
My forum is under attack, but I can't identify what kind of attack it is.

Discussion in 'System Administration' started by CarlosMST, Jun 8, 2015.

  1. CarlosMST

    CarlosMST Member

    43
    0
    6
    Aug 9, 2014
    Ratings:
    +0
    Local Time:
    12:41 PM
    I checked the file /etc/csf/csf.deny
    and the IP is in the list.
     
  2. eva2000

    eva2000 Administrator Staff Member

    42,346
    9,560
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,732
    Local Time:
    3:41 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Run csf -h to see the help file; it shows how to grep an IP to check whether it's denied or allowed:

    Code:
    csf -g IPADDRESS
    and check /etc/csf/csf.allow and /etc/csf/csf.deny
    Code:
    grep IPADDRESS /etc/csf/csf.allow
    grep IPADDRESS /etc/csf/csf.deny
     
  3. CarlosMST

    CarlosMST Member

    Here is a screenshot:
    stats.png
     
  4. CarlosMST

    CarlosMST Member

    Here are the live stats from ngxtop:

    stats-NEW.png

    I noticed the speed is lower compared to before I blocked the IPs.
    The attacker IPs are 23.95.208.107 and 23.95.208.108;
    both are blocked now.

    Why are they not totally blocked?
     
  5. eva2000

    eva2000 Administrator Staff Member

    What's the ngxtop command you're using? If you have --no-follow, it's not live; it reads from access.log, so those could be past entries.

    They should be blocked. You would need to look at the HTTP status codes, as ngxtop could be reporting 403 access denied etc., but CSF should have blocked it before it hit nginx.
     
  6. CarlosMST

    CarlosMST Member

    Here is the command I'm using:
    Code:
    ngxtop -l /home/nginx/domains/domainname.com/log/access.log top request remote_addr
     
  7. CarlosMST

    CarlosMST Member

    But now I noticed that the attacker's connections are fewer. Reduced a lot, but not blocked totally.
     
  8. CarlosMST

    CarlosMST Member

    OK, thanks boss.

    And how about blocking the IP in Nginx, like this:
    Nginx Block And Deny IP Address OR Network Subnets
     
  9. eva2000

    eva2000 Administrator Staff Member

    That's left up to you; you can do it that way, but by the time it hits nginx it's probably too late. You want to block it one level higher, at the CSF firewall level.

    Try:

    Code:
    ngxtop -l /home/nginx/domains/domainname.com/log/access.log top request remote_addr status
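
The two points made in the replies above (ngxtop without --follow reports old access.log entries, and a CSF/iptables block happens before nginx ever sees the packet, whereas an nginx deny still produces a logged 403) can be checked directly against the log. The script below is an added example, not code from this thread, from ngxtop, or from CSF. The access.log lines and the csf.deny stand-in are constructed for the example (only the two IP addresses come from the thread; paths, user agents and timestamps are made up), the "block time" 20150608120000 is an assumed value, and the function names requests_since, status_breakdown and in_deny_list are the example's own.

```sh
#!/bin/sh
# Added example, not part of the thread: tell historical access.log entries from
# live traffic, and see whether a denied IP is still reaching nginx at all.
# Sample data below is constructed; only the two IPs come from the thread.

LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
23.95.208.107 - - [08/Jun/2015:10:15:01 +1000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
23.95.208.108 - - [08/Jun/2015:10:15:02 +1000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
23.95.208.107 - - [08/Jun/2015:10:15:03 +1000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
23.95.208.107 - - [08/Jun/2015:11:59:59 +1000] "GET /forums/ HTTP/1.1" 403 162 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Jun/2015:12:00:10 +1000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
23.95.208.107 - - [08/Jun/2015:12:00:11 +1000] "GET /forums/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF

# Constructed stand-in for /etc/csf/csf.deny: one entry per line, "# comment" allowed.
DENY="$(mktemp)"
cat > "$DENY" <<'EOF'
23.95.208.107 # Manually denied: forum flood
23.95.208.108 # Manually denied: forum flood
EOF

# requests_since IP YYYYMMDDHHMMSS LOGFILE
# Count requests from IP whose nginx timestamp is at or after the cutoff.
# ngxtop without --follow reads the whole file, so it keeps listing an IP long
# after the firewall dropped it; counting only post-block lines answers
# "is it still getting through?".
requests_since() {
    awk -v ip="$1" -v cutoff="$2" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        $1 == ip {
            ts = substr($4, 2)            # "[08/Jun/2015:10:15:01" -> drop the "["
            split(ts, p, "[/:]")          # p: day, Mon, year, hour, min, sec
            key = p[3] mon[p[2]] p[1] p[4] p[5] p[6]
            if (key >= cutoff) n++        # equal-length digit strings compare correctly
        }
        END { print n + 0 }' "$3"
}

# status_breakdown IP LOGFILE -> "status count" lines, sorted by status.
# A 403 means nginx itself refused the request (an nginx-level deny), i.e. the
# packet still reached the web server; a CSF/iptables drop leaves no log line.
status_breakdown() {
    awk -v ip="$1" '$1 == ip { c[$9]++ } END { for (s in c) print s, c[s] }' "$2" | sort
}

# in_deny_list IP DENYFILE -> exit 0 if IP has an exact entry (CIDR entries are not expanded).
# Offline stand-in for "csf -g IP", which on a live server also shows the iptables rule.
in_deny_list() {
    awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$2"
}

# Stand-alone run: report on the two IPs from the thread against the sample data.
for ip in 23.95.208.107 23.95.208.108; do
    if in_deny_list "$ip" "$DENY"; then listed=yes; else listed=no; fi
    echo "$ip: in deny list=$listed, requests after block: $(requests_since "$ip" 20150608120000 "$LOG")"
    status_breakdown "$ip" "$LOG" | sed "s/^/$ip: status /"
done
```

Reading the output: an IP that is in the deny list but still shows requests after the block time is getting past the firewall (check that csf -g lists an iptables rule for it, not just the file entry); an IP whose only post-block lines are 403s is being stopped by nginx rather than by CSF, which is the "one level too late" case described above; an IP with zero post-block lines is blocked where it should be, even though ngxtop over the whole file still shows its earlier traffic.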
     
  10. CarlosMST

    CarlosMST Member

    Here it is:

    stats-with-status.png

    Now the attacker IP doesn't appear, and most of the status codes are 200.

    What does that mean?
     
  11. eva2000

    eva2000 Administrator Staff Member

    looks like they're blocked now :)
     
  12. CarlosMST

    CarlosMST Member

    Yeah, now the forum feels much faster.

    Thanks for your help boss.
    Good night.
     
  13. rdan

    rdan Well-Known Member

    4,733
    1,144
    113
    May 25, 2014
    Ratings:
    +1,709
    Local Time:
    1:41 AM
    Mainline
    10.2
    That's why Cloudflare is very useful :)
    Cloudflare can pretty much detect this right away without affecting your system :).
     
  14. CarlosMST

    CarlosMST Member

    In my case, when the attack was on, I activated Cloudflare for testing purposes.
    The result was worse, very laggy.
    The Cloudflare security level is on Medium.
    I have the free version of Cloudflare.
     
  15. rdan

    rdan Well-Known Member

    I have this even on Essentially Off :)
    That's not the one I'm talking about; I mean the Web Application Firewall, which is only available on the PRO plan and up.