Nginx Nginx down when DDoS

Revenge · May 2, 2016

@pamamolf im on the phone, but i'll give you my configuration when i get home. Basically, it bans every ip that makes a request using the WordPress user agent. Like @Oxide said, in very big attacks, the ip's making requests are faster than the ability of fail2ban to ban them. But it will ban all of them after some time.

@Oxide another way to protect and if you have the money, is to buy the pro version of cloudflare that costs 20$. Their WAF protection will absorb the xmlrpc attack.

Oxide · May 2, 2016

Revenge said: ↑

@pamamolf im on the phone, but i'll you my configuration when i get home. Basically, it bans every ip that makes a request using the WordPress user agent. Like @Oxide said, in very big attacks, the ip's making requests are faster than the ability of fail2ban to ban them. But it will ban all of them after some time.

@Oxide another way to protect and if you have the money, is to buy the pro version of cloudflare that costs 20$. Their WAF protection will absorb the xmlrpc attack.
Click to expand...

Yeah, but blocking user-agents should work fine (returning 444) however nginx goes down. Rather not spend a extra $20/m since something is wrong with centmin - before doing that i would start using VestaCP..

I am having issues understanding what could prevent the requests from coming through? It's like something blocks it before nginx gets impacted.. Nginx never crash, never experienced such issue before.

eva2000 · May 2, 2016

you using 444 return status on both non-centmin mod and centmin mod nginx servers ? as that is exactly what 444 is meant to do = close nginx connections before nginx even responds to them

Oxide · May 2, 2016

eva2000 said: ↑

you using 444 return status on both non-centmin mod and centmin mod nginx servers ? as that is exactly what 444 is meant to do = close nginx connections before nginx even responds to them
Click to expand...

Correct. But that wouldn't block normal traffic too? And time out.. I have issues connecting to FTP for example, not sure if nginx/ftp is tied together.

eva2000 · May 2, 2016

Oxide said: ↑

Correct. But that wouldn't block normal traffic too? And time out.. I have issues connecting to FTP for example, not sure if nginx/ftp is tied together.
Click to expand...

nothing ties nginx and ftp so it's something else

Revenge · May 2, 2016

@Oxide if the attack is really big, the cpu will go anyway to 100%. That attack i received yesterday with 8000 servers making many requests per seconds each one of them, put each of the 8 cpu threads at 100%, even though nginx was returning 444 to them. Nginx will still receive those request

Oxide · May 2, 2016

eva2000 said: ↑

nothing ties nginx and ftp so it's something else
Click to expand...

Yeah. I had issues connecting to FTP, couldn't connect at all during the attack. Neither any of my websites.. CPU? It used 0% CPU usage.

On my other non-centmin server, where i only had nginx (No other services) 444 gave me 100% CPU Usage - but site didn't go down.

eva2000 · May 2, 2016

have you tried installing centmin mod 123.09beta01 ? or already tried ?

Oxide · May 2, 2016

eva2000 said: ↑

have you tried installing centmin mod 123.09beta01 ? or already tried ?
Click to expand...

no, but i will try

Ahmad · May 2, 2016

I added you on skype btw. @Oxide

Revenge · May 2, 2016

pamamolf said: ↑

@Revenge

What fail2ban rules do you use and you are able to catch the attacks?

Can you post the config?
Click to expand...

Filter:
Code:
[Definition]

failregex = ^<HOST> -.*WordPress.*/
Jail:
Code:
[pingback]
enabled = true
port = http,https
filter = pingback
logpath = /path/to/your/access.log
backend  = polling
journalmatch =
maxretry = 1
findtime = 1
bantime = 86400
action = iptables-allports

Oxide · May 2, 2016

Revenge said: ↑
Filter:
Code:
[Definition]

failregex = ^<HOST> -.*WordPress.*/
Jail:
Code:
[pingback]
enabled = true
port = http,https
filter = pingback
logpath = /path/to/your/access.log
backend  = polling
journalmatch =
maxretry = 1
findtime = 1
bantime = 86400
action = iptables-allports
Click to expand...
This will not work with CloudFlare sadly.

I used to use this: Redis based IP blacklist for Nginx (LUA) · GitHub

It worked fine, redis is pretty quick.

To be more specific, i used this to limit requests using fail2ban.. I limited php requests to 15 or so.

Revenge · May 2, 2016

Why won't work behind Cloudflare? If Cloudflare sends the real IP to your server, i don't see why it wouldn't work.

Oxide · May 2, 2016

Revenge said: ↑

Why won't work behind Cloudflare? If Cloudflare sends the real IP to your server, i don't see why it wouldn't work.
Click to expand...

IP Tables does not work with nginx, the real ip is only within web server - so iptables will see cf ip's..

Oxide · May 2, 2016

eva2000 said: ↑

have you tried installing centmin mod 123.09beta01 ? or already tried ?
Click to expand...

Yes. Same issue!

nginx version: nginx/1.9.15 @ 123.09beta01

Oxide · May 2, 2016

eva2000 said: ↑

have you tried installing centmin mod 123.09beta01 ? or already tried ?
Click to expand...

And here is a $5.00 USD (DigitalOcean VPS - 1 Core - 512MB Ram). It does not run centmin and can stand online completely fine.

Reached nearly 10k r/s - same attack on centmin crashes it or something weird happens

eva2000 · May 2, 2016

Oxide said: ↑

IP Tables does not work with nginx, the real ip is only within web server - so iptables will see cf ip's..
Click to expand...

Then you're doing it incorrectly as you missed Getting Started Guide step 4 and setting correct real ip via nginx module config at Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS

Revenge · May 2, 2016

Oxide said: ↑

IP Tables does not work with nginx, the real ip is only within web server - so iptables will see cf ip's..
Click to expand...

Fail2ban will get th IP in the Access Log. That log is populated by Nginx with the real ip address

Oxide · May 2, 2016

eva2000 said: ↑

Then you're doing it incorrectly as you missed Getting Started Guide step 4 and setting correct real ip via nginx module config at Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS
Click to expand...

No. You don't know how it works then, iptables does not communicate with nginx to show the real IP. Run tcpdump to confirm this your self.

Oxide · May 2, 2016

Revenge said: ↑

Fail2ban will get th IP in the Access Log. That log is populated by Nginx with the real ip address
Click to expand...

Sure, but iptables won't block it It will be cloudflare ip still - means the traffic will still go through cloudflare like a proxy..

Log in / Register

Forums

Welcome to Centmin Mod Community

Nginx Nginx down when DDoS

Revenge Active Member

Oxide Active Member

eva2000 Administrator Staff Member

Oxide Active Member

eva2000 Administrator Staff Member

Revenge Active Member

Oxide Active Member

eva2000 Administrator Staff Member

Oxide Active Member

Ahmad Active Member

Revenge Active Member

Oxide Active Member

Revenge Active Member

Oxide Active Member

Oxide Active Member

Oxide Active Member

eva2000 Administrator Staff Member

Revenge Active Member

Oxide Active Member

Oxide Active Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

Nginx Nginx down when DDoS

Revenge Active Member

Oxide Active Member

eva2000 Administrator Staff Member

Oxide Active Member

eva2000 Administrator Staff Member

Revenge Active Member

Oxide Active Member

eva2000 Administrator Staff Member

Oxide Active Member

Ahmad Active Member

Revenge Active Member

Oxide Active Member

Revenge Active Member

Oxide Active Member

Oxide Active Member

Oxide Active Member

eva2000 Administrator Staff Member

Revenge Active Member

Oxide Active Member

Oxide Active Member

.