Re: Apache in under attack. [EXT]

Fail2ban shows me:
https://paste.ubuntu.com/p/PsxM8yPXPQ/






On Tuesday, January 12, 2021, 01:47:28 PM GMT+3:30, James Smith <js5@xxxxxxxxxxxx> wrote: 





That's one shed load of modules - when I run it on my dev server I have - you should really go through the modules and work out which ones you are actually using:

Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
alias_module (shared)
apreq_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
cgi_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
filter_module (shared)
headers_module (shared)
include_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
perl_module (shared)
php7_module (shared)
proxy_module (shared)
proxy_ftp_module (shared)
proxy_http_module (shared)
rewrite_module (shared)
setenvif_module (shared)
status_module (shared)

-----Original Message-----
From: Jason Long <hack3rcon@xxxxxxxxx.INVALID> 
Sent: 12 January 2021 10:06
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  Apache in under attack. [EXT]

Modules are:
https://paste.ubuntu.com/p/DJSWpSP7xZ/






On Tuesday, January 12, 2021, 01:26:48 PM GMT+3:30, James Smith <js5@xxxxxxxxxxxx> wrote: 





Can't see anything that should blow up like that to be honest - I usually use Ubuntu - which configures Apache in a much, much nicer way {generally for web development stuff it is a better flavour of Linux}

What is the output of:

apache2 -t -D DUMP_MODULES

to see what modules you have installed

-----Original Message-----
From: Jason Long <hack3rcon@xxxxxxxxx.INVALID> 
Sent: 12 January 2021 09:43
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  Apache in under attack. [EXT]

Apache configuration is:
https://paste.ubuntu.com/p/RTC2WWMdYH/

And "www.conf" is:
https://paste.ubuntu.com/p/S9q5Kwpfcc/

And other settings:
https://paste.ubuntu.com/p/NydSyZghJ8/

Which one is not OK?







On Tuesday, January 12, 2021, 12:23:52 PM GMT+3:30, Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote: 





It shows me:

13180 X.X.X.X
   1127 X.X.X.X 
    346 X.X.X.X 
    294 X.X.X.X 
    241 X.X.X.X 
    169 X.X.X.X 
    168 X.X.X.X
    157 X.X.X.X
    155 X.X.X.X
    153 X.X.X.X








On Tuesday, January 12, 2021, 07:12:22 AM GMT+3:30, Bender, Charles <charles@xxxxxxxxxxxxxxx.invalid> wrote: 





Run this against your log file in a bash shell:

awk '{print $1}' access.log | sort | uniq -c | sort -nr | head

This will show you the most frequent IPs, sorted in descending order. Block as needed.

On 1/11/21, 7:11 PM, "Jason Long" <hack3rcon@xxxxxxxxx.INVALID> wrote:

    Can you help me? 
    
    
    
    
    
    
    On Tuesday, January 12, 2021, 03:36:30 AM GMT+3:30, Nick Folino <nick@xxxxxxxxx> wrote: 
    
    
    
    
    
    Concentrate on just one...
    
    On Mon, Jan 11, 2021 at 7:02 PM Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote:
    > It is a lot of IP addresses!!!
    > 
    > 
    > 
    > 
    > 
    > 
    > On Tuesday, January 12, 2021, 03:30:02 AM GMT+3:30, Nick Folino <nick@xxxxxxxxx> wrote: 
    > 
    > 
    > 
    > 
    > 
    > How to find pattern:
    > Look at log.
    > Find bad things that are similar.
    > 
    > Then:
    > Block bad things from reaching web server.
    > 
    > On Mon, Jan 11, 2021 at 6:49 PM Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote:
    >> How to find the pattern?
    >> Log shows me: https://paste.ubuntu.com/p/MjjVMvRrQc/
    >> 
    >> 
    >> 
    >> 
    >> 
    >> 
    >> On Tuesday, January 12, 2021, 03:06:12 AM GMT+3:30, Filipe Cifali <cifali.filipe@xxxxxxxxx> wrote: 
    >> 
    >> 
    >> 
    >> 
    >> 
    >> Yeah, it's probably not going to matter if you don't know what's attacking you before setting up the rules; you need to find the patterns, either the attack target or the attackers' origins. 
    >> 
    >> On Mon, Jan 11, 2021 at 8:26 PM Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote:
    >>> I used a rule like:
    >>> 
    >>> # firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="80" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
    >>> 
    >>> But it doesn't matter.
    >>> 
    >>> 
    >>> 
    >>> 
    >>> 
    >>> 
    >>> On Tuesday, January 12, 2021, 02:47:01 AM GMT+3:30, Filipe Cifali <cifali.filipe@xxxxxxxxx> wrote: 
    >>> 
    >>> 
    >>> 
    >>> 
    >>> 
    >>> You need to investigate your logs and find common patterns there. Also, there are different tools to handle small and big workloads; for example, you could use iptables/nftables to block based on patterns and number of requests. 
    >>> 
    >>> On Mon, Jan 11, 2021 at 8:06 PM Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote:
    >>>> Hello,
    >>>> On a CentOS web server with Apache, someone makes a lot of requests and it slows the server down. When I disable the "httpd" service the problem is solved. How can I find who made so many requests?
    >>>> https://imgur.com/O33g3ql
    >>>> Any idea to solve it?
    >>>> 
    >>>> 
    >>>> Thank you.
    >>>> 
    >>>> ---------------------------------------------------------------------
    >>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
    >>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
    >>>> 
    >>>> 
    >>> 
    >>> 
    >>> -- 
    >>> [ ]'s
    >>> 
    >>> Filipe Cifali Stangler

    >>> 
    >>> 
    >>> 
    >>> 
    >> 
    >> 
    >> -- 
    >> [ ]'s
    >> 
    >> Filipe Cifali Stangler

    >> 
    >> 
    >> 
    >> 
    > 
    > 
    > 
    > 
    
    
    
    






-- 
The Wellcome Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE.
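The recipe the thread converges on (count requests per source, then look for a shared target or client before writing a firewall or Apache rule) as an added Python example; it is not code from the thread or from any participant. It extends the awk one-liner posted above into a parser for Apache's combined LogFormat, top-N counts on any parsed field (client IP, request path, User-Agent), and a per-IP sliding-window burst check, so that both a single noisy source and a distributed scan against one URL become visible. The log lines, addresses, paths and the threshold of 100 requests per 60 seconds are constructed for the example.

```python
"""Find the pattern behind a flood in an Apache access log: top source IPs,
top request paths and User-Agents, and per-IP request bursts."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 11/Jan/2021:23:00:00 +0330


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = rec["req"].split(" ")          # "METHOD /path HTTP/1.1"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def top_talkers(records, field, n=10):
    """Same as `awk '{print $1}' | sort | uniq -c | sort -nr | head`,
    but for any parsed field (ip, path, ua, status, ...)."""
    return Counter(r[field] for r in records).most_common(n)


def bursts(records, window=timedelta(seconds=60), threshold=100):
    """IPs whose peak request count inside any `window` reaches `threshold`.
    Sliding window over each IP's sorted timestamps; returns {ip: peak}."""
    stamps_by_ip = defaultdict(list)
    for r in records:
        stamps_by_ip[r["ip"]].append(r["ts"])
    hot = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop stamps outside the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hot[ip] = peak
    return hot


def analyse(lines, window=timedelta(seconds=60), threshold=100):
    """Parse an iterable of log lines and summarise who, what and how fast."""
    records = [r for r in map(parse_line, lines) if r]
    return {
        "parsed": len(records),
        "top_ips": top_talkers(records, "ip"),
        "top_paths": top_talkers(records, "path"),
        "top_agents": top_talkers(records, "ua", 3),
        "bursts": bursts(records, window, threshold),
    }


# --- Constructed sample log (assumed data, not taken from the thread) -----
def _line(ip, t, method, path, ua):
    return (f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


T0 = datetime(2021, 1, 11, 23, 0, 0,
              tzinfo=timezone(timedelta(hours=3, minutes=30)))
SAMPLE = (
    # 203.0.113.7 posts to /xmlrpc.php 150 times within 30 seconds
    [_line("203.0.113.7", T0 + timedelta(milliseconds=200 * i),
           "POST", "/xmlrpc.php", "python-requests/2.25.1") for i in range(150)]
    # 198.51.100.5 makes 20 requests spread over ten minutes: busy, not a burst
    + [_line("198.51.100.5", T0 + timedelta(seconds=30 * i),
             "GET", "/index.php", "Mozilla/5.0") for i in range(20)]
    + [_line("192.0.2.9", T0 + timedelta(seconds=7 * i),
             "GET", "/about.html", "Mozilla/5.0") for i in range(3)]
    + ["not a log line"]                  # unparseable input is skipped
)

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("parsed lines:", result["parsed"])
    for key in ("top_ips", "top_paths", "top_agents"):
        print(key)
        for value, count in result[key]:
            print(f"{count:7d} {value}")
    print("bursts (peak requests per 60 s):", result["bursts"])
```

Run it as-is to see the constructed sample; on a real server, feed the lines of /var/log/httpd/access_log (CentOS) or /var/log/apache2/access.log (Ubuntu) to `analyse`. A single address with tens of thousands of hits, like the 13180-request entry earlier in the thread, is a straightforward candidate for a firewall drop; if the top addresses are all small but `top_paths` or `top_agents` is dominated by one URL or client string, block or rate-limit on that in Apache instead. One caveat on the firewalld rich rule tried in the thread: an `accept` with a `limit` stops matching once the rate is exceeded, but if the zone also allows port 80 through its services, the excess packets are still accepted by that later rule, so the limit has no visible effect unless a reject or drop rule catches them.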










