
Is there any standard way to prevent shared web servers from being abused? I run a CPanel box with a few people on it, and I get the occasional person that decides to use it to DoS other websites. My current 'detection' involves looking at Munin graphs for traffic spikes, then poking around on the machine until I find the cause.

Is there any software out there to detect attacks as they happen?

I run the following:
  • LMD - http://www.rfxn.com/projects/linux-malware-detect/
  • ClamScan

These do an okay job of detecting your standard C99 shell or commonly used DoS scripts, but they don't detect any sort of custom stuff.

Tom O'Connor
devicenull
  • Time to get a better class of client. – John Gardeniers Dec 15 '10 at 02:38
  • Seriously, if you have a contractual agreement with them you can take a non-technical vector and either approach the hosting provider and see if they will suspend their account for violating their TOS (which a DDoS hopefully does). If you're in control, well, `rm -r /home/offending_user` ;) – msanford Dec 17 '10 at 02:26
  • Before I can rm -rf them, I have to know they are abusing stuff. I am the hosting provider in this case. Dealing with them once I find them is the easy part. – devicenull Dec 17 '10 at 03:01

2 Answers


I think you're looking for an Intrusion Detection System (IDS), or maybe an Intrusion Prevention System (IPS). Have you looked at Snort?

JakeRobinson
  • My understanding was that IDS/IPS was mainly focused on inbound traffic. The box isn't actually being compromised; people are voluntarily uploading scripts that run DoS attacks. – devicenull Dec 15 '10 at 02:42
  • You can do both ingress and egress filtering. – JakeRobinson Dec 15 '10 at 05:26

CSF/LFD (http://www.configserver.com/cp/csf.html) are fantastic (and free!) and work great with cPanel boxes. It also works just fine on non-cPanel boxes.

Takes less than 5 minutes to set up on your existing box. Tweak the defaults for your environment and it'll automatically block IPs and/or kill processes that go beyond the bounds you set, and send you an email of what it did.

PJunior
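As an added example (not code from either answer, nor from CSF/LFD), here is the egress-side check JakeRobinson's comment and PJunior's answer point at: outbound sockets grouped by owning uid, so the abusing account and its process are identified instead of found by poking around. The dump format, uids, addresses and thresholds are all constructed or assumed.

```python
"""Flag shared-hosting tenants whose outbound socket pattern looks like a flood."""
from collections import defaultdict

# Constructed dump, one socket per line as "uid pid state local remote".
# Assumption: a cron job writes this from `ss -tunp`; here it is hand-written.
SAMPLE_DUMP = "\n".join(
    [
        "0    812  ESTAB    203.0.113.10:22    198.51.100.9:52100",  # sshd, system uid
        "1001 4321 ESTAB    203.0.113.10:44321 198.51.100.5:443",   # normal site traffic
        "1001 4321 ESTAB    203.0.113.10:44322 198.51.100.5:443",
    ]
    # Tenant 1002: 40 half-open sockets to one host, the shape of a flood script.
    + [f"1002 5555 SYN-SENT 203.0.113.10:{50000 + i} 192.0.2.77:80" for i in range(40)]
)


def parse_dump(text):
    """Return (uid, pid, state, remote_host) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, blank line or truncated record
        uid, pid, state, _local, remote = parts
        rows.append((int(uid), int(pid), state, remote.rsplit(":", 1)[0]))
    return rows


def flag_users(rows, max_conns=30, max_half_open=10, min_tenant_uid=1000):
    """Group sockets by owning uid; flag tenants above the (assumed, tunable) bounds."""
    stats = defaultdict(lambda: {"conns": 0, "half_open": 0, "pids": set(), "dsts": set()})
    for uid, pid, state, dst in rows:
        if uid < min_tenant_uid:
            continue  # system daemons are not tenants
        s = stats[uid]
        s["conns"] += 1
        s["pids"].add(pid)
        s["dsts"].add(dst)
        if state == "SYN-SENT":
            s["half_open"] += 1  # target not answering: unreachable or overwhelmed
    flagged = {}
    for uid, s in stats.items():
        reasons = []
        if s["conns"] > max_conns:
            reasons.append(f"{s['conns']} outbound sockets (limit {max_conns})")
        if s["half_open"] > max_half_open:
            reasons.append(f"{s['half_open']} half-open sockets (limit {max_half_open})")
        if reasons:
            flagged[uid] = {"pids": sorted(s["pids"]), "dsts": sorted(s["dsts"]), "reasons": reasons}
    return flagged
```

On the sample dump `flag_users(parse_dump(SAMPLE_DUMP))` returns only uid 1002 with pid 5555 and destination 192.0.2.77, which is what you would hand to a kill or suspend step.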