Apache server running at nearly 100% - apache

We have just moved our web apps to a self-hosted site on DigitalOcean, vs. our previous web host. The instance is getting hammered by RPMs according to New Relic, but we are seeing very few page views. Throughput RPMs are around the 400 rpm stage, whereas we only have about 1 page view per minute.
When I look at the access log it is getting hammered with what I am guessing are spambots, trying to access the non-existent downloads folder. It's causing my CPU to run at 95%, even though nothing is actually happening.
How can I stop this spamming access?
So far I have created a downloads folder and put a "Deny All" in an .htaccess file in it. That appeared to cool things down, but now it's getting worse again (hence the desperate post).

Find a pattern of malevolent requests and restrict the IP they are coming from.
Require a hashed header to be provided for each request to verify the identity of the person/group wanting access.
Restrict more than N downloads to any IP over M time threshold.
Distribute traffic load via DNS proxying to multiple hosts/web servers.
Switch to NGINX. NGINX is more performant than Apache in most cases with "high-levels" of requests. See Digital Ocean's article --> https://www.digitalocean.com/community/tutorials/apache-vs-nginx-practical-considerations.
Make sure your firewall employs a whitelist of hosts/ports. NOT *

I'd use iptables to drop any connection from the spam bot IP addresses.
Find which IPs are connected to your Apache server:
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
You should get something like:
20 49.237.134.0
10 31.187.6.0
15 166.137.246.0
Once you find the bot IP addresses (probably the ones with the higher number of connections), use iptables to DROP further connections:
iptables -A INPUT -s 49.237.134.0 -p tcp --destination-port 80 -j DROP
iptables -A INPUT -s 31.187.6.0 -p tcp --destination-port 80 -j DROP
iptables -A INPUT -s 166.137.246.0 -p tcp --destination-port 80 -j DROP
Note:
Make sure you're not dropping connections from search engine bots like Google, Yahoo, etc.
You can use www.infobyip.com to get detailed information about a specific IP address.
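Since the question is about a flood of requests to a non-existent downloads folder, the access log is the more direct place to find the offenders than netstat. The script below is an added example (not part of the answer above): it parses constructed Apache combined-log lines, counts 404s under /downloads per client IP, skips a constructed allowlist standing in for crawler ranges you have verified yourself, and prints DROP rules in the same form as the answer's iptables lines.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache combined log: client IP, identd, user, [time], "METHOD path proto", status, bytes, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines; the IPs are the ones quoted in the answer, not real log data.
SAMPLE_LOG = """\
49.237.134.0 - - [10/Oct/2016:13:55:36 +0000] "GET /downloads/a.zip HTTP/1.1" 404 209 "-" "-"
49.237.134.0 - - [10/Oct/2016:13:55:36 +0000] "GET /downloads/b.zip HTTP/1.1" 404 209 "-" "-"
49.237.134.0 - - [10/Oct/2016:13:55:37 +0000] "GET /downloads/c.zip HTTP/1.1" 404 209 "-" "-"
31.187.6.0 - - [10/Oct/2016:13:55:38 +0000] "GET /downloads/x.rar HTTP/1.1" 404 209 "-" "-"
31.187.6.0 - - [10/Oct/2016:13:55:38 +0000] "GET /downloads/y.rar HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [10/Oct/2016:13:55:39 +0000] "GET /downloads/z HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [10/Oct/2016:13:55:40 +0000] "GET /downloads/w HTTP/1.1" 404 209 "-" "-"
198.51.100.9 - - [10/Oct/2016:13:55:42 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
"""

# Constructed allowlist: put the crawler ranges you have checked (whois, infobyip) here.
ALLOWLIST = [ip_network("203.0.113.0/24")]

def count_offenders(log_text, path_prefix="/downloads", status="404"):
    """Count requests per client IP that hit path_prefix and got the given status."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined-log format
        ip, path, code = m.groups()
        if path.startswith(path_prefix) and code == status:
            counts[ip] += 1
    return counts

def is_allowlisted(ip):
    return any(ip_address(ip) in net for net in ALLOWLIST)

def drop_rules(counts, threshold):
    """Return iptables DROP rules for IPs at/over threshold, skipping the allowlist."""
    rules = []
    for ip, n in counts.most_common():
        if n >= threshold and not is_allowlisted(ip):
            rules.append(f"iptables -A INPUT -s {ip} -p tcp --destination-port 80 -j DROP")
    return rules

if __name__ == "__main__":
    for rule in drop_rules(count_offenders(SAMPLE_LOG), threshold=2):
        print(rule)
```

Review the printed rules before applying them; a real run would read /var/log/apache2/access.log (or your distribution's path) instead of SAMPLE_LOG.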

Related

Can autossh be used to monitor "ssh -D" local dynamic port forwarding (SOCKS proxy)? If so, how? If not, alternatives?

When I'm teleworking, I need to access some internal web servers. I use ssh -f -N -D 4000 someserver.mywork.com on my home computer to set up local dynamic port forwarding. Then, I configure my web browser to use localhost port 4000 as a SOCKS host, and everything works great, even with HTTPS.
The problem is that the proxy stops working every couple of days. When this happens, the ssh process prints messages like the following:
accept: Too many open files
In this scenario, I have to kill the ssh process and restart it in order to get it working again. Based on my research into this error message, I could increase the limit on the number of open files, but that doesn't seem like a permanent or an ideal solution.
I was hoping autossh might be able to monitor the connection and restart it automatically. Is that possible?
I have tried the following command:
autossh -f -M 0 -N -D 4000 someserver.mywork.com
But it didn't work. The proxy stopped working, and autossh did not restart it. Any suggestions or alternative solutions to automatically restarting my ssh proxy?

TCP flood attack not working with hping3

I want to do a DoS attack on a website in my virtual machine. I use hping3 for that.
sudo hping3 -i u1 -S -c 9999999999 192.168.58.3
At this IP address I have an Apache server and DVWA. When I enter this IP address in the browser I see two folders: DVWA and html. When I choose DVWA I see the website.
My problem is that although I use hping3 for the attack and I want the website to go down, the website does not go down, and when I ping this IP address the TTLs look the same as when no attack is occurring. I searched a lot and did everything I could think of. I don't know what the problem is. Please help me. Thanks.
Try this:
$ sudo hping3 -i u1 -S -p 80 192.168.58.3
-S: set the SYN flag
-p 80: target port 80
-i u1: wait 1 microsecond between each packet
This would send TCP SYN packets to 192.168.58.3.

iptables still blocking server, even after removing

I'm having a bit of an issue with a Virtual Machine (VM) I have. Basically, I was trying to log into FTP on my web-server, but forgot the logins. As such, it has now blocked the VM's IP. I found it with:
iptables -L -n --line | grep "xxxxx"
Turns out it was blocked in the ALLOWIN and ALLOWOUT chains. So, I removed it with:
iptables -D ALLOWIN -s x.x.x.x -j DROP
iptables -D ALLOWOUT -s x.x.x.x -j DROP
Then saved the config:
service iptables save
I even tried a restart, using:
/etc/init.d/iptables restart
Then I try it on the VM, but it times out:
D:\Users\Andy>ping chambresdhotes.org
Pinging chambresdhotes.org [216.38.63.234] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 216.38.63.234:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
I'm at a bit of a loss as to what else I can try. Any suggestions are much appreciated.
FWIW, I have also done an:
iptables -L | grep 123.123.123.123
...but it gives no results (which I assume means there are no matching rules!)
OK, I'm deciding whether I should delete this question or not, but I think it may be good to leave it up, in case anyone else has a similar issue.
I found the problem. The VM is with Amazon, so I thought I'd just do a search for "amazon" in the iptables -L output. Turned out there was an IP that was blocked:
LOGDROPOUT all -- anywhere ec2-52-210-49-189.eu-west-1.compute.amazonaws.com
I removed that one from both the DENYIN and DENYOUT, saved + restarted iptables, and voila... it works now!

Count connections using netstat on cPanel user through ssh

I want to know how many connections there are active to my site, which is on a shared hosting account.
The hosting provider is using cPanel and I can access it through ssh.
The problem is if I run the command:
netstat -tuna | wc -l
It returns a wild 2555 connection count, but when I go to google analytics and access the real time section, there are only 15-20 users active.
My question is: are those 2555 connections to my site, or to the server as a whole regardless of the user I am using to run the command? (I don't have root access.)
Your netstat command is showing all connections of your server, NOT only Apache connections. If you want to check only Apache connections, you will have to use the following command.
netstat -anp |grep 80 |wc -l
But with the above command you will get the total number of Apache connections. Your site is hosted on a shared server and due to that you cannot check your site's connections.
To check your site's connections you will have to assign a dedicated IP to your site and use that IP in the above command to check your site's Apache connections:
netstat -anp |grep 80 |grep 1.1.1.1 | wc -l
Thanks
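To make the distinction in the answer above concrete (all connections vs. port 80 vs. one dedicated IP), here is an added example that is not from the answer: it parses constructed `netstat -tuna` output by column, so only rows whose local port is 80 are counted (a row for port 8080 or an address containing "80" is not), optionally limited to one local IP and to chosen TCP states.

```python
# Constructed sample of `netstat -tuna` output (header lines included); not real server data.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 1.1.1.1:80              198.51.100.5:51234      ESTABLISHED
tcp        0      0 1.1.1.1:80              198.51.100.6:51235      TIME_WAIT
tcp        0      0 203.0.113.2:80          198.51.100.7:44321      ESTABLISHED
tcp        0      0 203.0.113.2:443         198.51.100.8:44322      ESTABLISHED
tcp        0      0 203.0.113.2:8080        198.51.100.9:44323      ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, state) for each socket row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # skips the two header lines
        local_ip, local_port = parts[3].rsplit(":", 1)
        remote_ip = parts[4].rsplit(":", 1)[0]
        state = parts[5] if len(parts) > 5 else ""  # udp rows carry no state column
        yield parts[0], local_ip, int(local_port), remote_ip, state

def count_web_connections(text, port=80, local_ip=None, states=("ESTABLISHED",)):
    """Count TCP rows whose local port equals `port`, optionally restricted to one
    local IP (the dedicated-IP case from the answer) and to the given states."""
    n = 0
    for proto, lip, lport, _rip, state in parse_netstat(text):
        if proto.startswith("tcp") and lport == port and state in states:
            if local_ip is None or lip == local_ip:
                n += 1
    return n

if __name__ == "__main__":
    print("established on :80      :", count_web_connections(SAMPLE_NETSTAT))
    print("established on 1.1.1.1:80:", count_web_connections(SAMPLE_NETSTAT, local_ip="1.1.1.1"))
```

On a real host, replace SAMPLE_NETSTAT with the output of `subprocess.run(["netstat", "-tuna"], capture_output=True, text=True).stdout`; a plain line count like `wc -l` also includes the two header lines and LISTEN sockets.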

Load balancing with the --random option in iptables

I'm doing some load balancing testing with iptables by doing some port redirects on several ports on my server. I'm a bit curious how the --random option works with the REDIRECT target.
Is it using some kind of round-robin algorithm? There doesn't seem to be any info about this in the man pages.
This is the iptables rule I'm using right now:
-A PREROUTING -d 10.10.10.1/32 -i eth0 -p udp -m udp --dport 5000 -j REDIRECT --to-ports 1194-1197 --random
Also, will using this iptables rule take up a lot of performance on the server? I will have a lot of traffic passing through the server.
The distribution is truly random, and it should not eat many resources by itself.
I am afraid about the utility of this spreading. Do you have e.g. 4 CPUs and 4 processes, each one listening to one port in 1194-1197 range?