
Nginx Nginx down when DDoS

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Oxide, Apr 18, 2016.

  1. Revenge

    Revenge Active Member

    442
    92
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +333
    Local Time:
    5:54 AM
    1.9.x
    10.1.x
    @pamamolf I'm on the phone, but I'll give you my configuration when I get home. Basically, it bans every IP that makes a request using the WordPress user agent. Like @Oxide said, in very big attacks, the IPs making requests are faster than the ability of fail2ban to ban them. But it will ban all of them after some time.

    @Oxide another way to protect, if you have the money, is to buy the Pro version of Cloudflare that costs $20. Their WAF protection will absorb the xmlrpc attack.
     
  2. Oxide

    Oxide Active Member

    516
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    2:54 PM
    Yeah, but blocking user-agents should work fine (returning 444), however nginx goes down. I'd rather not spend an extra $20/m since something is wrong with Centmin - before doing that I would start using VestaCP.

    I am having issues understanding what could prevent the requests from coming through? It's like something blocks it before nginx gets impacted. Nginx never crashes, never experienced such an issue before.
     
  3. eva2000

    eva2000 Administrator Staff Member

    41,046
    9,172
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,073
    Local Time:
    2:54 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Are you using the 444 return status on both non-Centmin Mod and Centmin Mod nginx servers? That is exactly what 444 is meant to do: close nginx connections before nginx even responds to them.
     
  4. Oxide

    Oxide Active Member

    Correct. But wouldn't that block normal traffic too? And time out. I have issues connecting to FTP for example, not sure if nginx and FTP are tied together.
     
  5. eva2000

    eva2000 Administrator Staff Member

    Nothing ties nginx and FTP, so it's something else.
     
  6. Revenge

    Revenge Active Member

    @Oxide if the attack is really big, the CPU will go to 100% anyway. That attack I received yesterday, with 8000 servers each making many requests per second, put each of the 8 CPU threads at 100%, even though nginx was returning 444 to them. Nginx will still receive those requests.
     
  7. Oxide

    Oxide Active Member

    Yeah. I had issues connecting to FTP, couldn't connect at all during the attack. Nor to any of my websites. CPU? It used 0% CPU.

    On my other non-Centmin server, where I only had nginx (no other services), 444 gave me 100% CPU usage - but the site didn't go down.
     
  8. eva2000

    eva2000 Administrator Staff Member

    Have you tried installing Centmin Mod 123.09beta01? Or already tried?
     
  9. Oxide

    Oxide Active Member

    No, but I will try.
     
  10. Ahmad

    Ahmad Premium Member Premium Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    6:54 AM
    1.9.9
    10.1.10
    I added you on Skype btw. @Oxide
     
  11. Revenge

    Revenge Active Member

    Filter:
    Code:
    [Definition]
    
    failregex = ^<HOST> -.*WordPress.*/
    
    Jail:
    Code:
    [pingback]
    enabled = true
    port = http,https
    filter = pingback
    logpath = /path/to/your/access.log
    backend  = polling
    journalmatch =
    maxretry = 1
    findtime = 1
    bantime = 86400
    action = iptables-allports
     
    • Informative x 3
  12. Oxide

    Oxide Active Member

    This will not work with CloudFlare sadly.

    I used to use this: Redis based IP blacklist for Nginx (LUA) · GitHub

    It worked fine, redis is pretty quick.

    To be more specific, I used this to limit requests using fail2ban. I limited PHP requests to 15 or so.
     
  13. Revenge

    Revenge Active Member

    Why won't it work behind Cloudflare? If Cloudflare sends the real IP to your server, I don't see why it wouldn't work.
     
  14. Oxide

    Oxide Active Member

    iptables does not work with nginx; the real IP is only within the web server, so iptables will see CF IPs.
     
    • Agree x 1
  15. Oxide

    Oxide Active Member

    Yes. Same issue! :p

    nginx version: nginx/1.9.15 @ 123.09beta01
     
  16. Oxide

    Oxide Active Member

    And here is a $5.00 USD DigitalOcean VPS (1 core, 512MB RAM). It does not run Centmin and can stay online completely fine.

    Reached nearly 10k r/s - same attack on centmin crashes it or something weird happens

     
  17. eva2000

    eva2000 Administrator Staff Member

  18. Revenge

    Revenge Active Member

    Fail2ban will get the IP in the access log. That log is populated by Nginx with the real IP address ;)
     
    • Agree x 1
  19. Oxide

    Oxide Active Member

  20. Oxide

    Oxide Active Member

    Sure, but iptables won't block it ;) It will still be the Cloudflare IP - meaning the traffic will still go through Cloudflare like a proxy.
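
An added example, not part of any post above and not the posters' code: a Python approximation of the failregex from post 11, run over constructed access-log lines to show which addresses it would ban and whether an iptables ban on each could ever match a packet, which is the point argued in the last posts. Assumptions: the log_format is `combined` plus a trailing `$realip_remote_addr` field (the TCP peer), a documentation range stands in for the CDN's proxy ranges, `<HOST>` is simplified to a non-space run, and `UA_FAILREGEX` is a hypothetical stricter pattern.

```python
import ipaddress
import re

# fail2ban expands <HOST> to an address/hostname pattern; a non-space run
# is a simplification that is sufficient for access-log lines.
HOST = r"(?P<host>\S+)"
THREAD_FAILREGEX = re.compile(r"^" + HOST + r" -.*WordPress.*/")
# Hypothetical tighter variant: match only when the quoted User-Agent
# field (last quoted string on the line) starts with "WordPress/".
UA_FAILREGEX = re.compile(r'^' + HOST + r' -.*"WordPress/[^"]*" \S+$')

# Stand-in for the CDN's published proxy ranges (documentation range).
PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed lines. Assumed log_format: combined + " $realip_remote_addr".
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 444 0 "-" "WordPress/4.4.2; http://blog.example; verifying pingback from 192.0.2.1" 203.0.113.7
203.0.113.9 - - [18/Apr/2016:10:00:01 +0000] "GET / HTTP/1.1" 444 0 "-" "WordPress/4.4.2; http://site.example" 198.51.100.20
192.0.2.50 - - [18/Apr/2016:10:00:02 +0000] "GET /about HTTP/1.1" 200 512 "http://forum.example/WordPress/tips" "Mozilla/5.0 (X11; Linux x86_64)" 192.0.2.50
192.0.2.51 - - [18/Apr/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)" 192.0.2.51
"""

def banned_hosts(regex, log=SAMPLE_LOG):
    """Return {logged_host: tcp_peer} for every line the failregex matches."""
    hits = {}
    for line in log.splitlines():
        m = regex.search(line)
        if m:
            hits[m.group("host")] = line.rsplit(" ", 1)[1]
    return hits

def ban_effect(host, peer):
    """Would an iptables DROP on `host` ever see a packet from that source?"""
    if host == peer:
        return "effective"  # the client connects to this server directly
    if any(ipaddress.ip_address(peer) in net for net in PROXY_NETS):
        return "no-op: packets arrive from proxy " + peer
    return "unknown peer " + peer

def report(regex):
    """Map each host the regex would ban to the effect of that ban."""
    return {h: ban_effect(h, p) for h, p in banned_hosts(regex).items()}

if __name__ == "__main__":
    for name, rx in (("thread", THREAD_FAILREGEX), ("ua-only", UA_FAILREGEX)):
        print(name, report(rx))
```

The third sample line shows the thread's pattern also matching "WordPress" inside a Referer, which with `maxretry = 1` and `bantime = 86400` bans an ordinary visitor for a day. The second line is the proxied case: the logged address is banned, but the packets come from the proxy address, so the rule never fires.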