
My forum is under attack, but I can't identify what kind of attack it is.

Discussion in 'System Administration' started by CarlosMST, Jun 8, 2015.

  1. CarlosMST (Member, joined Aug 9, 2014)
    Hello @eva2000
    My website is under attack, but I can't identify what kind of attack it is.
    I have installed Centmin Mod.

    Please, can you help me?

    Thanks in advance.

     
  2. CarlosMST
  3. CarlosMST
    I don't know how to view logs in Centmin Mod... :(
     
  4. eva2000 (Administrator, Staff Member; Brisbane, Australia; joined May 24, 2014; Nginx 1.27.x, MariaDB 10.x/11.4+)
    Centmin Mod is provided as is, so troubleshooting issues is left to the end user to do. However, there are many Linux tools and scripts that can help you figure out what was causing the issues and when.

    If you're providing info on this forum, more info might be helpful:
    1. What version of Centmin Mod? .07 stable or .08 beta? If .08 beta, when was it installed and when was the last time you updated the .08 beta code (there are constant updates to the code)?
    2. What are your VPS/server hardware specifications? CPU type? Memory available? Disk space?
    3. Who's your web host?
    Tools and commands you will want to read up on and learn for basic system admin tasks and troubleshooting.
    Notes:

    Troubleshooting & Log Locations

    For log locations, you can see full details at How to troubleshoot Centmin Mod initial install issues, which has links to log locations.

    But for DDoS attacks the first port of call is your web host and their assistance.
     
  5. CarlosMST
    Hello @eva2000
    I am running centminmod-123.07stable_intel.
    My server is a SoYouStart OVH:
    E3-SAT-3 Intel Xeon E3 1245v2 4 c/ 8 t 3.4 GHz+ 32 GB 2x 2 TB SATA
    The forum is very laggy; here is a screenshot from the OVH manager:
    (screenshot attachment: ataque.png)
     
  6. CarlosMST
    The traffic suddenly went up today. I'm sure it is an attack.
    But I don't know what kind of attack it is.
     
  7. CarlosMST
    The number of connected users did not rise; my forum is a new forum, with an average of 20 connected users at the same time.
     
  8. eva2000
    Unfortunately, as I said, Centmin Mod is provided as is... so best to start with the OVH/SYS tech folks and all the links and tools I posted above.
     
  9. CarlosMST
    Do you have a tool to view the established connections to nginx?
     
  10. eva2000
    You mean stats?

    The Centmin Mod LEMP stack doesn't provide any traffic statistics analysers, just the raw logs outlined in the troubleshooting guide's server logs section.

    However, there are third-party tools you can try, including:
    Then there are tools and commands you will want to read up on and learn for basic system admin tasks and troubleshooting, including some for monitoring in general.
    Notes:
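An added example, not code from the Centmin Mod project or from anyone in this thread, of reading the raw nginx access log referred to above and of the established-connection view asked for in post 9. It assumes nginx's default "combined" log format (client address first, request line quoted after the timestamp) and the iproute2 `ss` command; the log lines and addresses are constructed sample data, with 203.0.113.7 playing the noisy client.

```shell
#!/bin/sh
# Added example, not Centmin Mod code: answer "who is hitting nginx, and where"
# from the raw access log, plus a live view of established connections.
# Assumes nginx's "combined" log format (first field $remote_addr, request line
# quoted after the timestamp). The log below is constructed sample data.

SAMPLE_LOG="${TMPDIR:-/tmp}/nginx-sample-$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [08/Jun/2015:10:00:01 +0000] "GET /recent-activity/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Jun/2015:10:00:01 +0000] "GET /forums/ HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jun/2015:10:00:01 +0000] "GET /recent-activity/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jun/2015:10:00:02 +0000] "GET /recent-activity/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.21 - - [08/Jun/2015:10:00:02 +0000] "GET /threads/hello.1/?page=2 HTTP/1.1" 200 9044 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jun/2015:10:00:02 +0000] "GET /recent-activity/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Jun/2015:10:00:03 +0000] "GET /recent-activity/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jun/2015:10:00:03 +0000] "GET /recent-activity/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF

# Requests per client address, busiest first.   usage: top_ips LOGFILE [N]
top_ips() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# Requests per path with the query string dropped.   usage: top_paths LOGFILE [N]
top_paths() {
    awk -F'"' '{ split($2, r, " "); sub(/\?.*/, "", r[2]); print r[2] }' "$1" \
        | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# How many times one address requested one path.   usage: hits_by_ip_on_path LOGFILE IP PATH
hits_by_ip_on_path() {
    awk -F'"' -v ip="$2" -v p="$3" \
        '{ split($2, r, " "); if (index($1, ip " ") == 1 && r[2] == p) n++ } END { print n + 0 }' "$1"
}

# Established connections to the web ports per peer address (iproute2 ss);
# for the live server, not run against the sample log.
established_by_ip() {
    ss -tn state established '( sport = :80 or sport = :443 )' \
        | awk 'NR > 1 { sub(/:[0-9]+$/, "", $4); print $4 }' | sort | uniq -c | sort -rn
}

echo "== requests per address =="; top_ips "$SAMPLE_LOG" 5
echo "== requests per path =="; top_paths "$SAMPLE_LOG" 5
echo "== 203.0.113.7 on /recent-activity/ =="; hits_by_ip_on_path "$SAMPLE_LOG" 203.0.113.7 /recent-activity/
```

Point the functions at the real log (the troubleshooting guide lists where Centmin Mod writes each domain's access log) and the two top lists answer the question in one go: one address far ahead of the rest, concentrated on one path, is a single-source layer 7 flood; many addresses at similar rates on the same path is a distributed one. `established_by_ip` gives the same per-address count for live connections rather than logged requests.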
     
  11. rdan (Well-Known Member; joined May 25, 2014; Mainline, 10.2)
    I hope your server is not exploited.
    If it's a Layer 3/4 DDoS attack, SYS can handle it pretty fine.
    Do you have something like Elasticsearch installed on your server?
    The default install is not protected and is vulnerable.
     
  12. CarlosMST
    Hi @RoldanLT, I don't have Elasticsearch.

    I configured the CSF firewall and the lag decreased, but the connections persist in the OVH monitor graph.
    I want to identify whether the attacker is from one specific IP, to block it.
    But I don't know how to view the nginx logs. I need to identify what kind of attack it is in order to block it.
    In my forum I don't see more guests connected, only 20 people between members, guests and robots.

    Which kind of attack is that?
     
  13. CarlosMST
    Now I have detected the attacker's IP.
    How do I configure the CSF firewall to auto-ban the IP?
    I noticed that CSF did not auto-ban this IP.
     
  14. eva2000
    CSF only auto-bans for failed logins to SSH/FTP or ports defined in /etc/csf/csf.conf - you need other methods depending on what they're hitting, as CSF can't auto-ban layer 7 web app attacks on its own.

    CSF firewall related: CSF - CSF Firewall info and CSF Firewall page

    In post 10 above, I outlined various ways of getting IP info too.
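An added example, not CSF or Centmin Mod code, of the kind of "other method" the post above means for a layer 7 flood that CSF does not detect by itself: count requests per client address in the nginx access log and hand anything over a threshold to CSF. It assumes CSF's documented `csf -td IP TTL comment` (temporary deny) and `csf -g IP` (search iptables for the address) options, which are not shown on this page; the threshold, the window, the allow-list and the sample log with 203.0.113.7 as the flooder are constructed values.

```shell
#!/bin/sh
# Added example, not Centmin Mod or CSF code: a layer 7 auto-ban pass. Counts
# requests per client address in the tail of an nginx access log ("combined"
# format) and hands every address over THRESHOLD to CSF as a temporary deny.
# DRY_RUN=1 (the default here) prints the csf commands instead of running them,
# so the script also runs on a box without CSF.

THRESHOLD="${THRESHOLD:-100}"        # requests per address inside the window; tune to your traffic
WINDOW="${WINDOW:-20000}"            # only the last WINDOW log lines are counted
BAN_TTL="${BAN_TTL:-3600}"           # seconds for csf -td (temporary deny)
DRY_RUN="${DRY_RUN:-1}"
ALLOWLIST="${ALLOWLIST:-127.0.0.1}"  # never ban these: add your own address and monitoring hosts

# Constructed sample log: one address repeats an expensive path 120 times,
# two other addresses browse normally.
SAMPLE_LOG="${TMPDIR:-/tmp}/nginx-flood-$$.log"
i=0
while [ "$i" -lt 120 ]; do
    echo '203.0.113.7 - - [08/Jun/2015:10:00:01 +0000] "GET /recent-activity/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    i=$((i + 1))
done > "$SAMPLE_LOG"
cat >> "$SAMPLE_LOG" <<'EOF'
198.51.100.20 - - [08/Jun/2015:10:00:02 +0000] "GET /forums/ HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
198.51.100.21 - - [08/Jun/2015:10:00:02 +0000] "GET /recent-activity/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Jun/2015:10:00:03 +0000] "GET /threads/hello.1/ HTTP/1.1" 200 9044 "-" "Mozilla/5.0"
EOF

# Print "COUNT IP" for each address with more than THRESHOLD requests.   usage: find_abusers LOGFILE
find_abusers() {
    tail -n "$WINDOW" "$1" \
        | awk -v t="$THRESHOLD" '{ n[$1]++ } END { for (ip in n) if (n[ip] > t) print n[ip], ip }' \
        | sort -rn
}

# Deny one address for BAN_TTL seconds, then confirm the rule is in iptables.   usage: ban_ip IP COUNT
ban_ip() {
    case " $ALLOWLIST " in
        *" $1 "*) echo "skip: $1 is allow-listed"; return 0 ;;
    esac
    reason="layer7 flood: $2 requests in last $WINDOW log lines"
    if [ "$DRY_RUN" = 1 ] || ! command -v csf >/dev/null 2>&1; then
        echo "would run: csf -td $1 $BAN_TTL \"$reason\""
    else
        csf -td "$1" "$BAN_TTL" "$reason"
        csf -g "$1"   # lists the iptables rules matching the address; "no match" means the ban did not apply
    fi
}

# One pass over the log; run from cron or a loop with sleep.   usage: autoban LOGFILE
autoban() {
    find_abusers "$1" | while read -r count ip; do
        ban_ip "$ip" "$count"
    done
}

autoban "$SAMPLE_LOG"
```

Run it as root with DRY_RUN=0 against the real log path, from cron or a loop. The `csf -g` call after each deny is the check to make when a ban seems not to bite: it shows whether iptables actually holds a rule for the address. The count is per address, so this does nothing against a flood spread across many sources; for that, rate limiting at nginx (its limit_req module) or the host's DDoS protection is the right layer.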
     
  15. CarlosMST
    The attacker attacks my recent-activity path from only one IP:
    I banned his IP in the CSF firewall and in XenForo APC, but the attack persists:
    Here is a screenshot of ngxtop:
    (screenshot attachment: attacker.png)
    What type of firewall do I need?
    Is it possible to block this with iptables?

    Thanks in advance.
     
  16. eva2000
  17. CarlosMST
  18. eva2000
    -a = allow IP entries in /etc/csf/csf.allow

    -d = deny/ban IP entries in /etc/csf/csf.deny
     
  19. CarlosMST
    Yes, sorry, a writing error. I copy-pasted.

    But the correct command that I applied is -d.
     
  20. CarlosMST
    I applied the command exactly like this:
    Code:
    csf -d 23.95.208.107 Attacker IP

    Why does it not block the IP?