Portal Home > Knowledgebase > Articles Database > Daily Mini DDos ...please help!
Daily Mini DDos ...please help!
| Posted by Mauricio Grizales, 11-28-2009, 12:55 AM |
| Hi,
Every day, from different ips (about 10) someone runs an automated process:
POST /index.php?name=PNphpBB2&file=posting&sid=d5e111ff4 ea419eb (this id change)
What can I do to block it? Each day is connected with 10 different ips, and I manually lock from the CSF but can not do it every day.
It is possible that the CSF firewall to block any entrance to this url. (this is no more!)
Thank you!
Mauricio
|
| Posted by ksv2nash, 11-28-2009, 03:35 AM |
| Hi,
have done seting in CSf like following
Once CSF/LFD gets installed, edit the configuration file of CSF:
cd /etc/csf
vi csf.conf
And make CSF active by editing the file and putting a '0' in line:
TESTING = "1"
Save the file and exit the file.
The main part: Remove APF/BSD off the server by executing the command from: /etc/csf
sh /etc/csf/remove_apf_bfd.sh
Once done, restart CSF firewall to activiate it.
And if u done this then install following tools to protect from DDOS
Install Securenobody, chrootkit & Rkhunter
So your server will be more secure..
|
| Posted by mellow-h, 11-28-2009, 04:19 AM |
| It can be because that site is having a traffic hike. 10 Different IPs, don't seem to be a ddos to me.
|
| Posted by Mauricio Grizales, 11-28-2009, 09:18 AM |
| Hi,
Thanks but the problem is that just do not want to manually block these ips daily. mellow-h 10 ips running lots of POST requests take down the machine.
Thanks!
|
| Posted by ddosguru, 11-28-2009, 02:48 PM |
| Get someone familiar with shell scripting to write a cron that will pick these out of your access.log and add them to iptables.
|
| Posted by PeakVPN-KH, 11-28-2009, 08:55 PM |
| Create a block with .htaccess....
If you know the 10 IP's you could just block those as well. You don't have to do it daily unless you're rebooting every day, at that point just create a firewall script.
|
| Posted by Ankheg, 11-28-2009, 09:47 PM |
| This is for a forum, right? Running on Apache?
Make a rewrite rule which blocks all POST requests that don't have the domain.tld in the referer field.
|
| Posted by soulhunter, 11-29-2009, 01:14 AM |
| Hi!
Maybe not DDoS, maybe an attempt to spam your forum (assuming it is a forum). it is very common.
Now, about the "take down the machine", you should verify the configuration of the services, according to the size of the server (ie, optimize your server).
I this helps,
Ildefonso Camargo
|
| Posted by bizness, 11-29-2009, 01:22 AM |
| do you see 1000s of connections from these random IPs?
|
Add to Favourites 
Print this Article
Also Read
