
Blocking httpd floods

Comments

8 comments

  • Muhammed Fasal
    You can block an IP range via your CSF firewall. If you need to whitelist or block a range of IP addresses using CSF, it can be done, but you need to use the CIDR format. For example, to block 192.168.0.0 to 192.168.0.255 you would add 192.168.0.0/24 to the blocked list. If you are unsure how to convert a range of IPs to CIDR, I find the following site helpful. You enter the starting IP and ending IP, and it will create the CIDR entries for you. ip2cidr.com
  • verdon
    Thanks Muhammed. I know (and do) that... it's identifying the ranges programmatically that would be nice. Monitoring logs and then manually blocking them is like playing 'whack a mole'.
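As an added example (not code from this thread or from CSF), here is a Python script that does what verdon is asking for: it aggregates Apache access-log lines by /24 so that a flood spread across a range shows up even when each individual address stays under a per-IP limit, and emits CSF-style CIDR deny entries; the range-to-CIDR helper does what ip2cidr.com does. The log lines, the thresholds and the `address # comment` form of the deny entries are assumptions.

```python
# Added example, not from the thread: find /24 ranges that are flooding httpd
# and turn them into CIDR deny entries. All sample input below is constructed.
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format lines (real input: the server's access_log).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /calendar?month=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.17 - - [10/Oct/2023:13:55:37 +0000] "GET /calendar?month=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.99 - - [10/Oct/2023:13:55:37 +0000] "GET /downloads/a.zip HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.200 - - [10/Oct/2023:13:55:38 +0000] "GET /calendar?month=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client address, ident, user, [timestamp], "METHOD path ..." from the combined log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

def flood_prefixes(log_text, prefix_len=24, threshold=3):
    """Return {network: (requests, distinct_ips)} for every /prefix_len whose
    total request count reaches `threshold`, however few hits each IP made."""
    reqs, hosts = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip = ipaddress.ip_address(m.group(1))
        if ip.version != 4:
            continue  # prefix_len is an IPv4 prefix length
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        reqs[net] += 1
        hosts[net].add(ip)
    return {net: (n, len(hosts[net])) for net, n in reqs.items() if n >= threshold}

def range_to_cidr(start, end):
    """Convert an inclusive start..end IP range into the minimal CIDR blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))]

def csf_deny_lines(flooding):
    """Render one 'network # comment' deny entry per flooding prefix, busiest first."""
    ordered = sorted(flooding.items(), key=lambda kv: -kv[1][0])
    return [f"{net} # httpd flood: {n} requests from {h} hosts" for net, (n, h) in ordered]

if __name__ == "__main__":
    for line in csf_deny_lines(flood_prefixes(SAMPLE_LOG)):
        print(line)
    print(range_to_cidr("192.168.0.0", "192.168.0.255"))
```

Review the candidate prefixes before adding them to the deny list; a busy /24 can just as easily be a legitimate NAT or proxy pool.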
  • Infopro
    I do use CSF but I can't use the CT_Limit section to help with this, because it's distributed.

    You should use this. It will help.
  • verdon
    You should use this. It will help.

    I guess what I'm concerned about, is that I currently have it set to 300, which is the recommended value. These floods are being distributed across ranges of IP addresses. I would have to set the value to somewhere in the neighbourhood of 40 or 50 to catch any of the individual addresses, which I'm sure would lead to all sorts of false positives with IMAP/FTP and likely even HTTP connections. Am I understanding this wrong?
  • Infopro
    I use the default settings as well. I also use very low numbers for Login Failure Blocking and Alerts options. X failed logins, and you're kicked to the curb. Searching my inbox for: blocked distributed attack
  • quizknows
    Have you considered using ModSecurity's connections engine? You can limit simultaneous read/write connection states per IP. Reference Manual - SpiderLabs/ModSecurity Wiki - GitHub

    In short, turn on the connections engine in WHM ModSecurity settings, and in your modsec2.user.conf file add settings such as:

        SecConnReadStateLimit 20 "!@ipMatch 127.0.0.1"
        SecConnWriteStateLimit 20 "!@ipMatch 127.0.0.1"

    This would limit individual IPs, other than localhost, to 20 Apache connections in the read state or write state per IP address. It may not help with extremely distributed stuff, but it's a good place to start. I have not tested it, but you may get away with trying to put those in a userdata / custom vhost config for the domain itself as opposed to modsec2.user.conf, so that tighter limits can be set affecting only one domain. I'm not sure that's supported, but I don't see why it wouldn't be. Regardless, I've seen a lot of people use these settings server-wide with some success. YMMV.
  • verdon
    Ya. That's great for that. In my case, it's not distributed dictionary attacks... it's just bots endlessly crawling through events calendars and file download areas, ignoring robots.txt files, not even identifying themselves as bots.... just flooding with http requests, that look legit other than the pattern and the volume. I'll have a closer look at that area of CSF config though. It's been a while since I really read it through line-by-line. Thanks :-)
  • verdon
    Have you considered using ModSecurity's connections engine? You can limit simultaneous read/write connection states per IP.

    I wasn't aware of that. Thanks for the pointer!
