DoS attacks

hi all -

i am trying to come up with a decent response to these denial-of-service attacks i keep getting, mainly going after my wordpress sites.

but then i got to thinking (uh oh!) about some thing set to run every minute or two that looked something like this:

grep $(date -d '1 minute ago' +%d/%b/%Y:%H:%M) /var/log/virtualmin/_access_log
| sed -e 's/ - -.
| sort
| uniq

so i might end up seeing a format that looks like this:

domain name : IP NBR : number of requests

then maybe i can see if there have been more than 20 or so requests in the past minute, and if so, write the IP## into the csf.deny file.

any thoughts on this? usually when us newbies think of something this simplistic, one of the master wizards always has a better idea.

Grepping through all of the Apache access logs every minute would quite probably put more load on your server than any DoS on your Wordpress. :wink:

If you’d like to go for filtering by analysis of logs, you should start out with “logtail”, which is a tool that outputs that part of a file that was changed (appended) since the last run.

For your purpose, i.e. preventing script kiddies from flooding your web site admin pages, I personally use mod_qos and drastically limit the number of requests per second to the respective URL. Combine that with an additional .htaccess password on the admin directory. This should work better than adding IPs to deny files, which is like tilting at windmills (i.e. the deny file will fill up with IPs that your system will probably see only once and never again).
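Added example, not part of either post above: the per-minute, per-IP count from the first post, run only over the lines appended since the previous run, which is the job logtail does. The function names, `STATE_DIR` and the sample log lines are constructed for illustration, and the Apache combined log format is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. new_lines, flag_busy_ips, demo and
# STATE_DIR are hypothetical names. Assumes the Apache combined log format:
# field 1 is the client IP, field 4 is "[dd/Mon/yyyy:HH:MM:SS".

STATE_DIR="${STATE_DIR:-/var/tmp/reqcount}"

# Emit only what was appended to log $1 since the previous call (the job
# logtail does), keeping the byte offset in $STATE_DIR. If the file is now
# smaller than the saved offset it was rotated, so read it from the start.
new_lines() {
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$(printf '%s' "$1" | tr '/' '_').offset"
    size=$(($(wc -c < "$1")))
    last=0
    if [ -f "$state" ]; then last=$(cat "$state"); fi
    if [ "$size" -lt "$last" ]; then last=0; fi
    tail -c "+$((last + 1))" "$1" | head -c "$((size - last))"
    echo "$size" > "$state"
}

# Read log lines on stdin; print "IP count" for every client that made more
# than $2 requests during minute $1 (for example 12/Mar/2024:10:15).
flag_busy_ips() {
    awk -v m="[$1:" -v limit="$2" '
        index($4, m) == 1 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print ip, hits[ip] }
    ' | sort
}

# Constructed sample: 192.0.2.7 requests /wp-login.php 25 times in one minute,
# 198.51.100.4 loads the front page once.
demo() {
    STATE_DIR=$(mktemp -d)
    log="$STATE_DIR/example.com_access_log"
    i=0
    while [ "$i" -lt 25 ]; do
        echo '192.0.2.7 - - [12/Mar/2024:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512'
        i=$((i + 1))
    done > "$log"
    echo '198.51.100.4 - - [12/Mar/2024:10:15:09 +0000] "GET / HTTP/1.1" 200 2048' >> "$log"
    new_lines "$log" | flag_busy_ips "12/Mar/2024:10:15" 20   # first run: whole file
    new_lines "$log" | flag_busy_ips "12/Mar/2024:10:15" 20   # second run: nothing new
}

demo
```

The second call prints nothing because the saved offset already points at the end of the file, so each run costs only as much as the traffic since the last one.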

excellent suggestion! but then again, we have come to expect that in this forum…!

since it's late and i can't think clearly when it's late, could i ask for a tip or two on how to implement mod_qos in virtualmin? or would this be done outside of virtualmin?

:smiley: Late night admin is indeed not a good idea.

Indeed Virtualmin doesn’t immediately configure mod_qos. You’d download it via your package manager (it should be available there, if not already installed), and activate it through Webmin’s Apache module.

Detailed documentation about its directives you find here:

NOTE: In the following code excerpts, “[em]” needs to be an asterisk! The forum software here thinks I want to format something in italics and replaces the asterisks.

I personally have for one a global limit for concurrent connections and connections per second to any given URL from all clients cumulative, in /etc/apache2/mods-available/qos.conf:

QS_LocRequestLimitMatch ^.*$ 100
QS_LocRequestPerSecLimitMatch ^.*$ 10

“LimitMatch” is a hard limit to 100 global connections to any given URL. “RequestsPerSec” operates by inducing increasing delays if the number of requests per second given is exceeded.

Then, for specific “flooding-prone” URLs I have per-client limits. I.e. each remote IP can only have a certain number of concurrent requests before delay is induced:

SetEnvIfNoCase Host DOMAIN1\.TLD QS_Event=yes
SetEnvIfNoCase Host DOMAIN2\.TLD QS_Event=yes
QS_ClientEventPerSecLimit 2

Mind the “\.”, those lines are regular expressions.

Then, for specific URLs in certain domains (primarily administration pages of CMSes that sometimes get dictionary-attacked), I have this in the domain’s virtual host configuration:

QS_LocRequestLimitMatch ^/administrator.*$ 10
QS_LocRequestPerSecLimitMatch ^/administrator.*$ 1
QS_LocRequestLimitMatch ^.*$ 30
QS_LocRequestPerSecLimitMatch ^.*$ 5

This limits requests to URLs starting with “/administrator” to 10 global, and 1 per second. Other URLs of that domain are limited to 30 requests global and 5 per second. This is client-global, not per client IP.

wow! even us brain-dead admins can issue this extraordinarily complicated line:

yum install mod_qos ;

but really, all i need to do is to slow down the access to the wordpress logins that like to hit /wp-login.php - don't suppose i could sweet-talk you into boiling down your comprehensive answer to tailor it to my situation? you would have my gratitude. and that might be just enough to keep us out of Syria.

side-question: i can only assume that anybody that uses a name like ‘Locutus’ is probably just enough of a sci-fi buff to name a book with a near-identical sub-title as the movie “Dr Strangelove”. would this be a correct assumption?

Okay, for that you’d put something like this in the virtual host file of the domain in question (via “Services / Configure Website / Edit Directives”).

QS_LocRequestLimitMatch ^/wp-login.php 10
QS_LocRequestPerSecLimitMatch ^/wp-login.php 1

You might need to fiddle with the parameters a bit.

Also, if you’d like a statistic page for your QOS module, add this to /etc/apache2/mods-available/qos.conf:

<Location /qos>
  SetHandler qos-viewer
  Order deny,allow
  Deny from all
  Allow from
</Location>

Replacing the IP with the IP from which you want to enable access. Should be IP-restricted for security reasons; I’m not sure if it’s possible to add password authentication to handler locations.