Quoting Jake Vickers <j...@qmailtoaster.com>:

On 07/23/2011 12:03 PM, Eric Shubert wrote:
On 07/23/2011 08:35 AM, Jake Vickers wrote:
On 07/23/2011 07:35 AM, Jake Vickers wrote:
I have the wiki offline for a while this weekend. Seems whenever I
bring it online, apache2 gets hammered until the box becomes
unresponsive. I am moving some things to a new server, but I need to
think about what to do about this as well.
I will post again when there is an update or it's been moved.

The wiki should be back online now at the new IP address - I think I
found the IP that was ddos'ing the wiki and have blocked it. I have also
added in a few items that should help prevent this in the future. Be
aware that if you perform 300 wgets in 300 seconds against the wiki, you
will be blocked for 10 minutes. If your IP does it again, you're blocked
for good.

---------------------------------------------------------------------------------

Out of curiosity, what'd you do/use to achieve that block?
There was someone on the spamdyke list asking about how to perhaps throttle/block spammers with smtp 25/587 access (authenticated).


If you want a hammer, you can iptables it - here's one I use on some servers to prevent hammering on port 25:

-A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --rsource

So the above blocks any IP trying more than 10 connections in 60 seconds on port 25.

For the one I'm using specifically for the wiki, I'm using fail2ban to filter this. You could easily set it up to never "full ban", and only throttle for specific periods of time. Here's what I'm using for the wiki page:

//jail.conf
[http-get-dos-wiki]
enabled = true
port = http,https
filter = http-get-dos-wiki
logpath = /var/log/apache2/wiki.qmailtoaster.com-access.log
# Count the number of connections
maxretry = 300
# The timeframe we count the above
findtime = 300
# How long we ban for
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

//filter.d/http-get-dos-wiki.conf
# Fail2Ban configuration file

[Definition]

# This regex will match all GET entries in the wiki logs, so basically all requests match.
# Controlling how many/how often a host connects before we term it "bad" is controlled in the jail.conf file.

failregex = ^<HOST> -.*GET

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =




---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
     If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
    Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
    For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
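To make the jail's counting rules above concrete, here is an added example (not part of the thread and not fail2ban's own code) that replays constructed Apache access-log lines through a simplified model of the http-get-dos-wiki filter and jail: 300 GET matches inside a 300 second window trigger a 600 second ban, while POSTs and slower clients are never banned. The IPv4-only expansion of the <HOST> tag and the 192.0.2.x sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# fail2ban expands the <HOST> tag into a host/IP pattern; this IPv4-only
# expansion is a simplification assumed for the example.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^<HOST> -.*GET".replace("<HOST>", HOST_RE))
# Apache combined-format timestamp, e.g. [23/Jul/2011:08:35:01 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def evaluate(lines, maxretry=300, findtime=300, bantime=600):
    """Replay log lines through the jail's rules: ban a host on maxretry
    matches within findtime seconds, for bantime seconds. Returns {host: bans}."""
    hits = defaultdict(deque)   # host -> timestamps of matches still in window
    banned_until = {}           # host -> when its current ban expires
    bans = defaultdict(int)
    for line in lines:
        m, ts_m = FAILREGEX.match(line), TS_RE.search(line)
        if not (m and ts_m):
            continue            # not a GET with a parseable host: never counted
        host = m.group("host")
        ts = datetime.strptime(ts_m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if ts < banned_until.get(host, ts):
            continue            # still banned; iptables would have dropped it
        window = hits[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()    # forget hits older than findtime
        if len(window) >= maxretry:
            bans[host] += 1
            banned_until[host] = ts + timedelta(seconds=bantime)
            window.clear()
    return dict(bans)

def make_line(host, when, method="GET"):
    """Constructed Apache combined-format access-log line (sample data)."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{host} - - [{stamp}] "{method} / HTTP/1.1" 200 512 "-" "Wget/1.12"'

def demo():
    t0 = datetime(2011, 7, 23, 8, 35, tzinfo=timezone.utc)
    lines = []
    # 300 GETs in 300 s from one host: exactly the jail's threshold
    lines += [make_line("192.0.2.10", t0 + timedelta(seconds=i)) for i in range(300)]
    # 300 GETs spread over an hour: never 300 within any 300 s window
    lines += [make_line("192.0.2.20", t0 + timedelta(seconds=12 * i)) for i in range(300)]
    # 400 POSTs: the failregex only matches GET, so they are never counted
    lines += [make_line("192.0.2.30", t0 + timedelta(seconds=i), "POST") for i in range(400)]
    return evaluate(lines)      # {'192.0.2.10': 1}
```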




I'm assuming this was why I couldn't view the wiki yesterday. I just hope it wasn't my IP doing something silly. LOL

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

