Apache2 is being flooded

DjTom-i

Member
Hi there,

for a few days now my server has been getting flooded again and again.

Well, I admit it: iptables is completely new territory for me, and I don't want to lock myself out either, because I have no console there ;)

I'll start slowly:

Debian 3.1
Apache 2.0.54
PHP 4.4.3

What is the best place to start?

apache2.conf
Code:
# Timeout: The number of seconds before receives and sends time out.

Timeout 60

# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.

KeepAlive On

# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.

MaxKeepAliveRequests 100

# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.

KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers ......... number of server processes to start
# MinSpareServers ...... minimum number of server processes which are kept spare
# MaxSpareServers ...... maximum number of server processes which are kept spare
# MaxClients ........... maximum number of server processes allowed to start
# MaxRequestsPerChild .. maximum number of requests a server process serves
<IfModule prefork.c>
StartServers         15
MinSpareServers      15
MaxSpareServers     150
MaxClients          150
MaxRequestsPerChild  20000
</IfModule>

I have already lowered the Timeout from 300 to 60 seconds.

Code:
max_execution_time = 30     ; Maximum execution time of each script, in seconds
max_input_time = 30 ; Maximum amount of time each script may spend parsing request data
memory_limit = 50M      ; Maximum amount of memory a script may consume (8MB)

I have now lowered max_execution_time from 90 to 30
and max_input_time from 60 to 30.

Shortly after the load has gone down,
netstat -aln | grep :80 | less
looks like this:
Code:
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4277 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4278 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:68.142.251:33426 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:3735 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:3728 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.1:22222 ::ffff:80.144.211:34291 VERBUNDEN
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:1268 VERBUNDEN
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:1264 VERBUNDEN
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:3570 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:3556 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4053 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4052 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:68.142.251:51641 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:3901 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:68.142.251:51284 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:3892 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:3383 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:68.142.249:43629 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4904 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:207.46.98.:56191 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4897 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:72.30.101.:56094 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4457 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4456 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:68.142.250:36388 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:207.46.98.:51771 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:68.142.249:40477 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:68.142.251:53332 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4697 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4696 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:1111 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:1105 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4168 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:68.142.249:43528 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:3399 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:216.255.189:4167 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:82.82.176.:65075 TIME_WAIT
tcp6       0      0 ::ffff:123.123.123.123:80  ::ffff:82.82.176.:65078 TIME_WAIT

I have replaced my host with 123.123.123.123 here.

What else do you need in terms of logs or configs?

I should add that the host/the boards is/are well visited and that it normally runs at a load of 0.6-0.8 even with 500-900 users online.

During the attack the load goes up to over 70, and netstat -a gives me a list that probably reaches all the way to Paris...

Thanks in advance.
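Added example, not part of the original post: a way to condense a netstat listing like the one above into per-peer connection counts, matching only the local port 80 instead of any `:80` substring as `grep :80` does. The function names and the sample lines (documentation addresses) are constructed for illustration; in the posted output netstat has cut off the remote addresses, so on such input the counts group by the visible prefix.

```shell
#!/bin/sh
# Constructed sample in the layout of the netstat output above
# (documentation addresses, not taken from the post).
sample_netstat() {
    cat <<'EOF'
tcp6       0      0 ::ffff:192.0.2.1:80     ::ffff:198.51.100.7:4277 TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.1:80     ::ffff:198.51.100.7:4278 TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.1:80     ::ffff:198.51.100.7:3735 TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.1:80     ::ffff:198.51.100.7:3728 TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.1:22222  ::ffff:203.0.113.5:34291 VERBUNDEN
tcp6       0      0 ::ffff:192.0.2.1:80     ::ffff:198.51.100.7:1268 VERBUNDEN
tcp6       0      0 ::ffff:192.0.2.1:80     ::ffff:198.51.100.7:1264 VERBUNDEN
tcp6       0      0 ::ffff:192.0.2.1:80     ::ffff:203.0.113.9:33426 TIME_WAIT
tcp6       0      0 :::80                   :::*                     LISTEN
EOF
}

# Read `netstat -aln` output on stdin; print "count remote state" for
# connections whose LOCAL port is exactly 80, busiest first.
# Listening sockets (remote ":::*") and other ports are skipped.
count_http_peers() {
    awk '
        $1 ~ /^tcp/ && $4 ~ /:80$/ && $5 ~ /:[0-9]+$/ {
            remote = $5
            sub(/:[0-9]+$/, "", remote)   # drop the remote port
            sub(/^::ffff:/, "", remote)   # drop the IPv4-mapped prefix
            n[remote " " $6]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2
}

# Print "total remote" for peers holding more than $1 port-80
# connections, summed over all states.
peers_over() {
    count_http_peers | awk -v limit="$1" '
        { total[$2] += $1 }
        END { for (r in total) if (total[r] > limit) print total[r], r }
    ' | sort -k1,1nr -k2,2
}

sample_netstat | count_http_peers
```

On the server itself the input would be `netstat -aln | count_http_peers`; the state column is matched as printed, so a German locale's `VERBUNDEN` is counted separately from `TIME_WAIT`.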
 
If it concerns Apache, mod_security should normally be able to help you out.

Regards,
Thilo
 