Botnet / DDoS Attack

#1
I can't seem to fight off these attacks for nothing. As soon as I ban IPs manually with csf, more come, and it's crazy. The firewall is banning them and I'm banning them; I get the load down a little bit and then it just spikes back up..... I have already set all the mass connections and everything.

top - 14:59:22 up 9:32, 2 users, load average: 6.40, 7.88, 8.12
Tasks: 115 total, 2 running, 113 sleeping, 0 stopped, 0 zombie
Cpu(s): 53.8% us, 15.4% sy, 0.0% ni, 30.8% id, 0.0% wa, 0.0% hi,
Mem: 2074940k total, 1243580k used, 831360k free, 91508k buff
Swap: 2031608k total, 0k used, 2031608k free, 864276k cach

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
16641 nobody 16 0 21972 7932 3916 S 45.6 0.4 0:01.70 lsphp
3133 mysql 15 0 124m 25m 3992 S 22.8 1.3 19:57.57 mysqld
4813 root 15 0 2364 988 764 R 7.6 0.0 0:02.82 top
1 root 16 0 2500 548 468 S 0.0 0.0 0:00.68 init
2 root 34 19 0 0 0 S 0.0 0.0 0:00.01 ksoftirq
3 root 5 -10 0 0 0 S 0.0 0.0 0:00.03 events/0
4 root 8 -10 0 0 0 S 0.0 0.0 0:00.01 khelper
5 root 15 -10 0 0 0 S 0.0 0.0 0:00.00 kacpid
20 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kblockd/
21 root 15 0 0 0 0 S 0.0 0.0 0:00.00 khubd
38 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pdflush
39 root 15 0 0 0 0 S 0.0 0.0 0:01.74 pdflush
40 root 25 0 0 0 0 S 0.0 0.0 0:00.00 kswapd0
41 root 10 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
187 root 25 0 0 0 0 S 0.0 0.0 0:00.00 kseriod
412 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 ata/0
413 root 7 -10 0 0 0 S 0.0 0.0 0:00.00 ata_aux
428 root 15 0 0 0 0 S 0.0 0.0 0:15.08 kjournal
1595 root 6 -10 3020 448 360 S 0.0 0.0 0:00.01 udevd
2019 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 kauditd
2131 root 21 0 0 0 0 S 0.0 0.0 0:00.00 kjournal
2691 root 0 -20 0 0 0 S 0.0 0.0 0:00.96 loop0
2692 root 15 0 0 0 0 S 0.0 0.0 0:00.20 kjournal
2947 root 15 0 2404 536 448 S 0.0 0.0 0:08.26 syslogd
2951 root 16 0 2040 384 320 S 0.0 0.0 0:00.14 klogd
2969 root 16 0 2060 296 236 S 0.0 0.0 0:00.02 courierl
2970 root 16 0 3840 616 500 S 0.0 0.0 0:00.00 authdaem
2999 root 16 0 3840 376 248 S 0.0 0.0 0:00.06 authdaem
3000 root 16 0 3840 376 248 S 0.0 0.0 0:00.06 authdaem
3001 root 16 0 3840 376 248 S 0.0 0.0 0:00.05 authdaem
3002 root 15 0 3840 380 252 S 0.0 0.0 0:00.05 authdaem
3003 root 16 0 3840 376 248 S 0.0 0.0 0:00.05 a
---------------------


Also, some customers are trying to run cron jobs, and they're not seeming to run unless they execute them from their computer.
iwget -O pgame_cron1 http://www.thedunewars.net/pptcron123456.php

that is the cron they are trying to run.
 

mistwang

LiteSpeed Staff
#2
Maybe you need to build your own lsphp binary to include all required PHP modules. Check out our wiki for tutorials.

You can write a shell script, or use whatever scripting language you prefer, to parse lsws/logs/error.log, looking for IP addresses that hit the "Connection hard limit", and automatically ban those IPs with the firewall. You can also ban IPs that hit the "Soft Limit", but there might be false alarms.
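
One way to do the log parsing described in the reply above, as an added example that is not part of the thread and not LiteSpeed's own tooling. The log line layout, the sample lines, the threshold and the allowlist are assumptions; only hard-limit hits are counted, and the `csf -d` commands are printed for review rather than executed.

```shell
#!/usr/bin/env bash
# Added example, not LiteSpeed's own script. ASSUMPTION: a hard-limit line has
# the client IPv4 right after "[" and contains "connection hard limit"; the
# sample lines below are constructed, so compare with your own error.log.
THRESHOLD=${THRESHOLD:-3}            # hard-limit hits before an IP is listed
ALLOWLIST=${ALLOWLIST:-"127.0.0.1"}  # space-separated IPs that are never listed

sample_log() {  # constructed sample input (documentation address ranges)
cat <<'EOF'
2007-11-08 15:01:12.101 NOTICE [203.0.113.7] Reached per client connection hard limit: 20, close connection!
2007-11-08 15:01:12.340 NOTICE [203.0.113.7] Reached per client connection hard limit: 20, close connection!
2007-11-08 15:01:13.002 NOTICE [198.51.100.23] Reached per client connection soft limit: 10
2007-11-08 15:01:13.518 NOTICE [203.0.113.7] Reached per client connection hard limit: 20, close connection!
2007-11-08 15:01:14.044 NOTICE [192.0.2.50] Reached per client connection hard limit: 20, close connection!
2007-11-08 15:01:14.090 NOTICE [127.0.0.1] Reached per client connection hard limit: 20, close connection!
2007-11-08 15:01:14.100 NOTICE [127.0.0.1] Reached per client connection hard limit: 20, close connection!
2007-11-08 15:01:14.110 NOTICE [127.0.0.1] Reached per client connection hard limit: 20, close connection!
2007-11-08 15:01:15.700 NOTICE [999.1.1.1] Reached per client connection hard limit: 20, close connection!
EOF
}

# Read log text on stdin; print "IP COUNT" for every valid, non-allowlisted
# IPv4 address that hit the hard limit at least THRESHOLD times.
hard_limit_offenders() {
  awk -v t="$THRESHOLD" -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    tolower($0) ~ /connection hard limit/ {
      if (!match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) next
      ip = substr($0, RSTART + 1, RLENGTH - 1)   # drop the leading "["
      split(ip, o, ".")                          # reject octets above 255
      if (o[1]+0 > 255 || o[2]+0 > 255 || o[3]+0 > 255 || o[4]+0 > 255) next
      if (!(ip in skip)) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= t) print ip, hits[ip] }
  ' | sort
}

# Turn "IP COUNT" lines into csf deny commands. They are only printed, so the
# list can be reviewed before anything is blocked.
ban_commands() {
  while read -r ip count; do
    printf 'csf -d %s "LiteSpeed hard limit x%s"\n' "$ip" "$count"
  done
}

# Demo on the constructed sample; for real use feed lsws/logs/error.log on stdin.
sample_log | hard_limit_offenders | ban_commands
```
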
 
#4
Found 2 warning/error messages in the log:
Time Level Message
2007-11-08 16:06:58.549 ERROR Apache Handled Content CANNOT be enabled, it requires running Apache parallel to LiteSpeed,which means you need to set 'Apache Port Offset' or 'Apache IP Offset' to a non-zero value.
2007-11-08 16:06:58.555 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: PHPSESSID
---------------


Need help with that too.... I ask a lot of questions, don't I?
 

mistwang

LiteSpeed Staff
#6
2007-11-08 16:06:58.549 ERROR Apache Handled Content CANNOT be enabled, it requires running Apache parallel to LiteSpeed,which means you need to set 'Apache Port Offset' or 'Apache IP Offset' to a non-zero value.
2007-11-08 16:06:58.555 ERROR [[HTAccess]] rewrite: unknown server variable while parsing: PHPSESSID
---------------
You should remove the configuration value for "Apache Handled Content"; the second one can be ignored.
 