I have a virtualmin box that had a penetration test last week, and it was reported to be vulnerable to a SlowLoris attack, BEAST attack, and CRIME attack.
It is a Redhat Enterprise 6.3 OS, fully up to date. We update it every week.
What can I do to block those attacks?
Thanks a lot,
I suspect that you’re not getting an answer because this is not a Virtualmin question.
All of these are attacks on your web server, Apache. I would ask the people who conducted your penetration test where the best place to go look for information would be.
Above that - I’d also say that protecting against DOS attacks is nowhere near as essential as other forms of security. Being DOS’ed is having your site go down. Not good, but your damage is limited to that, you don’t lose data or become a conduit for Spam, and generally these attacks let up fairly soon. If you are being criminally blackmailed, your ISP and the FBI can actually help.
Everyone I know who’s run a server for a long time has been hacked, rooted or otherwise compromised at some point in their careers. I don’t know anyone who’s been DOS’ed.
I think a perfectly reasonable strategy for nearly all small- and medium-sized organizations is to simply ignore the possibility of DOS’ing until and unless it actually happens.
If the only vulnerabilities your server has is to DOS, then you’re in excellent shape. Change nothing.
Hello Tom, thanks a lot for your comments.
Yes, I’m very concerned about security. I use the CSF firewall from http://configserver.com/, and it has helped a lot. One of my customers’ websites was the target of a distributed DOS attack once; I was able to block it by denying the attackers’ IPs. It was a lot of work, and CSF helped a lot that day (around 300 IPs).
I did a bit of research and I know it is not a trivial task to block DOS attacks, so I posted here looking for some advice.
The customer that sent me the report is a big company in Brazil, and it would be bad for my company to answer something like “when it happens we will see what we can do”. I have to take at least a few precautions to try to avoid the attack.
My main concern is the SlowLoris attack, because it seems to be an easy attack to perform. It leaves a connection open on Apache holding its resources.
Is there any configuration that can be done in Apache to prevent this? Or a module?
Thank you very much
As I said - this is NOT the right site to ask this question!
I believe this issue should be a concern for everyone that has a Virtualmin box, so I don’t think it is so wrong to post it here.
But anyway, I’m sorry, I’ll seek help somewhere else.
While you are quite welcome to post sysadmin related questions here, I’m not entirely certain of the answers to those.
I think some of them may simply be SSL cipher related though. For example, I Googled “Apache BEAST”, and came up with this link, showing SSL ciphers to configure Apache with:
Yes, I’ve seen that one. I’ll search for solutions and will try to implement them.
When I’m done I’ll post my findings here for future reference.
For reference, to block Slowloris there is an Apache module, mod_antiloris, that does it.
To install it on CentOS 6.3 I used the instructions below:
Install the APache eXtenSion tool (apxs, from httpd-devel):
yum install httpd-devel
Download the mod_antiloris Apache module.
Untar the installer:
tar -xvjf mod_antiloris-0.4.tar.bz2
Compile and install the module (apxs -a also adds the LoadModule line to httpd.conf):
apxs -a -i -c mod_antiloris.c
Restart Apache:
service httpd restart
Check whether mod_antiloris is loaded properly.
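The posts above describe Slowloris as holding Apache connections open with an unfinished request, and mod_antiloris as a per-IP limit on such connections. The script below is an added example, not code from this thread, from mod_antiloris or from the howtoforge article; it probes a server for the two behaviours those mitigations change: whether a half-sent request is ever abandoned by the server (a header deadline, which Apache’s mod_reqtimeout in 2.2.15 and later enforces), and how many simultaneous half-open connections a single client address is allowed to hold. The ToyServer class is a constructed stand-in for Apache so the probes run offline and the expected results are deterministic; the two probe functions take any host and port, so they can be pointed at a real box you are authorised to test, before and after adding a module, to confirm the change actually took effect.

```python
import socket
import threading
import time

# A request line and some headers, but never the empty line that ends the header
# block. Slowloris keeps connections in exactly this state so the server's
# worker stays tied up waiting for the rest of the request.
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost\r\nUser-Agent: probe\r\n"


def probe_header_timeout(host, port, max_wait=5.0):
    """Send a half-finished request and see whether the server gives up on it.

    Returns (ended, seconds): ended is True if the server closed the connection
    or answered (for example with 408) within max_wait, False if it was still
    waiting for us when max_wait expired, which is the Slowloris-friendly case.
    """
    s = socket.create_connection((host, port), timeout=max_wait)
    start = time.monotonic()
    try:
        s.sendall(PARTIAL_REQUEST)
        s.recv(1)          # b"" on close, or the first byte of an error reply
        ended = True
    except socket.timeout:
        ended = False      # server is still waiting for the rest of our headers
    except OSError:
        ended = True       # connection reset: the server dropped us
    finally:
        s.close()
    return ended, time.monotonic() - start


def count_held_connections(host, port, n, hold=0.5):
    """Open n half-sent requests at once and count how many are still being
    held open by the server after `hold` seconds. A per-IP cap on connections
    in the read state (what mod_antiloris does) shows up as a count below n."""
    socks = []
    for _ in range(n):
        s = socket.create_connection((host, port), timeout=hold)
        s.sendall(PARTIAL_REQUEST)
        socks.append(s)
    time.sleep(hold)
    held = 0
    for s in socks:
        s.setblocking(False)
        try:
            s.recv(1)            # b"" (closed) or a reply: the server gave up
        except BlockingIOError:
            held += 1            # nothing from the server: it is still waiting on us
        except OSError:
            pass                 # reset by peer: also not held
        finally:
            s.close()
    return held


class ToyServer:
    """Constructed stand-in for a web server, present only so the probes run offline.

    header_timeout=None waits forever for the rest of the headers (the behaviour
    Slowloris relies on); a number enforces a deadline the way mod_reqtimeout does.
    max_per_ip caps simultaneous connections from one address, the idea behind
    mod_antiloris's per-IP limit.
    """

    def __init__(self, header_timeout=None, max_per_ip=None):
        self.header_timeout = header_timeout
        self.max_per_ip = max_per_ip
        self.active = {}
        self.lock = threading.Lock()
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, (ip, _) = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, ip), daemon=True).start()

    def _handle(self, conn, ip):
        with self.lock:
            self.active[ip] = self.active.get(ip, 0) + 1
            over_limit = self.max_per_ip is not None and self.active[ip] > self.max_per_ip
        try:
            if over_limit:
                return                        # drop the excess connection at once
            conn.settimeout(self.header_timeout)
            buf = b""
            while b"\r\n\r\n" not in buf:     # read until the header block is complete
                chunk = conn.recv(1024)
                if not chunk:
                    return                    # client went away
                buf += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        except socket.timeout:
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        except OSError:
            pass
        finally:
            conn.close()
            with self.lock:
                self.active[ip] -= 1


if __name__ == "__main__":
    servers = (("no header timeout, no per-IP cap", ToyServer()),
               ("1s header timeout, 3 connections per IP", ToyServer(header_timeout=1.0, max_per_ip=3)))
    for name, srv in servers:
        ended, secs = probe_header_timeout("127.0.0.1", srv.port, max_wait=2.0)
        held = count_held_connections("127.0.0.1", srv.port, n=10)
        print(f"{name}: server abandoned half-open request: {ended} after {secs:.1f}s; "
              f"held {held}/10 simultaneous half-open connections")
```

Against a real server, run probe_header_timeout with max_wait a little above the header timeout you configured: an answer of (False, max_wait) means every half-open connection costs a worker until Apache’s global Timeout expires, which is what the pentest report is flagging. count_held_connections should come back well below n once a per-IP limit is active; keep n small on a production host, because the held sockets are real workers for the duration of `hold`.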
I have had experience where at least once a week I had to restart the server when it started acting very slow. Looking at my Apache logs I saw one of my busier virtual websites was getting overwhelmed with requests coming from a web crawler. Searching online for a solution I found this: http://www.howtoforge.com/how-to-defend-slowloris-ddos-with-mod_qos-apache2-on-debian-lenny. After I installed it on my Debian box the problem went away. This might also help.