
Nginx Nginx down when DDoS

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Oxide, Apr 18, 2016.

  1. pamamolf

    pamamolf Premium Member Premium Member

    yes :)

    Just looking for a way to try to stop layer 7 attacks :)
     
  2. Revenge

    Revenge Active Member

    I don't use email alerts with fail2ban. I don't see a need for it.

    I have alerts configured for load though. If the load of my server rises to a set value, it will send me an email.
     
  3. pamamolf

    pamamolf Premium Member Premium Member

    Using a third-party alert system or do you do it on the server?
     
  4. cloud9

    cloud9 Active Member

    Just google "high server load email alert bash script" - quite a few out there
     
  5. Revenge

    Revenge Active Member

    I use New Relic ;)
     
  6. cloud9

    cloud9 Active Member

    Amplify is nice for Nginx
     
  7. eva2000

    eva2000 Administrator Staff Member

  8. cloud9

    cloud9 Active Member

    I used to use nodequery, gave up with it in the end, too many false positives and found it unreliable. Found Amplify so far to be excellent, just waiting for it to become paid for (like Mandrill did)
     
  9. eva2000

    eva2000 Administrator Staff Member

    yeah nodequery has more false positives for downtime alerts but rest is okay i.e. cpu/mem etc

    nixstats i like the most :)
     
  10. eva2000

    eva2000 Administrator Staff Member

  11. pamamolf

    pamamolf Premium Member Premium Member

    Nixstats is looking good but the site is very slow :(
     
  12. Simon Brown

    Simon Brown Member

    Hi People,
    Just want to let people know the Pinterest Bot is insane these days. It was using a tonne of CPU as it crawled a couple of sites. In fact, it ended up being blocked by Cloudflare. I've included it in the bot filter and set it to '2' so I'll keep monitoring it.

    This is a great command you can try if you are/have been/or suspect you've been Brute Force/DDoS attacked.

    View top 20 URLs being hit on ALL your websites by single IPs:
    grep "`date +%d/%b/%Y`" /home/nginx/domains/*/log/access.log | awk '{print $1, $6 "" $7}' | sort | uniq -c | sort -gr | head -n 20

    Using the above command will show something like this:

    Hits | Access log | IP | URL Request

    • 14922 /home/nginx/domains/{domain.com}/log/access.log:5.8.18.14 "GET/rss/catalog/notifystock/
    • 9780 /home/nginx/domains/{domain.com}/log/access.log:85.93.20.66 "GET/rss/catalog/notifystock/
    • 5520 /home/nginx/domains/{domain.com}/log/access.log:181.214.87.21 "GET/rss/catalog/notifystock/

    As you can see I was hit by a known attack on a known Magento Brute Force Attack URL. Then you can check the suspicious IPs here before you block them:
    5.8.18.14 | CloudBS Ltd. | AbuseIPDB
     
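An added example, not part of the post above: the same per-IP, per-URL count done in a single awk pass, going a little further than the one-liner by matching the date only in the timestamp field, folding query-string variants of a URL together, and reporting only pairs at or above a hit threshold. It assumes nginx's default combined log format; the function names `top_offenders` and `make_sample_log` are hypothetical, and the sample log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): per-IP, per-URL hit counts for
# one day from nginx access logs in the combined format, with a threshold.

# top_offenders DAY MIN_HITS FILE...
#   DAY is in access-log form, e.g. "$(date +%d/%b/%Y)".
#   Prints "hits ip method path", highest first, for pairs with >= MIN_HITS.
top_offenders() {
    day=$1; min=$2; shift 2
    awk -v day="$day" -v min="$min" '
        # $4 looks like "[18/Apr/2016:10:00:01"; match the date only there so
        # a date string inside a URL or referrer cannot count as a hit.
        index($4, "[" day ":") == 1 {
            method = substr($6, 2)      # drop the leading quote of "GET
            path = $7
            sub(/[?].*/, "", path)      # fold query-string variants together
            hits[$1 " " method " " path]++
        }
        END {
            for (k in hits) if (hits[k] >= min) print hits[k], k
        }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample log (addresses are documentation ranges, not real hosts).
make_sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf '%s - - [18/Apr/2016:10:00:%02d +0000] "GET /rss/catalog/notifystock/?p=%d HTTP/1.1" 401 0 "-" "-"\n' 203.0.113.7 "$i" "$i"
        i=$((i + 1))
    done
    printf '%s\n' \
      '198.51.100.9 - - [18/Apr/2016:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"' \
      '203.0.113.7 - - [17/Apr/2016:23:59:59 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 0 "-" "-"' \
      '198.51.100.9 - - [18/Apr/2016:10:02:00 +0000] "GET /search?q=18/Apr/2016 HTTP/1.1" 200 90 "-" "-"'
}

sample=$(mktemp)
make_sample_log > "$sample"
top_offenders "18/Apr/2016" 10 "$sample"
rm -f "$sample"
```

On a live server the call would be `top_offenders "$(date +%d/%b/%Y)" 1000 /home/nginx/domains/*/log/access.log`, with the threshold chosen to sit well above normal per-client traffic for the site.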
  13. eva2000

    eva2000 Administrator Staff Member
