Skip to main content

Very high CPU loads from brute force attempts - CSF/LFD

Comments

14 comments

  • kodeslogic
    From the output you shared, it seems an attack from multiple IPs, you should reach out to your data center or server provider, as they have specialized equipment to put in place to help mitigate the attack until it slows down or dies off. Other options: - Using CDN or external firewall services such as Cloudflare can help buffer traffic to the server. OR - Consult a
    0
  • cPRex Jurassic Moderator
    I would also recommend an external tool. If you try and handle this locally, you'll still need to use your server's CPU processing power to handle the traffic. An external solution would completely remove your CPU from the equation, and your hosting provider likely has an external firewall or DoS prevention tools available.
    0
  • msklut
    We've had the VPS configured with CSF and cPhulk for several years now with no issues until now. Are there any Mod_Security rules or anything like that you would recommend looking at?
    0
  • cPRex Jurassic Moderator
    mod_security wouldn't handle that type of traffic, as that watches uploads through the web and not brute force attacks.
    0
  • msklut
    mod_security wouldn't handle that type of traffic, as that watches uploads through the web and not brute force attacks.

    Look at the logs below. It shows Mod_Security rules are working to block the following... Message: Access denied with code 406 (phase 1). Pattern match "Mozilla/5.0 \\(X11; Ubuntu; Linux x86_64; rv:62\\.0\\) Gecko\\/20100101 Firefox\\/62\\.0" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"> [line "1"> [id "91996789"> [msg "BAD UA BLOCK"> Apache-Error: [file "apache2_util.c"> [line 271] [level 3] [client 80.253.246.193] ModSecurity: Access denied with code 406 (phase 1). Pattern match "Mozilla/5.0 \\\\\\\\(X11; Ubuntu; Linux x86_64; rv:62\\\\\\\\.0\\\\\\\\) Gecko\\\\\\\\/20100101 Firefox\\\\\\\\/62\\\\\\\\.0" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"> [line "1"> [id "91996789"> [msg "BAD UA BLOCK"> [hostname "mydomain.com"> [uri "/admin/"> [unique_id "YmhEsUkj-UhCPIMszGtGEQAAAA8"> Action: Intercepted (phase 1) Stopwatch: 1651000497800531 351 (- - -) Stopwatch2: 1651000497800531 351; combined=47, p1=20, p2=0, p3=0, p4=0, p5=27, sr=0, sw=0, l=0, gc=0 Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.0.2. Server: Apache Engine-Mode: "ENABLED"
    0
  • cPRex Jurassic Moderator
    For that particular request, it seems they are trying to log in to domain.com/admin and their activity is triggering mod_security. However, if this is happening as frequently as you report, it would still be best to look to external firewall solutions since your server would have to process anything related to mod_security. Ideally, if the traffic can be stopped before they are even able to reach the server, that would be the ideal solution.
    0
  • msklut
    For that particular request, it seems they are trying to log in to domain.com/admin and their activity is triggering mod_security. However, if this is happening as frequently as you report, it would still be best to look to external firewall solutions since your server would have to process anything related to mod_security. Ideally, if the traffic can be stopped before they are even able to reach the server, that would be the ideal solution.

    OK. Can you think of anything else we should look at before going with an external option? We have not had these type of attacks before -- that's what's alarming and confusing.
    0
  • cPRex Jurassic Moderator
    I personally don't have additional ideas, but that's mostly how everything works - I don't *need* to enable a slow query log, until I notice database slowness. I don't *need* to increase my RAM until my users grow and it starts running low. You didn't *need* to explore DoS protection options, until today. If you'd like to submit a ticket to our team we could at least check the system for known security problems and ensure cPanel itself is working well.
    0
  • msklut
    I personally don't have additional ideas, but that's mostly how everything works - I don't *need* to enable a slow query log, until I notice database slowness. I don't *need* to increase my RAM until my users grow and it starts running low. You didn't *need* to explore DoS protection options, until today. If you'd like to submit a ticket to our team we could at least check the system for known security problems and ensure cPanel itself is working well.

    OK. We've had CSF and cPhulk since the beginning. Just odd how it only started presenting an issue years later.
    0
  • Mise
    the overload could be because csf should execute the blocking and write the ips inside the csf.deny file. The attack seem to be string chains inside the User Agent header, and then returning a 406 error. Perhaps you could mitigate the situation moving the blocking into the .htacces of the atacked website, and then disabling the modsecurity rule. In that way the csf could be free of all that work The ideal thing would be studying the logs, to see what those headers contains. And then build the precise rule inside the .htaccess with related strings. Something like this although with your strings: RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] ... and so on you can find many examples of HTTP_USER_AGENT for .htaccess everywhere In that way you could disable the modsecurity rule, to convert that overload in simple common requests. And csf would be free of all that work. In case of different attacked websites you could include these rules inside the Apache configuration and later disable that modsecurity rule
    0
  • msklut
    the overload could be because csf should execute the blocking and write the ips inside the csf.deny file. The attack seem to be string chains inside the User Agent header, and then returning a 406 error. Perhaps you could mitigate the situation moving the blocking into the .htacces of the atacked website, and then disabling the modsecurity rule. In that way the csf could be free of all that work The ideal thing would be studying the logs, to see what those headers contains. And then build the precise rule inside the .htaccess with related strings. Something like this although with your strings: RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] ... and so on you can find many examples of HTTP_USER_AGENT for .htaccess everywhere In that way you could disable the modsecurity rule, to convert that overload in simple common requests. And csf would be free of all that work. In case of different attacked websites you could include these rules inside the Apache configuration and later disable that modsecurity rule

    have you heard of this? Looks like it has all the htaccess rewrite rules that would be necessary:
    0
  • msklut
    The .htaccess rules seem to be working pretty well. Thanks for the suggestion. Quick question... Apache logs are showing an error for this rewrite rule. Any ideas? RewriteCond: cannot compile regular expression
    RewriteCond %{HTTP_USER_AGENT} (acapbot|acoonbot|asterias|attackbot|backdorbot|becomebot|binlar|blackwidow|blekkobot|blexbot|blowfish|bullseye|bunnys|butterfly|careerbot|casper|checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|cy_cho|datacha|demon|diavol|discobot|dittospyder|dotbot|dotnetdotcom|dumbot|emailcollector|emailsiphon|emailwolf|extract|eyenetie|feedfinder|flaming|flashget|flicky|foobot|g00g1e|getright|gigabot|go-ahead-got|gozilla|grabnet|grafula|harvest|heritrix|httrack|icarus6j|jetbot|jetcar|jikespider|kmccrew|leechftp|libweb|linkextractor|linkscan|linkwalker|loader|masscan|miner|mechanize|morfeus|moveoverbot|netmechanic|netspider|nicerspro|nikto|ninja|nutch|octopus|pagegrabber|petalbot|planetwork|postrank|proximic|purebot|pycurl|python|queryn|queryseeker|radian6|radiation|realdownload|scooter|seekerspider|semalt|siclab|sindice|sistrix|sitebot|siteexplorer|sitesnagger|skygrid|smartdownload|snoopy|sosospider|spankbot|spbot|sqlmap|stackrambler|stripper|sucker|surftbot|sux0r|suzukacz|suzuran|takeout|teleport|telesoft|true_robots|turingos|turnit|vampire|vikspider|voideye|webleacher|webreaper|webstripper|webvac|webviewer|webwhacker|winhttp|wwwoffle|woxbot|xaldon|xxxyy|yamanalab|yioopbot|youda|zeus|zmeu|zune|zyborg) [NC] RewriteRule .* - [F,L]
    0
  • msklut
    Following up on this... We noticed immediate changes when we enabled the DoS rules in ModSecurity (which are disabled by default). /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/crs-setup.conf (below shows the rule enabled without the '#') # # Optional DoS protection against clients making requests too quickly. # # When a client is making more than 100 requests (excluding static files) within # 60 seconds, this is considered a 'burst'. After two bursts, the client is # blocked for 600 seconds. # # Requests to static files are not counted towards DoS; they are listed in the # 'tx.static_extensions' setting, which you can change in this file (see # section "HTTP Policy Settings"). # # For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf. # # Uncomment this rule to use this feature: # SecAction \ "id:900700,\ phase:1,\ nolog,\ pass,\ t:none,\ setvar:'tx.dos_burst_time_slice=60',\ setvar:'tx.dos_counter_threshold=100',\ setvar:'tx.dos_block_timeout=600'"
    0
  • Mise
    I would try somehting like this depending of the attack strings: RewriteCond %{HTTP_USER_AGENT} ^.*(string1|string2|string3.....).*$ [NC] RewriteRule ^ 406 [L,R] letters between [..] like [NC] are conditional flags when there is more than one rule, and also for other purposes. Errors can appears because this reason. Here one manual:
    0

Please sign in to leave a comment.