How to detect DoS attacks / manually block IP on Ubuntu?

3

1

I have a VPS with Ubuntu. I host a small website (~10 visitors at the same time). Sometimes the website starts lagging. It lags so bad that my SSH connection starts lagging too. Running top says that 2 instances of apache2 take up 50% CPU each.

I assume this is a DoS attack. I've copy-paste installed a few iptables scripts that made sense, but this has not helped.

I installed libapache2-mod-evasive -- I'm sure it blocks the attacker, but I'm still lagging.

What can I do? Can I at least find the IP of the attacker?

I have strong experience with Linux, but almost zero experience with being a server admin.

Mikhail

Posted 2011-09-14T21:55:15.643

Reputation: 1 321

Are you serving static files or dynamic content? The lag could be due to inefficient database queries when creating dynamic content. – Stacey Richards – 2011-09-15T13:53:00.547

@Stacey, content is PHP+MySQL. I agree that it could be from that, but I know for a fact that it's not. Not only do I log slow queries, but my database server is on another VPS. More importantly, CPU is used up by apache2, not mysqld. – Mikhail – 2011-09-15T15:10:03.487

Do the queries return large amounts of data that take a long time for PHP to process? Do you log script execution time in addition to query times? – Stacey Richards – 2011-09-15T15:14:31.520

Answers

3

Check the Apache access log for repeated attempts by a similar IP address, /var/log/httpd/access_log is the usual location.

You may also be interested in an automated solution such as DDoS Deflate or PSAD. I'd also strongly recommend mod_security for Apache itself.

John T

Posted 2011-09-14T21:55:15.643

Reputation: 149 037

I definitely use modsec. Are there user-friendly viewers / statistic analyzers for access_log? – Mikhail – 2011-09-15T13:01:37.490

@Mikhail there are many, AWStats being one of the bigger ones: http://awstats.sourceforge.net/ – John T – 2011-09-15T22:46:51.473
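As an added example (not part of John T's answer or the original page): a small Python script that parses access_log lines in Apache's "combined" format and reports any client whose request count inside a sliding 60-second window exceeds a threshold, which is the "repeated attempts by a similar IP" check the answer describes. The sample log lines, IP addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log line: client IP, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, datetime) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")

def find_noisy_clients(lines, window_seconds=60, threshold=5):
    """Map each IP to its peak request count inside any window of window_seconds,
    keeping only clients whose peak exceeds threshold."""
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            stamps[parsed[0]].append(parsed[1])
    noisy = {}
    for ip, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # shrink the window from the left until it spans at most window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            noisy[ip] = peak
    return noisy

# Constructed sample access_log lines (documentation IP ranges, not real clients)
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2011:22:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.4 - - [14/Sep/2011:22:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [14/Sep/2011:22:01:03 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [14/Sep/2011:22:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [14/Sep/2011:22:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [14/Sep/2011:22:01:20 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [14/Sep/2011:22:01:30 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.4 - - [14/Sep/2011:22:01:40 +0000] "GET /about.php HTTP/1.1" 200 2048
203.0.113.7 - - [14/Sep/2011:22:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120
""".splitlines()
```

Run it against a real file with `find_noisy_clients(open("/var/log/apache2/access.log"))` (Ubuntu's default path; the answer's `/var/log/httpd/access_log` is the Red Hat layout) and tune the threshold to your normal traffic before treating a flagged address as an attacker.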

0

Have you hardened Apache or your OS?

Are you able to post any logs?

This may help a bit.

http://httpd.apache.org/docs/2.0/misc/security_tips.html

Bernie White

Posted 2011-09-14T21:55:15.643

Reputation: 140

-1

I can't suggest enough Fail2ban. It is a daemon that runs in the background and monitors all of your log files for suspicious activity and blocks the suspicious activity based on the log file errors. This means you must create the error log files in the first place, for web servers you can usually do this. I've done it for NGINX just recently, but I'm sure there's a similar directive for Apache.

ntk4

Posted 2011-09-14T21:55:15.643

Reputation: 99