KaaL-
Static Requests/second - 25
Dynamic Requests/second - 10
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 400
Connection Hard Limit - 500
Grace Period (sec) - 15
Banned Period (sec) - 300

Max Connections : 500
Connection Timeout (secs) : 60
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

Are these settings fine ?

How often do you get hit with a DDoS? Your settings are not aggressive. Start with these:

Static Requests/second - 10
Dynamic Requests/second - 2
Outbound Bandwidth (bytes/sec) - 0
Inbound Bandwidth (bytes/sec) - 0
Connection Soft Limit - 20
Connection Hard Limit - 30
Grace Period (sec) - 30
Banned Period (sec) - 3600

Max Connections : 900
Connection Timeout (secs) : 15
Max Keep-Alive Requests : 90
Smart Keep-Alive : Yes
Keep-Alive Timeout (secs) : 3

Last edited by anewday; 06-25-2009 at 12:05 PM..
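
Added example, not part of the thread and not LiteSpeed code: a simplified second-by-second model of how the per-client soft limit, hard limit, grace period and banned period interact, run on the values from posts #5 and #6. The semantics (hard limit always enforced, ban when a client stays above the soft limit past the grace period) and the client holding 50 connections are assumptions of the model.

```python
import math
from collections import namedtuple

# soft/hard: per-client connection limits; grace/ban: seconds;
# max_conns: server-wide Max Connections.
Limits = namedtuple("Limits", "soft hard grace ban max_conns")

def simulate_client(lim, wanted, duration):
    """Model one IP that tries to hold `wanted` connections for `duration` seconds.

    Returns (peak_held, banned_at, seconds_blocked); banned_at is None if the
    client was never banned.
    """
    over_since = banned_at = None
    banned_until = -1
    peak = blocked = 0
    for t in range(duration):
        if t < banned_until:               # still inside the ban window
            blocked += 1
            continue
        held = min(wanted, lim.hard)       # hard limit is never exceeded
        peak = max(peak, held)
        if held <= lim.soft:
            over_since = None              # at or under the soft limit
        elif over_since is None:
            over_since = t                 # grace period starts now
        elif t - over_since >= lim.grace:  # still over soft after grace: ban
            banned_until = t + lim.ban
            if banned_at is None:
                banned_at = t
            over_since = None
            blocked += 1
    return peak, banned_at, blocked

def clients_to_fill(lim, wanted):
    """Number of such clients that reach Max Connections before any ban lands."""
    return math.ceil(lim.max_conns / min(wanted, lim.hard))

# Values from post #5 (original) and post #6 (suggested).
ORIGINAL = Limits(soft=400, hard=500, grace=15, ban=300, max_conns=500)
SUGGESTED = Limits(soft=20, hard=30, grace=30, ban=3600, max_conns=900)

if __name__ == "__main__":
    for name, lim in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        # Constructed workload: one IP keeping 50 connections open for 10 minutes.
        print(name, simulate_client(lim, wanted=50, duration=600),
              clients_to_fill(lim, wanted=50))
```

Under the original values a client holding 50 connections never crosses the soft limit of 400, and ten such clients reach Max Connections; under the suggested values the same client is capped at 30 and banned once the 30-second grace period runs out.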
  #7  
06-30-2009, 11:01 PM
Cyber-DL
Member
 
Join Date: Jan 2009
Posts: 40
Quote:
Originally Posted by -KaaL-
Hello,

I am planning to buy LiteSpeed Enterprise for my server.
But I would just like to make sure it would be worth the price.

I am currently using the Trial Version ..
Linux CentOS 32bit with DA

I just want to get the right setting..
I have followed most of the threads.. including http://www.litespeedtech.com/how-tos.html#qa_dos

But just didn't know how to mitigate attacks from different IPs.

I read the last point there about General Context. But I didn't understand that part..

I have posted an image of a log of an attack I experienced..

Thank you,
Arvind.

wow KaaL, amazing log, I'm using DA, how can I access this log for my server?!
  #8  
06-30-2009, 11:57 PM
-KaaL-
Member
 
Join Date: Jun 2009
Posts: 26
I have done all that has been said by Ant. Appreciate it.
But the Mod Security rules you posted on the other thread forbid members from posting a reply or a new thread ... I think some settings have to be lowered..

Thank you again..

Quote:
Originally Posted by Cyber-DL
wow KaaL, amazing log, I'm using DA, how can I access this log for my server?!

APACHE 1.x
http://httpd.apache.org/docs/1.3/mod/mod_status.html

APACHE 2.x
http://httpd.apache.org/docs/2.2/mod/mod_status.html
  #9  
07-01-2009, 12:07 AM
grniyce
Senior Member
 
Join Date: Jan 2009
Posts: 52
If you look at the mod_security log, it should tell you what is being blocked. Perhaps you can paste the security alert here. Otherwise you'll need to do what I did, and that's searching through each mod_sec document in "modsecurity" and "modsecurity.d" and search for the text, kinda like when you do an edit in vB ya know? Find that text and depending upon the usage of it, you can alter the rule or remove it entirely if it's something like a blacklist. Nothing is perfect for all environments, but what I posted is for a WHM/cPanel environment. With DA I'm not sure how it compiles Apache, and what options you have and so forth. By process of elimination you can most of the time tweak the rule.

Last edited by grniyce; 07-01-2009 at 12:10 AM..
  #10  
07-01-2009, 09:46 AM
-KaaL-
Member
 
Join Date: Jun 2009
Posts: 26
Quote:
Originally Posted by grniyce
If you look at the mod_security log, it should tell you what is being blocked. Perhaps you can paste the security alert here. Otherwise you'll need to do what I did, and that's searching through each mod_sec document in "modsecurity" and "modsecurity.d" and search for the text, kinda like when you do an edit in vB ya know? Find that text and depending upon the usage of it, you can alter the rule or remove it entirely if it's something like a blacklist. Nothing is perfect for all environments, but what I posted is for a WHM/cPanel environment. With DA I'm not sure how it compiles Apache, and what options you have and so forth. By process of elimination you can most of the time tweak the rule.

The problem that I face is that every time I google, what I get is for cPanel/WHM.. not much for DA
so I'm also like you, all alone.. the hard way..
Still learning each day something or the other ..

Code:
===============================================
THIS IS THE FIRST TYPE ...
===============================================

POST /newreply.php?do=postreply&t=758 HTTP/1.1
Host: somedomain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://somedomain.com/showthread.php?p=59668
Cookie: [Cookie....]
Content-Type: application/x-www-form-urlencoded
Content-Length: 382
-----------------------------------------------
HTTP/1.1 403 Forbidden
-----------------------------------------------
Message: [client <CLIENT.IP.ADDRESS>] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/submit/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:/code/|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/url/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/' '(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame)'] [severity "WARNING"]

===============================================
2nd ERROR TYPE
===============================================

GET /some/image/sample.gif HTTP/1.1
Host: <CLIENT.IP.ADDRESS>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.somedomain.com.com/index.php?showtopic=19815
Cookie: <COOKIE>
------------------------------------------------
HTTP/1.1 400 Bad Request
------------------------------------------------
Message: [<CLIENT.IP.ADDRESS>] mod_security: Access denied with code 400, [Rule: 'REQUEST_HEADERS:Host' '^[\d\.]+$'] [ID "960017"] [Msg "Host header is a numeric IP address"] [severity "CRITICAL"]
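
Added example, not part of the thread: a small parser for the two alert formats shown in post #10, which pulls out what post #9 suggests looking up (the rule ID when one is logged, otherwise the pattern text) and re-tests the pattern against a candidate value. The sample lines are constructed from the post's format, with a documentation IP address and an abridged first rule; Python's `re` stands in for the engine's PCRE.

```python
import re

RULE_RE = re.compile(r"\[Rule: '(?P<targets>[^']*)' '(?P<pattern>.*)'\]")
TAG_RE = re.compile(r'\[(ID|Msg|severity) "([^"]*)"\]')
CODE_RE = re.compile(r"Access denied with code (\d{3})")

def parse_alert(line):
    """Split one 'mod_security: Access denied' message into its fields."""
    rule, code = RULE_RE.search(line), CODE_RE.search(line)
    if not rule or not code:
        return None
    # Optional [ID "..."] [Msg "..."] [severity "..."] tags follow the rule.
    tags = {k.lower(): v for k, v in TAG_RE.findall(line[rule.end():])}
    targets = rule.group("targets").split("|")
    return {
        "code": int(code.group(1)),
        "inspected": [t for t in targets if not t.startswith("!")],
        "excluded": [t[1:] for t in targets if t.startswith("!")],
        "pattern": rule.group("pattern"),
        "id": tags.get("id"),
        "msg": tags.get("msg"),
        "severity": tags.get("severity"),
    }

def search_key(alert):
    """What to search the rule files for: the ID if logged, else the pattern text."""
    return ("id", alert["id"]) if alert["id"] else ("pattern", alert["pattern"])

def fires_on(alert, value):
    """Re-test the logged pattern against a value (Python re as a stand-in for PCRE)."""
    return re.search(alert["pattern"], value) is not None

# Constructed samples in the format of post #10; 192.0.2.10 is a documentation address.
ALERT_HOST = r"""Message: [192.0.2.10] mod_security: Access denied with code 400, [Rule: 'REQUEST_HEADERS:Host' '^[\d\.]+$'] [ID "960017"] [Msg "Host header is a numeric IP address"] [severity "CRITICAL"]"""
# First alert type with target list and pattern abridged; it carries no [ID] tag.
ALERT_MARKUP = r"""Message: [client 192.0.2.10] mod_security: Access denied with code 403, [Rule: 'REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:reply|!ARGS:/message/' '< ?/?i?frame'] [severity "WARNING"]"""

if __name__ == "__main__":
    for line in (ALERT_HOST, ALERT_MARKUP):
        alert = parse_alert(line)
        print(search_key(alert), alert["inspected"], len(alert["excluded"]), "exclusions")
    # Why the second alert type fired: an IP in Host matches, a hostname does not.
    host = parse_alert(ALERT_HOST)
    print(fires_on(host, "192.0.2.10"), fires_on(host, "somedomain.com"))
```

The `excluded` list shows which arguments a rule skips, which narrows down where in the request a false positive can have come from.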